Sky18
Topic Author
Changing DNS does not work until reboot [Pi-hole related, specific DNS for specific IP]

Wed Mar 03, 2021 10:55 pm

Hi,

I have 2 MT routers.
MT2 provides WLAN and has several virtual WLANs, and is connected to MT1, the main router.
Every WLAN has its own IP address segment and address pool.
One of the virtual WLANs is protected by a Pi-hole connected to a different IP segment on MT1.
During the day the kids should only surf school related.
So I entered as DNS server 192.168.177.185 (which is the Pi-hole) in the DHCP Network settings for this virtual WLAN (10.10.50.0/24).
Works fine.
But in the evening the kids should have full access to internet, without re-routing through the Pi-hole.
Therefore DNS servers are set to 8.8.8.8 and 4.4.4.4 in the DHCP Network settings for this virtual WLAN.
The changes are not recognized by the system until MT2 (the WLAN router) is rebooted. ?:-|


To change the server settings I have two scheduled scripts:
Script 1
/ip dhcp-server network set 4 address=10.10.50.0/24 dns-server=8.8.8.8,4.4.4.4 gateway=10.10.50.1 comment="redirect DNS to 8.8.8.8+4.4.4.4"
Script 2
/ip dhcp-server network set 4 address=10.10.50.0/24 dns-server=192.168.177.185 gateway=10.10.50.1 comment="redirect DNS to Pi-hole 192.168.177.185"

What do I have to do that the DNS changes will be reflected in the connections promptly without rebooting MT2?

Thanks, Tom
Last edited by Sky18 on Tue Mar 09, 2021 7:40 pm, edited 2 times in total.
Emil66

Re: changing DNS does not work until reboot

Wed Mar 03, 2021 11:48 pm

The DHCP clients receive the DNS server addresses with their initial DHCP lease. Unless they disconnect from the network and reconnect, they do not get them again. If you want to make the change instantaneous, you can use NAT to redirect DNS requests to your filtering DNS server during the daytime.
Sky18
Topic Author

Re: changing DNS does not work until reboot  [SOLVED]

Tue Mar 09, 2021 6:10 pm

The DHCP clients receive the DNS server addresses with their initial DHCP lease. Unless they disconnect from the network and reconnect, they do not get them again. If you want to make the change instantaneous, you can use NAT to redirect DNS requests to your filtering DNS server during the daytime.

Thanks Emil66!
This was the needed hint to figure out the final configuration.


Following code example forces the DNS requests for one device (192.168.177.254) to the Pi-hole (192.168.177.185).

NAT rules:
/ip firewall nat add action=dst-nat chain=dstnat comment="transparent Proxy Pi-hole" dst-address=!192.168.177.185 dst-port=53 protocol=udp src-address=192.168.177.254 to-addresses=192.168.177.185
/ip firewall nat add action=dst-nat chain=dstnat comment="transparent Proxy Pi-hole" dst-address=!192.168.177.185 dst-port=53 protocol=tcp src-address=192.168.177.254 to-addresses=192.168.177.185
/ip firewall nat add action=masquerade chain=srcnat comment="transparent Proxy Pi-hole" dst-address=192.168.177.185 dst-port=53 protocol=udp src-address=192.168.177.254
/ip firewall nat add action=masquerade chain=srcnat comment="transparent Proxy Pi-hole" dst-address=192.168.177.185 dst-port=53 protocol=tcp src-address=192.168.177.254

Firewall rules to block Chromium (e.g. Chrome, Vivaldi, upcoming Edge) internal DNS, as this bypasses the Pi-hole:
/ip firewall filter add action=drop chain=forward comment="block chromium internal DNS 8.8.8.8+8.8.4.4 when \"transparent Proxy Pi-hole\" is active" dst-address=8.8.8.8 src-address=192.168.177.254
/ip firewall filter add action=drop chain=forward comment="block chromium internal DNS 8.8.8.8+8.8.4.4 when \"transparent Proxy Pi-hole\" is active" dst-address=8.8.4.4 src-address=192.168.177.254

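The configuration below is an added example and is not code from the thread or from MikroTik. It puts Emil66's suggestion and Sky18's final rules together into a form that actually switches on a schedule: the redirect and bypass-blocking rules are created once for the whole kids' subnet (10.10.50.0/24 from the first post, Pi-hole at 192.168.177.185) and are enabled and disabled by the scheduler instead of rewriting the DHCP network, so no reboot and no lease renewal is needed. Rules are toggled by comment rather than by rule number, because numbers shift whenever a rule is added or moved. The rule comment "kids-dns-redirect", the address-list name, the schedule times and the added DoH/DoT resolver addresses are assumptions for illustration; adjust them to the real network.

```routeros
# Added example, not from the original post. Assumes MT2 routes the kids'
# WLAN 10.10.50.0/24 and can reach the Pi-hole at 192.168.177.185 behind MT1.

# Redirect every plain-DNS query from the kids' subnet that is not already
# addressed to the Pi-hole. dst-nat only rewrites NEW connections, which is
# why the "on" script below also flushes existing tracked DNS flows.
/ip firewall nat
add chain=dstnat action=dst-nat protocol=udp dst-port=53 src-address=10.10.50.0/24 dst-address=!192.168.177.185 to-addresses=192.168.177.185 to-ports=53 comment=kids-dns-redirect
add chain=dstnat action=dst-nat protocol=tcp dst-port=53 src-address=10.10.50.0/24 dst-address=!192.168.177.185 to-addresses=192.168.177.185 to-ports=53 comment=kids-dns-redirect
# The Pi-hole lives on another subnet behind MT1; masquerade the redirected
# queries so its replies return via MT2 even if MT1 has no route to 10.10.50.0/24.
add chain=srcnat action=masquerade protocol=udp dst-port=53 src-address=10.10.50.0/24 dst-address=192.168.177.185 comment=kids-dns-redirect
add chain=srcnat action=masquerade protocol=tcp dst-port=53 src-address=10.10.50.0/24 dst-address=192.168.177.185 comment=kids-dns-redirect

# Close the bypasses the redirect cannot catch while it is active:
# DNS over TLS (TCP 853) and DNS-over-HTTPS to well-known public resolvers
# that browsers upgrade to automatically. The list is an assumption; extend it.
/ip firewall address-list
add list=kids-doh-block address=8.8.8.8 comment="Google DoH"
add list=kids-doh-block address=8.8.4.4 comment="Google DoH"
add list=kids-doh-block address=1.1.1.1 comment="Cloudflare DoH"
add list=kids-doh-block address=1.0.0.1 comment="Cloudflare DoH"
/ip firewall filter
add chain=forward action=drop protocol=tcp dst-port=853 src-address=10.10.50.0/24 comment=kids-dns-redirect
add chain=forward action=drop src-address=10.10.50.0/24 dst-address-list=kids-doh-block comment=kids-dns-redirect

# Daytime: enable the rules and drop tracked DNS connections from the kids'
# subnet so queries already "in flight" to 8.8.8.8 are re-evaluated.
# Evening: disable the same rules; DHCP settings are never touched.
/system scheduler
add name=kids-dns-on start-time=07:00:00 interval=1d on-event="/ip firewall nat enable [find comment=kids-dns-redirect]; /ip firewall filter enable [find comment=kids-dns-redirect]; /ip firewall connection remove [find src-address~\"^10[.]10[.]50[.]\" dst-address~\":53\"]"
add name=kids-dns-off start-time=20:00:00 interval=1d on-event="/ip firewall nat disable [find comment=kids-dns-redirect]; /ip firewall filter disable [find comment=kids-dns-redirect]"
```

To verify the switch without rebooting, run the on-event by hand (`/system scheduler run kids-dns-on`) and then from a client in 10.10.50.0/24 query an arbitrary resolver, e.g. `nslookup example.com 9.9.9.9`; the Pi-hole query log should show the request, and `/ip firewall nat print stats where comment=kids-dns-redirect` on MT2 should show the packet counters climbing. Note the caveat this design shares with the original rules: it only forces plain port-53 DNS. Any resolver reachable over HTTPS that is not on the block list still bypasses the Pi-hole, so the address list is a best-effort control, not a guarantee.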