Community discussions

MikroTik App
 
ekkas
Long time Member
Long time Member
Topic Author
Posts: 562
Joined: Mon Sep 26, 2005 1:01 pm
Location: South Africa

DNS proxy issue

Tue Nov 12, 2013 12:37 pm

Problem with ROS 6.6 but it started in 6.5 with DNS, basically caused slow browsing and random page timeouts.

We started getting timeouts on some websites and general Internet slowdown. It seemed to get progressively worse.
We restart main router and all is fine for sometimes a day, sometimes an hour.

We narrowed it down to, it seems Mikrotik DNS proxy, but I did not go into depths as I have a network that was slow/down so we made some changes as workaround. I still have a case that is not behaving as expected unless I'm missing something.
The DNS proxy used here (10.1.1.100) was a MT but changed to Linux Named/Bind server since, but results are same.
The domain being looked up is a split-horizon domain set up on the server.

SXT:
[admin@] /ip dns> pr
                servers: 10.1.1.100
        dynamic-servers: 
  allow-remote-requests: yes
    max-udp-packet-size: 512
   query-server-timeout: 2s
    query-total-timeout: 10s
             cache-size: 2048KiB
          cache-max-ttl: 1w
             cache-used: 266KiB
PC:
Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.0.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.1 <-SXT
If I do a lookup from PC directly to the Named server hosted domain, it works, but proxy via SXT does not.
However most other domains/hosts work, for some reason some requests are ignored.

Directly from PC to server:
C:\Users\User>nslookup www.true.co.za 10.1.1.100
Server:  UnKnown
Address:  10.1.1.100

Name:    true.co.za
Address:  72.9.231.106
Aliases:  www.true.co.za
From PC via SXT pointing to server:
C:\Users\User>nslookup www.true.co.za 192.168.0.1
Server: UnKnown
Address: 192.168.0.1

*** UnKnown can't find www.true.co.za: Non-existent domain
Also trying to ping hostname on SXT:
[admin@Ekkas] > /ping www.true.co.za
invalid value for argument address:
    invalid value of mac-address, mac address required
    invalid value for argument ipv6-address
    while resolving ip-address: name does not exist
What is strange is how this seemingly started to creep in and got worse to the point where +-50% of clients experienced some browsing issues.
Anyone experienced something like this or have some pointers for me to look at?
No filter/mangle/nat on the SXT apart from masquerade. No other rules on hops between SXT and 10.1.1.100 (DNS server).

Regards
 
User avatar
hendry
Frequent Visitor
Frequent Visitor
Posts: 60
Joined: Sat Jan 18, 2014 9:59 am
Location: Singapore
Contact:

Re: DNS proxy issue

Tue Jan 28, 2014 4:26 am

I tried to file a bug about this DNS issue but the bug tracker captcha does not work: http://s.natalian.org/2014-01-28/139087 ... 64x748.png
[admin@MikroTik] /ip dns> print
                servers: 8.8.4.4,8.8.8.8
        dynamic-servers: 165.21.83.88,165.21.100.88
  allow-remote-requests: yes
    max-udp-packet-size: 4096
   query-server-timeout: 2s
    query-total-timeout: 10s
             cache-size: 2048KiB
          cache-max-ttl: 1w
             cache-used: 187KiB
When I test any of 8.8.4.4,8.8.8.8,165.21.83.88,165.21.100.88 via dig, e.g.
dig foobar4.dabase.com @8.8.8.8
It's good and fast.

However the MikroTik DNS proxy is buggered. http://ix.io/a9O

Wrong initial results and slow. Absolute disaster.
RouterBOARD 4xRB952Ui-5ac2nD & 1xRB952Ui-5ac2nD
https://natalian.org/2017/08/20/Choosin ... _Ubiquiti/
 
Rudios
Forum Veteran
Forum Veteran
Posts: 966
Joined: Mon Mar 11, 2013 12:58 pm
Location: The Netherlands

Re: DNS proxy issue

Wed Jan 29, 2014 8:39 am

Problem with ROS 6.6 but it started in 6.5 with DNS, basically caused slow browsing and random page timeouts.

We started getting timeouts on some websites and general Internet slowdown. It seemed to get progressively worse.
We restart main router and all is fine for sometimes a day, sometimes an hour.

We narrowed it down to, it seems Mikrotik DNS proxy, but I did not go into depths as I have a network that was slow/down so we made some changes as workaround. I still have a case that is not behaving as expected unless I'm missing something.
The DNS proxy used here (10.1.1.100) was a MT but changed to Linux Named/Bind server since, but results are same.
The domain being looked up is a split-horizon domain set up on the server.

SXT:
[admin@] /ip dns> pr
                servers: 10.1.1.100
        dynamic-servers: 
  allow-remote-requests: yes
    max-udp-packet-size: 512
   query-server-timeout: 2s
    query-total-timeout: 10s
             cache-size: 2048KiB
          cache-max-ttl: 1w
             cache-used: 266KiB
PC:
Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.0.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.1 <-SXT
If I do a lookup from PC directly to the Named server hosted domain, it works, but proxy via SXT does not.
However most other domains/hosts work, for some reason some requests are ignored.

