I'd like to set up my routers as caching DNS servers. However, at the same time, I don't want world+dog to be able to make DNS queries against them. Am I reading http://wiki.mikrotik.com/wiki/Manual:IP/DNS wrong, or is there no way to set an allow-hosts option for the DNS server? As far as I can tell, there's only two options -- do DNS for itself, or respond to DNS queries for any host anywhere on the Internet.

Make firewall filter rules in the input chain accepting UDP/TCP 53 traffic from sources you want to be able to use the router as a DNS server, and drop everything else.

Make firewall filter rules in the input chain accepting UDP/TCP 53 traffic from sources you want to be able to use the router as a DNS server, and drop everything else.

Now I feel stupid for not thinking of that myself. Thanks!

Addendum: Can I bind the DNS queries the router makes when populating its cache to an IP or do I need to let the router decide what address the request is coming from?

Not that I know of. The router will reliably choose the lowest IP address on the interface closest to the destination, though.

Not that I know of. The router will reliably choose the lowest IP address on the interface closest to the destination, though.

Which was private, and outside of the ACL for recursion on the DNS server it was populating the cache from. Easily fixed by updating the ACL, though.