SpaceCommander
Frequent Visitor
Topic Author
Posts: 50
Joined: Fri Dec 26, 2008 3:35 am

How to intercept DNS requests to builtin server?

Mon May 03, 2010 7:44 pm

There is a Mikrotik box powered by RouterOS 3.10.
DNS server is enabled and works fine (answers are added to "/ip dns cache print").

How can I intercept DNS requests that clients in 10.20.30.0/24 send to server 1.2.3.4 and redirect them to the builtin DNS?

I tried so:
> /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0  ;;; Intercept DNS requests and handle them by builtin server
     chain=dstnat action=redirect to-ports=53 src-address=10.20.30.0/24
     dst-address=1.2.3.4 dst-port=53 protocol=udp

1  ;;; Intercept DNS requests and handle them by builtin server
     chain=dstnat action=redirect to-ports=53 src-address=10.20.30.0/24
     dst-address=1.2.3.4 dst-port=53 protocol=tcp
But "/ip firewall nat print stats" displays zero counters, and DNS cache still unchanged... :(
 
Caci99
Forum Guru
Posts: 1075
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane

Re: How to intercept DNS requests to builtin server?

Mon May 03, 2010 11:06 pm

Who is IP 1.2.3.4? Is it the router itself or another server attached to the router?

If you are using action=redirect you can not use dst-address, it should be:

0 ;;; Intercept DNS requests and handle them by builtin server
chain=dstnat action=redirect to-ports=53 src-address=10.20.30.0/24
dst-port=53 protocol=udp

or if you want to forward the requests to another server it should be:

0 ;;; Intercept DNS requests and handle them by builtin server
chain=dstnat action=dst-nat to-ports=53 src-address=10.20.30.0/24
dst-address=1.2.3.4 dst-port=53 protocol=udp
 
SpaceCommander
Frequent Visitor
Topic Author
Posts: 50
Joined: Fri Dec 26, 2008 3:35 am

Re: How to intercept DNS requests to builtin server?

Tue May 04, 2010 12:18 am

> Who is IP 1.2.3.4? is it Router itself or another server attached to the router?

1.2.3.4 is the IP address of my external DNS server.

> If you are using action=redirect you can not use dst-address, it should be:

I want to intercept DNS requests to 1.2.3.4 only.
For example, requests to Google 8.8.8.8 and 8.8.4.4 should be forwarded as usual.
Anyway, even without dst-address, "action=redirect" does nothing.

> if you want to forward the requests to another server it should be

I tried "action=dst-nat to-addresses=10.11.12.13" (where 10.11.12.13 is the IP address of the Mikrotik box itself), with the same result... :(

It seems like packets are not handled by firewall at all.
Tools => Packet Sniffer displays them on ether1, but the counters of the simple forward rule ("accept all from any to any on ether1") contain zeros.
 
rodolfo
Long time Member
Posts: 553
Joined: Sat Jul 05, 2008 11:50 am

Re: How to intercept DNS requests to builtin server?

Tue May 04, 2010 12:27 am

dst-nat must work.
Have you enabled connection tracking? Do you use a bridge?
Post the complete config of your firewall.
 
SpaceCommander
Frequent Visitor
Topic Author
Posts: 50
Joined: Fri Dec 26, 2008 3:35 am

Re: How to intercept DNS requests to builtin server?

Tue May 04, 2010 12:28 am

I understand my problem now: the Mikrotik works as a bridge, so the layer-3 firewall ignores transit packets.
Is it solvable?
Linux allows layer2 filtering using ebtables. Can Mikrotik do that?
 
rodolfo
Long time Member
Posts: 553
Joined: Sat Jul 05, 2008 11:50 am

Re: How to intercept DNS requests to builtin server?

Tue May 04, 2010 12:32 am

In bridge settings, try to enable 'use ip firewall'.
 
skillful
Trainer
Posts: 552
Joined: Wed Sep 06, 2006 1:42 pm
Location: Abuja, Nigeria

Re: How to intercept DNS requests to builtin server?

Tue May 04, 2010 12:41 am

> I understood my problem: Mikrotik works as bridge, so layer3-firewall ignores transit packets.
> Is it solvable?

Yes, it is solvable. Set the bridge interface to use the firewall:
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=yes
 
SpaceCommander
Frequent Visitor
Topic Author
Posts: 50
Joined: Fri Dec 26, 2008 3:35 am

Re: How to intercept DNS requests to builtin server?

Tue May 04, 2010 12:43 am

> on bridge, settings try to enable 'use ip firewall'

Thank you very much! :D
The solution was:
/interface bridge settings set use-ip-firewall=yes
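Putting the thread's pieces together as one configuration (an added example, not commands posted by anyone in the thread): the bridge setting that makes transit packets visible to the IP firewall, the two redirect rules restricted to clients in 10.20.30.0/24 talking to 1.2.3.4, and the commands to confirm it is working. Addresses are the ones used in the thread; `allow-remote-requests=yes` is an assumption, included because the builtin resolver must accept LAN queries for the redirect to be useful (the original post says it already answers clients).

```routeros
# Added example (not from the thread): complete RouterOS configuration
# combining the bridge setting and the NAT rules discussed above.

# 1. A bridged router does not pass transit frames through the layer-3
#    firewall by default; this makes bridged IP traffic traverse /ip firewall.
/interface bridge settings set use-ip-firewall=yes

# 2. The builtin resolver must accept queries from the LAN (assumed to be
#    set already, as the original post says the server answers clients).
/ip dns set allow-remote-requests=yes

# 3. Redirect only queries addressed to 1.2.3.4 to the router's own resolver;
#    queries to other resolvers (e.g. 8.8.8.8, 8.8.4.4) are left untouched.
/ip firewall nat add chain=dstnat action=redirect to-ports=53 \
    src-address=10.20.30.0/24 dst-address=1.2.3.4 dst-port=53 protocol=udp \
    comment="Intercept DNS requests and handle them by builtin server"
/ip firewall nat add chain=dstnat action=redirect to-ports=53 \
    src-address=10.20.30.0/24 dst-address=1.2.3.4 dst-port=53 protocol=tcp \
    comment="Intercept DNS requests and handle them by builtin server"

# 4. Verify: the rule counters should increase as clients resolve names,
#    and the answers should start appearing in the local cache.
/ip firewall nat print stats
/ip dns cache print
```

Once `use-ip-firewall=yes` is set, every IP packet crossing the bridge is processed by `/ip firewall filter` and `/ip firewall nat`, not just the DNS traffic these rules match, so review the existing filter rules before enabling it and confirm connection tracking is on (the question rodolfo raised), since NAT depends on it.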
