abbio90
Member, Topic Author
Posts: 437
Joined: Fri Aug 27, 2021 9:16 pm
Location: Oristano

Force DNS request

Mon Nov 11, 2024 11:16 pm

I have an AdGuard container on MikroTik. It works perfectly. I wanted to make a node so that if someone changes the DNS in the network card, all traffic is directed to AdGuard. I created this rule:
/ip firewall nat add chain=dstnat src-address-list=!pi-hole protocoll=udp dst-port=53 action=dst-nat to-address=10.1.1.2

where 10.1.1.2 is the DNS server. Is that all, or am I missing something?
 
anav
Forum Guru
Posts: 21696
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Force DNS request

Tue Nov 12, 2024 5:06 am

1. Ensure all users requiring adguard have a forward chain allow rule to reach 10.1.1.2

2. You need two dstnat rules (one for UDP and one for TCP), and protocol has to be spelled correctly.

So:
/ip firewall nat
add chain=dstnat src-address-list=!pi-hole protocol=udp dst-port=53 action=dst-nat to-address=10.1.1.2
add chain=dstnat src-address-list=!pi-hole protocol=tcp dst-port=53 action=dst-nat to-address=10.1.1.2


Assuming the source address list at a minimum includes 10.1.1.2 and perhaps any other devices not being pushed to AdGuard.
Also note, in the DHCP server network for AdGuard, be careful that you don't loop AdGuard to itself there either...

For example assuming 3 subnets, you should be doing this:
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=10.1.1.2 gateway=192.168.1.1
add address=192.168.2.0/24 comment=defconf dns-server=10.1.1.2 gateway=192.168.2.1
add address=10.1.1.0/24 comment=defconf dns-server=10.1.1.1 gateway=10.1.1.1
 
mkx
Forum Guru
Posts: 12857
Joined: Thu Mar 03, 2016 10:23 pm

Re: Force DNS request

Tue Nov 12, 2024 1:53 pm

3. If LAN clients are on the same subnet as pi-hole, then you need to implement the SRC NAT part of hairpin NAT.
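The complete RouterOS v7 configuration that anav's points 1 and 2 and mkx's point 3 describe, as an added example that is not the original poster's or the repliers' own config. It assumes the AdGuard container sits on a veth at 10.1.1.2/30 with the router at 10.1.1.1, that the client VLANs are 192.168.1.0/24 and 192.168.2.0/24 with existing DHCP networks, and it keeps the thread's "pi-hole" address-list name; all of those addresses are assumptions to adapt.

```routeros
# Added example, not the poster's config. Assumed addressing: AdGuard container
# 10.1.1.2/30 (router side 10.1.1.1), client VLANs 192.168.1.0/24 and
# 192.168.2.0/24, exemption list named "pi-hole" as in the thread.

/ip firewall address-list
# Sources that must keep direct DNS access: the resolver itself (it has to
# reach its upstream on port 53, otherwise it would be redirected to itself)
# and the router.
add list=pi-hole address=10.1.1.2 comment="AdGuard container"
add list=pi-hole address=10.1.1.1 comment="router"

/ip firewall nat
# Redirect any plain DNS that does not come from the exempt list and is not
# already addressed to AdGuard. Both transports are needed: truncated answers
# and large responses fall back to TCP.
add chain=dstnat src-address-list=!pi-hole dst-address=!10.1.1.2 protocol=udp dst-port=53 action=dst-nat to-addresses=10.1.1.2 comment="force UDP DNS to AdGuard"
add chain=dstnat src-address-list=!pi-hole dst-address=!10.1.1.2 protocol=tcp dst-port=53 action=dst-nat to-addresses=10.1.1.2 comment="force TCP DNS to AdGuard"
# Hairpin case (mkx, point 3): only when a client shares a subnet with the
# resolver (say resolver 192.168.1.2, client 192.168.1.50) the reply would go
# from the resolver straight to the client, with a source address the client
# never sent to, and be discarded. Masquerading makes the resolver answer the
# router, which un-NATs it. Not needed when the container is on its own /30.
# add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.2 protocol=udp dst-port=53 action=masquerade comment="hairpin DNS"
# add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.2 protocol=tcp dst-port=53 action=masquerade comment="hairpin DNS tcp"

/ip firewall filter
# The forward chain sees the packet after dst-nat, so match the translated
# destination. These must sit above any "drop everything else" forward rule
# (anav, point 1).
add chain=forward action=accept dst-address=10.1.1.2 protocol=udp dst-port=53 comment="clients -> AdGuard"
add chain=forward action=accept dst-address=10.1.1.2 protocol=tcp dst-port=53 comment="clients -> AdGuard (tcp)"

/ip dhcp-server network
# Hand AdGuard to the client subnets. The container's /30 is statically
# addressed and has no DHCP network; AdGuard's own upstream is configured
# inside AdGuard, so nothing here can point it back at itself.
set [find address=192.168.1.0/24] dns-server=10.1.1.2
set [find address=192.168.2.0/24] dns-server=10.1.1.2

# Verify: from a client with a hard-coded resolver such as 8.8.8.8, run a
# lookup; the counters on the two dst-nat rules must climb and the query
# must appear in AdGuard's query log.
/ip firewall nat print stats where comment~"AdGuard"
```

Two details worth checking against the thread's own rule: the property is `to-addresses` (the CLI accepts the shorter `to-address` only because it is an unambiguous prefix), and `src-address-list=!pi-hole` is the only thing stopping AdGuard's own upstream queries from being looped back to the container, so the list must contain 10.1.1.2 before the NAT rules are enabled.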
 
abbio90
Member, Topic Author

Re: Force DNS request

Tue Nov 12, 2024 4:13 pm

AdGuard is in a container on MikroTik itself, so it has a veth /30. The clients are on multiple VLANs with different subnets from the server.
 
abbio90
Member, Topic Author

Re: Force DNS request

Wed Nov 13, 2024 12:11 am

I think the problem is DoH. If I do a torch I see requests towards 8.8.8.8:443, so AdGuard is skipped. How do I manage these requests so that everything is processed by AdGuard?
 
mkx
Forum Guru

Re: Force DNS request

Wed Nov 13, 2024 6:53 am

abbio90 wrote: I think the problem is DoH. If I do a torch I see requests towards 8.8.8.8:443, so AdGuard is skipped. How do I manage these requests so that everything is processed by AdGuard?

You don't manage DoH requests, you live with it.
 
abbio90
Member, Topic Author

Re: Force DNS request

Wed Nov 13, 2024 9:42 am

 
mkx
Forum Guru

Re: Force DNS request

Wed Nov 13, 2024 12:11 pm


Yes, this would help ... but you'd have to constantly update the list of DoH servers ... so it's a moving target.
 
abbio90
Member, Topic Author

Re: Force DNS request  [SOLVED]

Thu Nov 14, 2024 12:10 am

I solved it by implementing a DoH list and a list update script.
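One way to build the "DoH list and list update script" of the solution, and the firewall rules that use it, as an added example that is not abbio90's script. It assumes a RouterOS v7 router, the "pi-hole" exemption list from the thread, an address-list named `doh`, and a hypothetical plain-text list at `$url` with one DoH hostname or IP per line and `#` comment lines; the URL and the list format are assumptions, not something the thread names.

```routeros
# Added example, not the poster's script. Assumed: address-list "doh",
# exemption list "pi-hole" from the thread, and a hypothetical text list at
# $url (one hostname or IP per line, "#" starts a comment).

# --- 1. Enforcement rules, added once ---
/ip firewall filter
# DoH is TCP 443 to a resolver on the list. reject + tcp-reset makes clients
# give up and fall back to plain DNS (which the dst-nat rules capture) faster
# than a silent drop. DoH over HTTP/3 uses QUIC on UDP 443, so cover that too.
add chain=forward src-address-list=!pi-hole dst-address-list=doh protocol=tcp dst-port=443 action=reject reject-with=tcp-reset comment="block DoH"
add chain=forward src-address-list=!pi-hole dst-address-list=doh protocol=udp dst-port=443 action=drop comment="block DoH over QUIC"
# DNS over TLS has a fixed port, so no list is needed for it.
add chain=forward src-address-list=!pi-hole protocol=tcp dst-port=853 action=reject reject-with=tcp-reset comment="block DoT"

# --- 2. Body of /system script "update-doh-list" ---
# The URL below is a placeholder; point it at the list you maintain.
:local url "https://lists.example.invalid/doh-servers.txt"
:local fileName "doh-servers.txt"
:local listName "doh"

/tool fetch url=$url mode=https dst-path=$fileName
:delay 2s
:local data [/file get $fileName contents]

# Drop only the entries this script created last time; hand-added ones stay.
/ip firewall address-list remove [find list=$listName comment="doh auto"]

:local pos 0
:local len [:len $data]
:local added 0
:while ($pos < $len) do={
    :local nl [:find $data "\n" $pos]
    :if ([:typeof $nl] = "nil") do={ :set nl $len }
    :local line [:pick $data $pos $nl]
    :set pos ($nl + 1)
    :if ([:len $line] > 0) do={
        # strip the CR of CRLF lists
        :if ([:pick $line ([:len $line] - 1)] = "\r") do={
            :set line [:pick $line 0 ([:len $line] - 1)]
        }
    }
    :if ([:len $line] > 0) do={
        :if ([:pick $line 0] != "#") do={
            # address-list accepts FQDNs and keeps re-resolving them, so the
            # list may carry names such as dns.google as well as bare IPs.
            :do {
                /ip firewall address-list add list=$listName address=$line comment="doh auto"
                :set added ($added + 1)
            } on-error={ :log warning ("doh list: could not add " . $line) }
        }
    }
}
/file remove $fileName
:log info ("doh list: " . $added . " entries loaded")

# --- 3. Refresh daily, since (as mkx said) the list is a moving target ---
/system scheduler add name=update-doh-list interval=1d start-time=03:00:00 on-event=update-doh-list
```

Give the script the read, write, test and ftp policies so `/tool fetch` can write the file and the script can edit the address list. Two caveats a practitioner should keep in mind: the IP-list approach only catches resolvers you know about (DoH on an arbitrary host looks like any other HTTPS), and `/file get ... contents` is size-limited on older RouterOS versions, so a very long list may need splitting.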
