rviteri
Frequent Visitor
Topic Author
Posts: 84
Joined: Fri Nov 18, 2011 5:53 pm

Redirect dns lookup of .local domain to a single DNS server

Wed Sep 03, 2014 5:47 am

Hi All,

I run a network over vpns and I am routing across the vpn multiple networks. I want to keep a central MK (say 10.0.11.254) with static DNS entries for machines across the network, so I am wondering how can each remote router perform a DNS request to this router (10.0.11.254) only when resolving hostnames that end with .local

Would this be done using REGEX?

Thanks!
 
rextended
Forum Guru
Posts: 2954
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Redirect dns lookup of .local domain to a single DNS ser

Fri Sep 05, 2014 2:03 am

Actually, it is not possible.
I'm Italian, not English. Sorry for my imperfect grammar.
 
psamsig
Member Candidate
Posts: 161
Joined: Sun Dec 06, 2009 1:36 pm
Location: Denmark

Re: Redirect dns lookup of .local domain to a single DNS ser

Sat Sep 06, 2014 2:56 am

Sure it is. Something like this should do the work. Requests come in on 'ether1' aimed at the router, and all requests for *.local will be redirected to 1.1.1.1
/ip firewall layer7-protocol
add name="DNS .local" regexp="\\x05local"

/ip firewall mangle
add chain=prerouting protocol=udp dst-port=53 in-interface=ether1 layer7-protocol="DNS .local" action=mark-packet new-packet-mark="DNS .local" passthrough=no

/ip firewall nat
add chain=dstnat protocol=udp dst-port=53 in-interface=ether1 packet-mark="DNS .local" action=dst-nat to-addresses=1.1.1.1
add chain=srcnat protocol=udp dst-port=53 packet-mark="DNS .local" action=masquerade
 
rextended
Forum Guru
Posts: 2954
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Redirect dns lookup of .local domain to a single DNS ser

Sat Sep 06, 2014 10:21 am

Sure it is. Something like this should do the work. Requests come in on 'ether1' aimed at the router, and all requests for *.local will be redirected to 1.1.1.1
/ip firewall layer7-protocol
add name="DNS .local" regexp="\\x05local"

/ip firewall mangle
add chain=prerouting protocol=udp dst-port=53 in-interface=ether1 layer7-protocol="DNS .local" action=mark-packet new-packet-mark="DNS .local" passthrough=no

/ip firewall nat
add chain=dstnat protocol=udp dst-port=53 in-interface=ether1 packet-mark="DNS .local" action=dst-nat to-addresses=1.1.1.1
add chain=srcnat protocol=udp dst-port=53 packet-mark="DNS .local" action=masquerade
OK, some review and some hints.
/ip firewall layer7-protocol
add name="DNS .local" regexp="\\x05local" <-- This also matches, for example, www.localtaxi.com; the next character expected after the end of the name inside the DNS packet must be included.

/ip firewall mangle
add chain=prerouting protocol=udp dst-port=53 in-interface=ether1 layer7-protocol="DNS .local" action=mark-packet new-packet-mark="DNS .local" passthrough=no
add chain=prerouting protocol=tcp dst-port=53 in-interface=ether1 layer7-protocol="DNS .local" action=mark-packet new-packet-mark="DNS .local" passthrough=no

/ip firewall nat
add chain=dstnat protocol=udp dst-port=53 in-interface=ether1 packet-mark="DNS .local" action=dst-nat to-addresses=1.1.1.1
add chain=dstnat protocol=tcp dst-port=53 in-interface=ether1 packet-mark="DNS .local" action=dst-nat to-addresses=1.1.1.1
add chain=srcnat protocol=udp dst-port=53 packet-mark="DNS .local" action=masquerade <-- Is this really needed?
add chain=srcnat protocol=tcp dst-port=53 packet-mark="DNS .local" action=masquerade <-- Is this really needed?
I'm Italian, not English. Sorry for my imperfect grammar.
 
psamsig
Member Candidate
Posts: 161
Joined: Sun Dec 06, 2009 1:36 pm
Location: Denmark

Re: Redirect dns lookup of .local domain to a single DNS ser

Sat Sep 06, 2014 11:22 am

Well, you are right that you can get false positive matches, but not with something like www.localtaxi.com, only with something like local.com or www.local.com (the \x05 part makes sure of that). I have tried a few ways to enhance it, and this filters even them out:
/ip firewall layer7-protocol
add name="DNS .local" regexp="\\x05local\\x01\\x01"
The L7 regex matcher filters out all \x00, so you can't match on them, but you can match on what is left.

This only works for UDP DNS requests; TCP connections will already have been established before the data packet arrives, so it will be too late to redirect. So there is no need for TCP matching. On the other hand, if the DNS requests are TCP based, then there is no way for RouterOS to redirect them; that would require a true DNS forwarder capability (hint hint, nudge nudge, MikroTik).

The masquerade NAT rule is needed so replies come back to the router, so they can be properly NATed back to the client; otherwise they will be sent directly to the client from an unexpected host.
 
rextended
Forum Guru
Posts: 2954
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Redirect dns lookup of .local domain to a single DNS ser

Sat Sep 06, 2014 1:34 pm

Well done and well explained:

+2 Karma.
I'm Italian, not English. Sorry for my imperfect grammar.
 
bkuhn
Frequent Visitor
Posts: 73
Joined: Fri Oct 15, 2010 12:17 am

Re: Redirect dns lookup of .local domain to a single DNS ser

Fri Dec 19, 2014 2:29 am

I will admit, I don't know anything about REGEX expressions.

Could you please tell me how to form the REGEX expression if I wanted a specific domain DNS redirected? Using your example above, it would be domain.com instead of domain.local. What does the /05x mean?
 
Sob
Forum Guru
Posts: 5891
Joined: Mon Apr 20, 2009 9:11 pm

Re: Redirect dns lookup of .local domain to a single DNS ser

Fri Dec 19, 2014 7:53 am

\x05 = length of the following hostname part; that's how names are encoded in DNS packets

domain.com => regexp="\\x06domain\\x03com"
domain.info => regexp="\\x06domain\\x04info"
test.com => regexp="\\x04test\\x03com"
domain.local => regexp="\\x06domain\\x05local"
sub.domain.test => regexp="\\x03sub\\x06domain\\x04test"

The trailing \\x01\\x01, to filter out false positives (as suggested by psamsig), looks like a good idea, but the first \\x01 is actually the query type, so it will match A record queries only. To match all record types, this should work (but I can't test it now):

domain.com => regexp="\\x06domain\\x03com.\\x01"
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
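As an added example that is not part of the thread (not MikroTik's code and not any poster's), the Python below builds real DNS query packets, encodes names the way Sob's table shows (length byte before each label), strips NUL bytes the way psamsig describes the layer7 matcher doing, and then checks which of the three regexp variants discussed here (bare `\x05local`, the A-only `\x05local\x01\x01`, and the any-type `\x05local.\x01`) match which queries, including the www.local.com false positive. The NUL stripping, case-insensitive matching and DOTALL `.` are assumptions that model the matcher's behaviour as described in the thread, not a reimplementation of RouterOS; `l7_regexp`, `config_line`, `build_query` and the sample names are constructed for this example.

```python
import re
import struct

# Constructed example: models a DNS query on the wire and how a RouterOS-style
# layer7 regexp sees it. Not taken from the thread or from RouterOS itself.

def encode_qname(name: str) -> bytes:
    """Encode a hostname as a DNS wire-format name: each label prefixed by its
    length byte, terminated by a zero-length label (\\x00)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name: str, qtype: int = 1, txn_id: int = 0x1234) -> bytes:
    """Build a minimal DNS query: 12-byte header plus one question, class IN (1).
    qtype 1 = A, 28 = AAAA. (Constructed packet, not a capture.)"""
    header = struct.pack(">HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    return header + encode_qname(name) + struct.pack(">HH", qtype, 1)

def l7_regexp(domain: str, all_types: bool = True) -> str:
    """Regexp for queries whose name ends in `domain`, in the form used in the
    thread: length byte + label per component. The suffix pins the match to the
    end of the name: "\\x01\\x01" (qtype low byte + class) only matches A
    queries, ".\\x01" accepts any qtype low byte followed by class IN."""
    parts = ["\\x%02x%s" % (len(label), label)
             for label in domain.rstrip(".").split(".")]
    return "".join(parts) + (".\\x01" if all_types else "\\x01\\x01")

def config_line(rule_name: str, domain: str, all_types: bool = True) -> str:
    """The /ip firewall layer7-protocol line; RouterOS strings double the backslash."""
    escaped = l7_regexp(domain, all_types).replace("\\", "\\\\")
    return 'add name="%s" regexp="%s"' % (rule_name, escaped)

def l7_view(packet: bytes) -> bytes:
    """The payload as the layer7 matcher sees it (assumption from the thread):
    all \\x00 bytes dropped, so the name terminator and the high bytes of
    qtype/qclass vanish."""
    return packet.replace(b"\x00", b"")

def l7_matches(regexp: str, packet: bytes) -> bool:
    """Apply the regexp to the matcher's view. Case-insensitive, and '.' must
    match any byte value (DOTALL); both are assumptions about layer7 behaviour."""
    pattern = re.compile(regexp.encode("ascii"), re.DOTALL | re.IGNORECASE)
    return pattern.search(l7_view(packet)) is not None

if __name__ == "__main__":
    print(config_line("DNS .local", "local"))
    for name, qtype in [("foo.local", 1), ("www.local.com", 1), ("host.local", 28)]:
        pkt = build_query(name, qtype)
        bare = l7_matches("\\x05local", pkt)                  # as first posted
        a_only = l7_matches(l7_regexp("local", False), pkt)   # \x05local\x01\x01
        any_type = l7_matches(l7_regexp("local"), pkt)        # \x05local.\x01
        print("%-14s qtype=%-2d bare=%-5s A-only=%-5s any-type=%s"
              % (name, qtype, bare, a_only, any_type))
```

Running it shows the three outcomes the thread argues over: the bare pattern matches www.local.com (false positive), the `\x01\x01` suffix rejects it but also rejects an AAAA query for host.local, and the `.\x01` suffix rejects the false positive while accepting any record type. The UDP-only caveat psamsig raises is unaffected by the regexp choice, since the TCP stream is already established before the question bytes arrive.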