laurenettaieb91
just joined
Topic Author
Posts: 13
Joined: Sat Dec 31, 2022 3:41 pm

DNS Issue

Mon Sep 09, 2024 12:57 am

Hi MikroTik users,
I have an issue with my CCR1036.
I have configured DNS to make the router a cache server with:
- Static DNS: my NAS on the LAN, which manages local addresses
- OpenDNS servers
- Dynamic servers (uplink routers)

I have set the router address in the DHCP configuration of the LAN.

It works, but after a couple of minutes the requests either generate a timeout or the responses are seriously delayed.
I checked the logs and couldn't find any error.

Any help is welcome.
Thanks
 
vingjfg
Member
Posts: 389
Joined: Fri Oct 20, 2023 1:45 pm

Re: DNS Issue

Mon Sep 09, 2024 8:12 am

Hi there. What version are you running?

Can you send an export of your DNS config?

When you have the issue, how many entries are in the DNS cache?
 
laurenettaieb91

Re: DNS Issue

Mon Sep 09, 2024 3:01 pm

Sure,
I'm running v7.15 of the firmware on a CCR1036-8G-2S+.
My DNS records are as follows:
- My local DNS server on the LAN (Synology NAS DNS Server)
- then public DNS servers:
  208.67.220.220
  208.67.220.222
  208.67.222.220
- Dynamic servers: the 2 ISP access router addresses (FTTH & 5G)

VRF: main
Max UDP packet size: 4096
Query server timeout: 2000
Query total timeout: 10000

When I refer to the local DNS server in the DHCP configuration, everything works smoothly, but obviously the router cache isn't used...

I look to have less than 300 records in the Draft.

Thanks
Laurent
 
laurenettaieb91

Re: DNS Issue

Tue Sep 10, 2024 8:54 pm

I found the issue, I guess.
When using DNS servers other than:
208.67.220.220
208.67.220.222
208.67.222.220

it works well.
Not sure why.
 
laurenettaieb91

Re: DNS Issue

Wed Sep 11, 2024 1:20 am

I was optimistic. Still very slow in resolving names...
 
MTNick
Frequent Visitor
Posts: 91
Joined: Fri Nov 24, 2023 6:43 am

Re: DNS Issue

Wed Sep 11, 2024 4:26 pm

Greetings. Do you have allow remote requests enabled?

You can also export your config so it can be looked at, delete or mask any important info from it:
/export file=anyname
/ip dns
set allow-remote-requests=yes servers=76.76.2.2,76.76.10.2,1.1.1.2,1.1.1.1
 
laurenettaieb91

Re: DNS Issue

Fri Sep 13, 2024 1:21 am

Here we are.
I have moved the DNS to my local DNS server (192.168.0.28) atm, as the router cache is not working the way it should:

# 2024-09-13 00:11:41 by RouterOS 7.15
# software id = NM5S-Y70D
#
# model = CCR1036-8G-2S+
# serial number = xxxxx

/ip pool
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.28 domain=familletaieb.fr \
    gateway=192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes cache-size=40960KiB servers=\
    192.168.0.28,80.67.169.12,80.67.169.40
/ip dns adlist
add ssl-verify=no url=\
    https://raw.githubusercontent.com/Steve ... ster/hosts

"Mail Attacker"
/ip firewall nat
add action=redirect chain=dstnat disabled=yes dst-port=53 protocol=udp \
    to-ports=53
add action=redirect chain=dstnat disabled=yes dst-port=53 protocol=tcp \
    to-ports=53
/ip firewall raw
add action=drop chain=prerouting comment="Block DNS Requests from WAN" \
    dst-port=53 in-interface-list=WAN log=yes log-prefix=\
    "Prerouting Drop DNS Requests from the WAN" protocol=udp \
    src-address-list=!Trusted_IP
 
MTNick

Re: DNS Issue

Fri Sep 13, 2024 4:32 am

Greetings. That's nowhere close to the config requested. If your goal is to have the MikroTik handle the DNS requests, below is a firewall config that'll work, and it'll redirect any requests back to the MikroTik. It is also a better implementation for blocking any unauthorized DNS requests coming in on port 53, using Raw.

In the MikroTik DHCP server, make sure your dns-server is specified. I've included this as well below.

Either copy what is below or edit your config/firewall to be as close as possible to it, including the order they're in.

Edit: Forgot about the dhcp-client. If you're using a DHCP client for the ISP, on, say, ether1, make sure "use peer dns" is unticked (off).

/ip dhcp-client
add interface=ether1 use-peer-dns=no 

/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1

/ip dns
set allow-remote-requests=yes servers=208.67.220.220,208.67.220.222,208.67.222.220

/ip firewall address-list
add address=208.67.220.220 comment="Allowed DNS Servers" list=allowed_DNS
add address=208.67.220.222 list=allowed_DNS
add address=208.67.222.220 list=allowed_DNS

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log-prefix=drop-invalid-input
add action=accept chain=input comment="defconf: accept to local loopback" dst-address=127.0.0.1
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept all coming from LAN" in-interface-list=LAN
add action=drop chain=input comment="defconf: drop all else" log-prefix=DROP-else
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log-prefix=drop-invalid
add action=accept chain=forward comment="defconf: internet access" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="defconf: port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="defconf: drop all else" log=yes log-prefix=DROP-else

/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN 
add action=redirect chain=dstnat comment="Redirect DNS to Mikrotik DNS Server - TCP" dst-port=53 in-interface-list=LAN protocol=tcp to-ports=53
add action=redirect chain=dstnat comment="Redirect DNS to Mikrotik DNS Server - UDP" dst-port=53 in-interface-list=LAN log-prefix=redirect_DNS protocol=udp to-ports=53

/ip firewall raw
add action=drop chain=prerouting comment="drop non-legit DNS requests" dst-port=53 in-interface-list=WAN log-prefix=RAW-DROP-DNS-tcp protocol=tcp src-address-list=!allowed_DNS
add action=drop chain=prerouting dst-port=53 in-interface-list=WAN log-prefix=RAW-DROP-DNS-udp protocol=udp src-address-list=!allowed_DNS
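As an added example (not part of this thread and not RouterOS code), a small pure-Python DNS probe for checking the symptom described in this thread from a LAN host: it sends an A query over UDP with a 2 s timeout (the same value as the OP's query-server-timeout), rejects replies whose transaction id does not match, times the round trip, and reports the answer TTL. Querying the router twice a second or more apart shows whether the second answer came from the router's cache (the TTL counts down) or was forwarded again; querying each upstream resolver directly shows whether the delay is on the router or on the upstream. The server addresses in the `__main__` block and the embedded reply `SAMPLE_RESPONSE` are constructed for the example; the probe contacts a real server only when `probe()` is called.

```python
"""Pure-Python DNS probe (added example, not from the thread or RouterOS).

Sends an A query over UDP, times the round trip, and reports rcode, TTL and
answer so a LAN host can compare the router cache against the upstream
resolvers. SAMPLE_RESPONSE is a constructed reply used for offline checks.
"""
import random
import socket
import struct
import time

QTYPE_A = 1
QCLASS_IN = 1


def build_query(name, qid=None):
    """Return (packet, id) for a recursive A query for `name`."""
    if qid is None:
        qid = random.randrange(0, 65536)  # random id: part of spoofing resistance
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack(">HH", QTYPE_A, QCLASS_IN), qid


def _read_name(data, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels = []
    end = None  # offset just after the first compression pointer, if any
    hops = 0
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack(">H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(data, expected_id):
    """Parse a reply; reject a transaction id that does not match our query."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", data[:12])
    if qid != expected_id:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    off = 12
    for _ in range(qdcount):
        _, off = _read_name(data, off)
        off += 4  # skip qtype + qclass
    answers = []
    for _ in range(ancount):
        name, off = _read_name(data, off)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((name, ttl, socket.inet_ntoa(rdata)))
    return {
        "rcode": flags & 0x000F,
        "truncated": bool(flags & 0x0200),  # TC set: the client should retry over TCP
        "answers": answers,
    }


def probe(server, name, timeout=2.0):
    """Query `server` for `name`; return round-trip ms and the parsed answer."""
    packet, qid = build_query(name)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.sendto(packet, (server, 53))
        data, _ = sock.recvfrom(4096)  # 4096 matches the OP's max-udp-packet-size
    except socket.timeout:
        return {"server": server, "ms": None, "error": "timeout"}
    finally:
        sock.close()
    result = parse_response(data, qid)
    result["server"] = server
    result["ms"] = round((time.monotonic() - start) * 1000, 1)
    return result


def looks_cached(first, second):
    """Heuristic: same record answered again with a TTL that has counted down."""
    if not first.get("answers") or not second.get("answers"):
        return False
    (n1, ttl1, ip1), (n2, ttl2, ip2) = first["answers"][0], second["answers"][0]
    return n1 == n2 and ip1 == ip2 and ttl2 < ttl1


# Constructed reply: id 0x1234, flags QR/RD/RA, one A record for example.com
# with TTL 300; the answer name is a pointer to the question name at offset 12.
SAMPLE_RESPONSE = (
    struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack(">HH", QTYPE_A, QCLASS_IN)
    + b"\xc0\x0c" + struct.pack(">HHIH", QTYPE_A, QCLASS_IN, 300, 4)
    + bytes([93, 184, 216, 34])
)

if __name__ == "__main__":
    # Router first (192.168.0.1 in the thread), then an upstream resolver;
    # the router is queried twice so looks_cached() can judge the second answer.
    first = probe("192.168.0.1", "example.com")
    time.sleep(1.5)
    second = probe("192.168.0.1", "example.com")
    print(first, second, "cached:", looks_cached(first, second))
    print(probe("208.67.220.220", "example.com"))
```

Run it from a LAN client while the slowdown is happening. A router answer with `ms` in the low single digits and `looks_cached` True means the cache is serving; a router answer that is as slow as the direct upstream query (or a `timeout`) points at the forwarding path or at the upstream server itself, which is what the OP observed when swapping resolvers. Note that with the redirect rules above in place, a query sent from the LAN to 208.67.220.220 is transparently answered by the router, so direct upstream latency has to be measured from a host that is not behind the redirect.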
 
laurenettaieb91

Re: DNS Issue

Sat Sep 14, 2024 12:50 am

Thanks MTNick,
I'll try the config and let the forum know if that works in my env.

Best
Laurent