Directly from PC to server:
C:\Users\User>nslookup www.true.co.za 10.1.1.100
Server:  UnKnown
Address:  10.1.1.100

Name:    true.co.za
Address:  72.9.231.106
Aliases:  www.true.co.za
From PC via SXT pointing to server:
C:\Users\User>nslookup http://www.true.co.za 192.168.0.1
Server: UnKnown
Address: 192.168.0.1

*** UnKnown can't find http://www.true.co.za: Non-existent domain
Also trying to ping hostname on SXT:
[admin@Ekkas] > /ping www.true.co.za
invalid value for argument address:
    invalid value of mac-address, mac address required
    invalid value for argument ipv6-address
    while resolving ip-address: name does not exist
What is strange is how this seemingly started to creep in and got worse to the point where +-50% of clients experienced some browsing issues.
Anyone experienced something like this or have some pointers for me to look at?
No filter/mangle/nat on the SXT apart from masquerade. No other rules on hops between SXT and 10.1.1.100 (DNS server).

Regards
It seems to me that the RouterBoard is unable to reach the specified DNS server. Strange if the PC behind it can reach it.
Testing setup with: 2 x RB750UP | 2 x RB750GL | 1 x RB951G-2HnD | 1 x RB2011UiAS-IN
 
User avatar
LouisVisagie
just joined
Posts: 6
Joined: Wed May 29, 2013 9:32 pm
Location: South Africa

Re: DNS proxy issue

Wed Feb 19, 2014 5:56 pm

We are experiencing this exact same issue.
 
synclpz
just joined
Posts: 1
Joined: Sun Mar 16, 2014 4:27 pm

Re: DNS proxy issue

Sun Mar 16, 2014 4:33 pm

Just faced the same issue, after some investigation it appears that RouterOS was working ok, but had been exposed to a DNS attack described here http://dnsamplificationattacks.blogspot ... einfo.html

The router was under a heavy DDoS - thousands of ahuyehue.info records in cache, constantly updating at data rate ~3mbps!

The problem was that after switching to PPPoE I had not configured firewall rule to block "input" traffic from ppp... By default, mikrotik blocks only traffic from eth/sfp ISP interfaces, not ppp.
 
User avatar
hendry
Frequent Visitor
Frequent Visitor
Posts: 60
Joined: Sat Jan 18, 2014 9:59 am
Location: Singapore
Contact:

Re: DNS proxy issue

Mon Mar 17, 2014 10:57 am

Ah... that makes sense. I need to firewall these ports ASAP.
x220:~$ sudo nmap 121.7.219.77
Starting Nmap 6.40 ( http://nmap.org ) at 2014-03-17 16:54 SGT
Nmap scan report for bb121-7-219-77.singnet.com.sg (121.7.219.77)
Host is up (0.015s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
80/tcp   open  http
2000/tcp open  cisco-sccp
Nmap done: 1 IP address (1 host up) scanned in 4.25 seconds
Is there a guide to doing this is WebFIG I wonder? Surprised this is not the default, to block all incoming ports.
RouterBOARD 4xRB952Ui-5ac2nD & 1xRB952Ui-5ac2nD
https://natalian.org/2017/08/20/Choosin ... _Ubiquiti/
 
User avatar
sguox
Trainer
Trainer
Posts: 73
Joined: Fri Mar 09, 2012 6:23 pm

Re: DNS proxy issue

Mon Mar 17, 2014 11:03 am

Ah... that makes sense. I need to firewall these ports ASAP.
x220:~$ sudo nmap 121.7.219.77
Starting Nmap 6.40 ( http://nmap.org ) at 2014-03-17 16:54 SGT
Nmap scan report for bb121-7-219-77.singnet.com.sg (121.7.219.77)
Host is up (0.015s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
80/tcp   open  http
2000/tcp open  cisco-sccp
Nmap done: 1 IP address (1 host up) scanned in 4.25 seconds
Is there a guide to doing this is WebFIG I wonder? Surprised this is not the default, to block all incoming ports.
The default firewall is dropping any new connection from WAN (default WAN is ether1).
 
User avatar
hendry
Frequent Visitor
Frequent Visitor
Posts: 60
Joined: Sat Jan 18, 2014 9:59 am
Location: Singapore
Contact:

Re: DNS proxy issue

Mon Mar 17, 2014 11:08 am

The default firewall is dropping any new connection from WAN (default WAN is ether1).
Oh, are you saying perhaps that my connection to the fiber modem is off the wrong port maybe? Hmmm.

IIUC my internet connection goes out upon ether1-gateway which looks the same as vlan1.
RouterBOARD 4xRB952Ui-5ac2nD & 1xRB952Ui-5ac2nD
https://natalian.org/2017/08/20/Choosin ... _Ubiquiti/
 
User avatar
sguox
Trainer
Trainer
Posts: 73
Joined: Fri Mar 09, 2012 6:23 pm

Re: DNS proxy issue

Mon Mar 17, 2014 11:29 am

The default firewall is dropping any new connection from WAN (default WAN is ether1).
Oh, are you saying perhaps that my connection to the fiber modem is off the wrong port maybe? Hmmm.

IIUC my internet connection goes out upon ether1-gateway which looks the same as vlan1.
if you are on VLAN, the firewall interface should be the VLAN interface, not the physical interface. You can change this on each rule in IP>Firewall>Filter
 
und3ath
Frequent Visitor
Frequent Visitor
Posts: 55
Joined: Mon Mar 23, 2009 7:01 pm

Re: DNS proxy issue

Tue Mar 18, 2014 11:55 pm

Exactly the same issue by me. DNS resolving is incredible slow from last friday (14.3.2014)
When I use Mikrotik DNS cache, it is slow, but when I change DNS on my PC to IP of my ISP, it is working ok.

Who is online

Users browsing this forum: andriys, Feche, Google Feedfetcher, MSN [Bot], rednib and 193 guests