nagylzs
Member
Topic Author
Posts: 353
Joined: Sun May 26, 2019 2:08 pm

split DNS setup problem

Sun May 29, 2022 11:15 am

I have a site-to-site connection between two routers over wireguard.

Site A: router.lacinet address 192.168.14.254/24
Site B: router.kavicsnet address 192.168.18.254/24

Split-DNS is not working. Example:
[gandalf@router.lacinet] > /ping 192.168.18.254
  SEQ HOST                                     SIZE TTL TIME       STATUS
    0 192.168.18.254                             56  64 39ms412us
    1 192.168.18.254                             56  64 41ms493us
    2 192.168.18.254                             56  64 38ms510us
    sent=3 received=3 packet-loss=0% min-rtt=38ms510us avg-rtt=39ms805us max-rtt=41ms493us

[gandalf@router.lacinet] > /ping borika-pc.kavicsnet
invalid value for argument address:
    invalid value of mac-address, mac address required
    invalid value for argument ipv6-address
    while resolving ip-address: name does not exist
[gandalf@router.lacinet] > :put [/resolve borika-pc.kavicsnet]
failure: dns name does not exist
[gandalf@router.lacinet] > :put [/resolve borika-pc.kavicsnet server=192.168.18.254]
192.168.18.199
[gandalf@router.lacinet] >
So router.lacinet can see router.kavicsnet. DNS works when I specify the server directly. But it does not work when I do not specify the server.

Here is my split DNS setup:
[gandalf@router.lacinet] > /ip/dns/static/
[gandalf@router.lacinet] /ip/dns/static> print detail where type=FWD
Flags: D - dynamic; X - disabled
 0    regexp=".*\.visznet" type=FWD forward-to=192.168.5.254 ttl=1d

 1    ;;; visznet
      regexp=".*\.5\.168\.192.\in-addr\.arpa" type=FWD forward-to=192.168.5.254 ttl=1d

 2    regexp=".*\.kavicsnet" type=FWD forward-to=192.168.18.254 ttl=1d

 3    ;;; kavicsbanya-base
      regexp=".*\.18\.168\.192.\in-addr\.arpa" type=FWD forward-to=192.168.18.254 ttl=1d

It is even more disturbing that it works with other site-to-site networks. Example:
[gandalf@router.lacinet] /ip/dns/static> :put [/resolve sanyi-pc.visznet]
192.168.5.104
But with this particular network, it does not want to work. Since the direct request to the remote DNS server works, I think we can rule out any firewall or connection problem.

What is happening here?
 
mkx
Forum Guru
Posts: 11440
Joined: Thu Mar 03, 2016 10:23 pm

Re: split DNS setup problem

Sun May 29, 2022 2:33 pm

IMO the problem is that MT's DNS server doesn't perform recursive lookups. In your case it would have to because of FWD record. Any other DNS client seeing this record would know to contact next hop DNS server, but MT doesn't.

In short, DNS server in ROS is very limited in functionality and if trivial functions are not enough, you should install proper DNS server (e.g. pihole running on a raspberry pi) in your network.
 
nagylzs
Member
Topic Author
Posts: 353
Joined: Sun May 26, 2019 2:08 pm

Re: split DNS setup problem

Sun May 29, 2022 5:01 pm

If that is true, then why is it working for the other network (and other FWD record)?
 
mkx
Forum Guru
Posts: 11440
Joined: Thu Mar 03, 2016 10:23 pm

Re: split DNS setup problem

Sun May 29, 2022 5:22 pm

Error message mentioning MAC address makes me think problem might actually involve routing config ... an obscure one for sure. But without knowing all the config (possibly of both routers) and exact network layout it's a guessing game.
 
nagylzs
Member
Topic Author
Posts: 353
Joined: Sun May 26, 2019 2:08 pm

Re: split DNS setup problem

Sun May 29, 2022 6:28 pm

It cannot be a routing problem, because a direct DNS request succeeds. It also precludes any firewall config error.
[gandalf@router.lacinet] > :put [/resolve borika-pc.kavicsnet server=192.168.18.254]
192.168.18.199
[gandalf@router.lacinet] > :put [/resolve borika-pc.kavicsnet]
failure: dns name does not exist
There are many similar sites connected, and only this one is not working as it should
[gandalf@router.lacinet] /ip/dns/static> /ip/dns/static/print detail where type=FWD
Flags: D - dynamic; X - disabled
 4    regexp=".*\.visznet" type=FWD forward-to=192.168.5.254 ttl=1d

 5    ;;; visznet
      regexp=".*\.5\.168\.192.\in-addr\.arpa" type=FWD forward-to=192.168.5.254 ttl=1d

 6    regexp=".*\.kavicsnet" type=FWD forward-to=192.168.18.254 ttl=1d

 7    ;;; kavicsbanya-base
      regexp=".*\.18\.168\.192.\in-addr\.arpa" type=FWD forward-to=192.168.18.254 ttl=1d

 8    regexp=".*\.sznet" type=FWD forward-to=192.168.13.254 ttl=1d

 9    ;;; sznet-base
      regexp=".*\.13\.168\.192.\in-addr\.arpa" type=FWD forward-to=192.168.13.254 ttl=1d

10    regexp=".*\.eger.magnet" type=FWD forward-to=192.168.19.254 ttl=1d

11    ;;; base-eger.magnet
      regexp=".*\.19\.168\.192.\in-addr\.arpa" type=FWD forward-to=192.168.19.254 ttl=1d

12    ;;; vlan-eger.magnet
      regexp=".*\.19\.10.\in-addr\.arpa" type=FWD forward-to=192.168.19.254 ttl=1d

40    regexp=".*\.miskolc.magnet" type=FWD forward-to=192.168.20.254 ttl=1d

41    ;;; base-miskolc.magnet
      regexp=".*\.20\.168\.192.\in-addr\.arpa" type=FWD forward-to=192.168.20.254 ttl=1d

42    ;;; vlan-miskolc.magnet
      regexp=".*\.20\.10.\in-addr\.arpa" type=FWD forward-to=192.168.20.254 ttl=1d
I can send the whole config but it is quite long.
 
nagylzs
Member
Topic Author
Posts: 353
Joined: Sun May 26, 2019 2:08 pm

Re: split DNS setup problem

Sun May 29, 2022 6:30 pm

The MAC address message comes from ping, and not resolve.
[gandalf@router.lacinet] /ip/dns/static> /ping borika-pc.kavicsnet
invalid value for argument address:
    invalid value of mac-address, mac address required
    invalid value for argument ipv6-address
    while resolving ip-address: name does not exist
[gandalf@router.lacinet] /ip/dns/static> :put [/resolve borika-pc.kavicsnet]
failure: dns name does not exist
[gandalf@router.lacinet] /ip/dns/static>
 
mkx
Forum Guru
Posts: 11440
Joined: Thu Mar 03, 2016 10:23 pm

Re: split DNS setup problem

Sun May 29, 2022 7:00 pm

Does resolving of borika-pc.kavicsnet work for clients, connected to problematic router's LAN segment? With router set as DNS server? If yes, what does wireshark trace show, who does recursive queries, client or ROS DNS server?
Is it possible that local router received negative answer from forwarding server for this particular host name and is using cached negative answer which didn't expire yet (could be it's using forwarder record TTL for that)?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: split DNS setup problem

Sun May 29, 2022 7:24 pm

Try if this gives you some useful info:
/system logging add topics=dns
 
nagylzs
Member
Topic Author
Posts: 353
Joined: Sun May 26, 2019 2:08 pm

Re: split DNS setup problem

Mon May 30, 2022 9:38 am

> Does resolving of borika-pc.kavicsnet work for clients, connected to problematic router's LAN segment? With router set as DNS server? If yes, what does wireshark trace show, who does recursive queries, client or ROS DNS server?
It does not work. Example:
╭─gandalf@laci-desktop nkp-dbeger-laci ~  
╰─$ host borika-pc.kavicsnet 192.168.14.254                                                                                             1 ↵
Using domain server:
Name: 192.168.14.254
Address: 192.168.14.254#53
Aliases: 

Host borika-pc.kavicsnet not found: 3(NXDOMAIN)
╭─gandalf@laci-desktop nkp-dbeger-laci ~  
╰─$ host borika-pc.kavicsnet 192.168.18.254                                                                                             1 ↵
Using domain server:
Name: 192.168.18.254
Address: 192.168.18.254#53
Aliases: 

borika-pc.kavicsnet has address 192.168.18.199
> Is it possible that local router received negative answer from forwarding server for this particular host name and is using cached negative answer which didn't expire yet (could be it's using forwarder record TTL for that)?
I think it is not possible, because the 192.168.18.254 router has borika-pc.kavicsnet added as a static DNS entry. Just to make sure, I have changed the ttl of all FWD records to 1 minute, but it has no effect.
 
nagylzs
Member
Topic Author
Posts: 353
Joined: Sun May 26, 2019 2:08 pm

Re: split DNS setup problem

Mon May 30, 2022 9:44 am

> Try if this gives you some useful info:
> /system logging add topics=dns
Looks like it does not even try to forward the question:
08:38:59 dns,packet question: borika-pc.kavicsnet.:A:IN 
08:38:59 dns query from 10.14.10.105: #51485 borika-pc.kavicsnet. A 
08:38:59 dns done query: #51485 dns name does not exist 
08:38:59 dns,packet --- sending reply to 10.14.10.105:47309: 
08:38:59 dns,packet id:103b rd:1 tc:0 aa:0 qr:1 ra:1 QUERY 'name error' 
08:38:59 dns,packet question: borika-pc.kavicsnet.:A:IN 
08:39:00 dns,packet --- got query from 192.168.14.100:1742: 
08:39:00 dns,packet id:f76e rd:1 tc:0 aa:0 qr:0 ra:0 QUERY 'no error' 
08:39:00 dns,packet question: borika-pc.kavicsnet.:A:IN 
08:39:00 dns query from 192.168.14.100: #51486 borika-pc.kavicsnet. A 
08:39:00 dns done query: #51486 dns name does not exist 
08:39:00 dns,packet --- sending reply to 192.168.14.100:1742: 
08:39:00 dns,packet id:f76e rd:1 tc:0 aa:0 qr:1 ra:1 QUERY 'name error' 
08:39:00 dns,packet question: borika-pc.kavicsnet.:A:IN 
Whereas query for another network is forwarded to the forwarder:
08:41:22 dns,packet question: dbserver.visznet.:MX:IN 
08:41:22 dns query from 192.168.14.100: #51646 dbserver.visznet. MX 
08:41:22 dns,packet --- sending udp query to 192.168.5.254:53: 
08:41:22 dns,packet id:b807 rd:1 tc:0 aa:0 qr:0 ra:0 QUERY 'no error' 
08:41:22 dns,packet question: dbserver.visznet.:MX:IN 
08:41:23 dns,packet --- got answer from 192.168.5.254:53: 
08:41:23 dns,packet id:b807 rd:1 tc:0 aa:0 qr:1 ra:1 QUERY 'no error' 
08:41:23 dns,packet question: dbserver.visznet.:MX:IN 
08:41:23 dns done query: #51646 dns name exists, but no appropriate record 
08:41:23 dns,packet --- sending reply to 192.168.14.100:4263: 
08:41:23 dns,packet id:28ca rd:1 tc:0 aa:0 qr:1 ra:1 QUERY 'no error' 
08:41:23 dns,packet question: dbserver.visznet.:MX:IN 
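Added example (not from the thread and not RouterOS code): a small Python script that correlates the `topics=dns` log lines above by query id and reports which queries ended in "dns name does not exist" without ever being sent to a forwarder, which is the pattern nagylzs picked out by eye. The sample lines are the ones posted above; attributing a "sending udp query" line to the most recently opened query is a heuristic of this script, since that log line carries no query id.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Log lines as posted in the thread (RouterOS "/system logging add topics=dns").
SAMPLE_LOG = """\
08:38:59 dns,packet question: borika-pc.kavicsnet.:A:IN
08:38:59 dns query from 10.14.10.105: #51485 borika-pc.kavicsnet. A
08:38:59 dns done query: #51485 dns name does not exist
08:38:59 dns,packet --- sending reply to 10.14.10.105:47309:
08:38:59 dns,packet id:103b rd:1 tc:0 aa:0 qr:1 ra:1 QUERY 'name error'
08:39:00 dns,packet --- got query from 192.168.14.100:1742:
08:39:00 dns query from 192.168.14.100: #51486 borika-pc.kavicsnet. A
08:39:00 dns done query: #51486 dns name does not exist
08:41:22 dns query from 192.168.14.100: #51646 dbserver.visznet. MX
08:41:22 dns,packet --- sending udp query to 192.168.5.254:53:
08:41:22 dns,packet id:b807 rd:1 tc:0 aa:0 qr:0 ra:0 QUERY 'no error'
08:41:23 dns,packet --- got answer from 192.168.5.254:53:
08:41:23 dns done query: #51646 dns name exists, but no appropriate record
"""

# "<time> dns query from <client>: #<id> <name> <type>"
QUERY_RE = re.compile(r"^\S+ dns query from (\S+): #(\d+) (\S+) (\S+)$")
# "<time> dns,packet --- sending udp query to <forwarder>:<port>:"
FORWARD_RE = re.compile(r"^\S+ dns,packet --- sending udp query to (\S+):$")
# "<time> dns done query: #<id> <result text>"
DONE_RE = re.compile(r"^\S+ dns done query: #(\d+) (.+)$")


@dataclass
class Query:
    qid: str
    client: str
    name: str
    qtype: str
    forwarded_to: Optional[str] = None   # "ip:port" of the forwarder, if any
    result: Optional[str] = None         # text after "dns done query: #id"


def analyze(log_text: str) -> List[Query]:
    """Correlate query / forward / done lines into one record per query id."""
    queries: Dict[str, Query] = {}
    pending: List[str] = []   # ids of queries opened but not yet answered
    for raw in log_text.splitlines():
        line = raw.strip()
        m = QUERY_RE.match(line)
        if m:
            client, qid, name, qtype = m.groups()
            queries[qid] = Query(qid, client, name, qtype)
            pending.append(qid)
            continue
        m = FORWARD_RE.match(line)
        if m and pending:
            # Heuristic: the forward line names no query id, so attribute it
            # to the most recently opened unanswered query.
            queries[pending[-1]].forwarded_to = m.group(1)
            continue
        m = DONE_RE.match(line)
        if m:
            qid, result = m.groups()
            if qid in queries:
                queries[qid].result = result.strip()
                if qid in pending:
                    pending.remove(qid)
    return list(queries.values())


def negative_without_forwarding(queries: List[Query]) -> List[str]:
    """Names answered NXDOMAIN locally, i.e. never sent to a forwarder.
    On a router whose only knowledge of the zone is a FWD record, this
    points at a cached negative answer or a non-matching regexp."""
    return sorted({q.name for q in queries
                   if q.forwarded_to is None
                   and q.result == "dns name does not exist"})


if __name__ == "__main__":
    records = analyze(SAMPLE_LOG)
    for q in records:
        print(f"#{q.qid} {q.name} {q.qtype}: forwarded_to={q.forwarded_to} result={q.result!r}")
    print("answered NXDOMAIN without forwarding:", negative_without_forwarding(records))
```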
 
tamagochi
just joined
Posts: 13
Joined: Tue Sep 18, 2018 4:38 pm

Re: split DNS setup problem

Mon May 30, 2022 10:51 am

I think when I switched from ros6 to ros7, the forward DNS didn't work for me.
Try editing the FWD regex, appending "\.?$" to match the ending dot in the query, like this:
regexp=".*\.visznet\.?$" type=FWD forward-to=192.168.5.254 ttl=1d
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: split DNS setup problem

Mon May 30, 2022 2:06 pm

I get "dns name does not exist" logged when there's already cached negative answer. So it could be that there was query for that before you added FWD record, that got cached, and you need to either wait until it times out or flush cache.
 
nagylzs
Member
Topic Author
Posts: 353
Joined: Sun May 26, 2019 2:08 pm

Re: split DNS setup problem

Tue May 31, 2022 4:25 pm

> I get "dns name does not exist" logged when there's already cached negative answer. So it could be that there was query for that before you added FWD record, that got cached, and you need to either wait until it times out or flush cache.
It is possible. One and a half days passed, and right now it is working:
╭─gandalf@laci-vivobook-linux.lacinet okt-dbrep-laci ~  
╰─$ host borika-pc.kavicsnet
borika-pc.kavicsnet has address 192.168.18.199
╭─gandalf@laci-vivobook-linux.lacinet okt-dbrep-laci ~  
╰─$ host borika-pc.kavicsnet.
borika-pc.kavicsnet has address 192.168.18.199
╭─gandalf@laci-vivobook-linux.lacinet okt-dbrep-laci ~  
╰─$ 
For me, it seems to be working with or without an ending dot. This was always that way, even though the regexp does not match names with an ending dot:
add forward-to=192.168.5.254 regexp=".*\\.visznet" ttl=1m type=FWD
If that was the real problem, then there is a conclusion for me - I'll never leave the default ttl for FWD records, because it makes DNS fragile. An intermittent connection error to the forwarder might make a whole subdomain unavailable. It is not probable, but it is possible and can cause lots of problems.

Thank you!
 
mkx
Forum Guru
Posts: 11440
Joined: Thu Mar 03, 2016 10:23 pm

Re: split DNS setup problem

Tue May 31, 2022 5:50 pm

If you're using your DNS system only for a few (tens?) devices, then amount of DNS requests won't be huge and you can safely use TTLs with length in order of a few minutes. Number of DNS queries still won't DDoS your DNS servers.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: split DNS setup problem

Tue May 31, 2022 6:53 pm

AFAIK the ending dot is local thing, it doesn't go into DNS packets. If you want to make sure that regexp matches only TLD and not something in the middle of hostname, end it with $.

And I don't think that FWD record's TTL should affect anything. It's not real record, only instruction for resolver what server to use. It has TTL probably only because they added it as fake record and all other real records have TTL.
 
tamagochi
just joined
Posts: 13
Joined: Tue Sep 18, 2018 4:38 pm

Re: split DNS setup problem

Tue May 31, 2022 9:51 pm

> AFAIK the ending dot is local thing, it doesn't go into DNS packets. If you want to make sure that regexp matches only TLD and not something in the middle of hostname, end it with $.
>
> And I don't think that FWD record's TTL should affect anything. It's not real record, only instruction for resolver what server to use. It has TTL probably only because they added it as fake record and all other real records have TTL.
Thanks to nagylzs and Sob for resolving my trailing dot problem.

The FWD record TTL equals the TTL of the successfully resolved, cached DNS name and begins counting down.
You can override this with Cache Max TTL when that value is lower than the FWD record TTL.
A DNS resolve request is not forwarded while the name record is cached; it is served from the cache until the record expires.
 
nagylzs
Member
Topic Author
Posts: 353
Joined: Sun May 26, 2019 2:08 pm

Re: split DNS setup problem

Wed Jun 01, 2022 8:38 am

> AFAIK the ending dot is local thing, it doesn't go into DNS packets. If you want to make sure that regexp matches only TLD and not something in the middle of hostname, end it with $.
>
> And I don't think that FWD record's TTL should affect anything. It's not real record, only instruction for resolver what server to use. It has TTL probably only because they added it as fake record and all other real records have TTL.
I thought the same. However, the problems went away only after setting ttl=1m on the FWD records, and then waiting one day. I suspect that when a forwarder fails, then the failure is cached with the ttl of the forwarder. E.g. if the FWD record has ttl=1d and the forwarder is not available at the moment, then the NXDOMAIN is cached for a whole day. It is not documented anywhere (or at least I could not find it), but it seems to be working that way.
 
nagylzs
Member
Topic Author
Posts: 353
Joined: Sun May 26, 2019 2:08 pm

Re: split DNS setup problem

Wed Jun 01, 2022 8:42 am

> The FWD record TTL equals the TTL of the successfully resolved, cached DNS name and begins counting down.
If the forwarder resolves the name, then it returns the address and its own TTL. E.g. it should not be equal to the TTL of the FWD record, because it has its own TTL. If the forwarder is not available, then NXDOMAIN is cached, and its TTL will be equal to the ttl of the FWD record. This is my experience - I cannot check this, because NXDOMAIN cache entries are not listed under /ip/dns/cache. Can somebody please confirm this?
 
tamagochi
just joined
Posts: 13
Joined: Tue Sep 18, 2018 4:38 pm

Re: split DNS setup problem

Wed Jun 01, 2022 8:31 pm

> If the forwarder resolves the name, then it returns the address and its own TTL. E.g. it should not be equal to the TTL of the FWD record, because it has its own TTL.
My domain is forwarded to a bind9 nameserver.
$TTL 86400
@       IN SOA  ns0 hostmaster (
        202201269  ; serial
        604800     ; refresh (1 week)
        86400      ; retry (1 day)
        2419200    ; expire (4 weeks)
        300        ; minimum - Negative Cache TTL (5min)
        )
It's correct: not the FWD TTL but the response TTL will be equal to the cached value. I think the MikroTik DNS server sends the response along with the name record TTL.

When I stopped bind9 and resolved a domain name in the terminal, I got the error message:
failure: dns server failure
and the MikroTik DNS cache did not change.
When DNS is working (bind9 is running) and I try to resolve an FQDN which does not exist in the domain, bind9 sends NXDOMAIN with the negative cache TTL, i.e. 5 minutes.
This is cached by the MikroTik DNS cache.
To list NXDOMAIN type entries, try in the terminal:
/ip/dns/cache/all print where negative
Sometimes this one helps:
/ip/dns/cache/ flush
Sob wrote:
> And I don't think that FWD record's TTL should affect anything. It's not real record, only instruction for resolver what server to use. It has TTL probably only because they added it as fake record and all other real records have TTL.
 
nagylzs
Member
Topic Author
Posts: 353
Joined: Sun May 26, 2019 2:08 pm

Re: split DNS setup problem

Thu Jun 02, 2022 11:16 am

Today it went wrong again, but with a different hostname.

I followed your advice and I found the host in the negative cache:
[gandalf@router.lacinet] /ip/dns> /ip/dns/cache/all print where negative
Flags: N - NEGATIVE
Columns: NAME, TTL
#   NAME                        TTL
0 N _LDAP._TCP                  8h8m17s
1 N channel.status.request.url  10h44m51s
2 N local                       11h39m53s
3 N mw40.home                   21h33m30s
4 N stun.ideasip.com            11m8s
5 N PENZTAR-PC.VISZNET          23h16m39s
6 N wpad.lacinet                23h59m11s
7 N stands-app.lacinet          23h59m11s
The problematic one is penztar-pc.visznet.

I don't understand why it has a 23h16m TTL. That record has ttl=1m on the authoritative server:
[gandalf@viszfuvar.visznet] /ip/dns/static> print detail where name~"penztar.*"
Flags: D - dynamic; X - disabled
23    ;;; #DHCP
      name="penztar-pc.visznet." address=192.168.5.176 ttl=1m
And the FWD record also has 1m ttl:

[gandalf@router.lacinet] /ip/dns/static> print detail where regexp~".visznet"
Flags: D - dynamic; X - disabled
 4    regexp=".*\.visznet" type=FWD forward-to=192.168.5.254 ttl=1m
Where is this 23h coming from??? (I guess its initial value was 1d, because I first experienced the problem about an hour ago.)
 
mkx
Forum Guru
Posts: 11440
Joined: Thu Mar 03, 2016 10:23 pm

Re: split DNS setup problem

Thu Jun 02, 2022 11:32 am

The problem seems to be old: viewtopic.php?t=36017

So what is setting of cache-max-ttl on your router (it's in /ip dhcp section)? You may want to set it to some short interval, but beware it also affects TTL of positive replies which may have longer TTL set by their authoritative DNS servers.
 
nagylzs
Member
Topic Author
Posts: 353
Joined: Sun May 26, 2019 2:08 pm

Re: split DNS setup problem

Thu Jun 02, 2022 5:29 pm

> The problem seems to be old: viewtopic.php?t=36017
>
> So what is setting of cache-max-ttl on your router (it's in /ip dhcp section)? You may want to set it to some short interval, but beware it also affects TTL of positive replies which may have longer TTL set by their authoritative DNS servers.
This is very interesting. The cache-max-ttl option has a value of 1w on my router. It is not clear how it is related to the one-day negative cache time. Probably there is no correlation.
The official documentation at https://wiki.mikrotik.com/wiki/Manual:IP/DNS says this about /ip/dns cache-max-ttl

> Maximum time-to-live for cache records. In other words, cache records will expire unconditionally after cache-max-ttl time. Shorter TTL received from DNS servers are respected.

It seems to be (almost) unrelated to my problem.
I just did a quick experiment: I set up a non-existent domain with an unreachable DNS server as a forwarder, and tested the TTL of the negative cache.
[gandalf@router.lacinet] /ip/dns/static
[gandalf@router.lacinet] /ip/dns/static> add  forward-to=123.123.123.123 regexp=".*\\.testnet"  ttl=1m type=FWD
[gandalf@router.lacinet] /ip/dns/static> :put [/resolve test.testnet]
failure: dns server failure
[gandalf@router.lacinet] /ip/dns/static> /ip/dns/cache/
[gandalf@router.lacinet] /ip/dns/cache> print detail where name=test.testnet
Flags: S - static 
[gandalf@router.lacinet]
Okay, so if the forwarder is not available, then routeros does not add a negative cache record.

That problematic name "penztar-pc.visznet" was added to /ip/static/dns on the remote site via dhcp. It is true, that its ttl was 1m. But possibly I sent a query to that router BEFORE that name was registered by the dhcp server on the remote side. The remote routeros DNS server might have replied with NXDOMAIN and ttl=1d. And this could have caused the NXDOMAIN negative record to be put into my local router's cache.

I'm not 100% sure that this happened, but it is probable.

Now, here comes the question: how can I change the negative ttl for the DNS server in routeros? I see that there is a cache-max-ttl, but I do not see anything about negative caches.
Last edited by nagylzs on Thu Jun 02, 2022 5:33 pm, edited 2 times in total.
 
nagylzs
Member
Topic Author
Posts: 353
Joined: Sun May 26, 2019 2:08 pm

Re: split DNS setup problem

Thu Jun 02, 2022 5:32 pm

A workaround could be a script that changes ttl values for negative cache items from >1m to 1m. I can schedule this script, and this will solve the problem (and does not affect any other cache records).

But it would be much better to have a negative-ttl option under /ip/dns
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: split DNS setup problem

Thu Jun 02, 2022 6:12 pm

I advise you to set the MAX TTL in the router not higher than 01:00:00 and when you are serving a lot of systems maybe 00:30:00 or even 00:10:00.
That way you avoid the problems that wrong data is cached for a long time, not only for negative but also for positive results.
You will not be able to notice the performance difference, especially when you use a high-performance upstream resolver like those with 4 times the same digit in the address (and of course your local servers).
 
tamagochi
just joined
Posts: 13
Joined: Tue Sep 18, 2018 4:38 pm

Re: split DNS setup problem

Thu Jun 02, 2022 7:28 pm

It turned out to me that your negatively cached record "PENZTAR-PC.VISZNET" was capitalized all the way through.
I had a problem with the uppercase domain components.
I don't think the regexp matches, because I didn't see forwarded resolve requests arriving at my bind9 DNS server.
Try:
regexp=".*\.(visznet|VISZNET)" type=FWD forward-to=192.168.5.254 ttl=1m
You may also have a failed DNS lookup from Windows to append the DNS suffix for the connection again, like "PENZTAR-PC.VISZNET.visznet".
If the regular expression is working and the name records resolve successfully, it is no longer important.
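Added example (not from the thread and not RouterOS code): a Python checker for FWD regexps that applies Sob's point about anchoring with `$` and tamagochi's upper-case observation to a constructed set of query names, and lists which names would change forwarder when the rules are tightened. It models the match as an unanchored, case-sensitive regex search over the QNAME with the trailing dot stripped; whether RouterOS itself matches case-insensitively is an assumption the thread does not settle, which is why both rule sets are compared rather than one declared correct.

```python
import re
from typing import Dict, List, Optional, Tuple

Rule = Tuple[str, str]  # (regexp, forward-to)

# FWD rules as printed in the thread (constructed list, same patterns).
THREAD_RULES: List[Rule] = [
    (r".*\.visznet", "192.168.5.254"),
    (r".*\.kavicsnet", "192.168.18.254"),
    (r".*\.sznet", "192.168.13.254"),
]

# The same rules anchored with "$" (Sob) and accepting any letter case
# (tamagochi's (visznet|VISZNET) alternation, written as an inline flag here).
HARDENED_RULES: List[Rule] = [
    (r"(?i).*\.visznet$", "192.168.5.254"),
    (r"(?i).*\.kavicsnet$", "192.168.18.254"),
    (r"(?i).*\.sznet$", "192.168.13.254"),
]

# Constructed query names a resolver on this network could realistically see.
PROBES: List[str] = [
    "borika-pc.kavicsnet.",        # trailing dot typed by a client
    "PENZTAR-PC.VISZNET",          # upper-cased, as it appeared in the negative cache
    "PENZTAR-PC.VISZNET.visznet",  # Windows re-appending the connection suffix
    "pc.visznet.example",          # zone name in the middle, not our zone at all
    "sanyi-pc.visznet",
]


def wire_name(name: str) -> str:
    """The trailing dot is a client-side convention; it is not in the QNAME."""
    return name[:-1] if name.endswith(".") else name


def match_forwarder(name: str, rules: List[Rule]) -> Optional[str]:
    """forward-to of the first rule whose regexp matches the wire name,
    or None (the router then answers from its own records/cache)."""
    qname = wire_name(name)
    for pattern, forward_to in rules:
        if re.search(pattern, qname):
            return forward_to
    return None


def route_table(rules: List[Rule], probes: List[str] = PROBES) -> Dict[str, Optional[str]]:
    """Forwarder chosen for every probe name under the given rules."""
    return {p: match_forwarder(p, rules) for p in probes}


def diff_rulesets(old: List[Rule], new: List[Rule],
                  probes: List[str] = PROBES) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Probe names that would be routed differently after changing the rules."""
    before, after = route_table(old, probes), route_table(new, probes)
    return {p: (before[p], after[p]) for p in probes if before[p] != after[p]}


if __name__ == "__main__":
    for name, (old_fwd, new_fwd) in diff_rulesets(THREAD_RULES, HARDENED_RULES).items():
        print(f"{name:30} {old_fwd!s:16} -> {new_fwd}")
```

With the thread's rules the upper-cased name hits no forwarder and the unrelated "pc.visznet.example" is wrongly sent to 192.168.5.254; the anchored, case-insensitive rules invert both outcomes.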
 
nagylzs
Member
Topic Author
Posts: 353
Joined: Sun May 26, 2019 2:08 pm

Re: split DNS setup problem

Sun Jun 05, 2022 10:57 am

> I advise you to set the MAX TTL in the router not higher than 01:00:00 and when you are serving a lot of systems maybe 00:30:00 or even 00:10:00.
> That way you avoid the problems that wrong data is cached for a long time, not only for negative but also for positive results.
> You will not be able to notice the performance difference, especially when you use a high-performance upstream resolver like those with 4 times the same digit in the address (and of course your local servers).
I set it to five minutes, but today I faced this problem again. After running "/ip/dns/cache flush" manually, the problem magically went away. Experience shows that setting it to 5 minutes (or probably even less) won't solve this problem.

These sites are connected with wireguard. Even though I set persistent-keepalive to 25sec, my experience is that the first few packets are dropped (for whatever reason) when I try to communicate through the tunnel after a longer time of inactivity. The first packets are DNS requests in most cases. They go into the negative cache, and then I s**ck again. :-(

I'm running out of ideas. I could run a dns cache flush in every minute from a scheduled script but it would even be better to just disable the cache completely.
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: split DNS setup problem

Sun Jun 05, 2022 12:26 pm

> I set it to five minutes, but today I faced this problem again.
What problem did you face again? The problem that a negative cache entry was valid for 24h? While you set your max time to 5 minutes?
 
nagylzs
Member
Topic Author
Posts: 353
Joined: Sun May 26, 2019 2:08 pm

Re: split DNS setup problem

Mon Jun 06, 2022 10:34 pm

> I set it to five minutes, but today I faced this problem again.
>
> What problem did you face again? The problem that a negative cache entry was valid for 24h? While you set your max time to 5 minutes?

Yes. When I first tried to resolve borika-pc.kavicsnet then it returned with "not found". Then I went into /ip/dns/cache and tried to `print where negative` or `print where name~".*kavicsnet"` but nothing was there. But then I ran "/ip/dns/cache/flush" and borika-pc.kavicsnet could be resolved again. In other words, I could not find an entry for the .kavicsnet domain in the cache, but routeros returned "not found" anyway, until I flushed the cache. (The max ttl setting was set to 5 minutes on all routers, days ago.)
 
nagylzs
Member
Topic Author
Posts: 353
Joined: Sun May 26, 2019 2:08 pm

Re: split DNS setup problem

Wed Jun 08, 2022 3:17 pm

I could also install a Raspberry Pi with dnsmasq, if nothing else helps. But I would hate to do this: routeros already has a DNS server built in.
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: split DNS setup problem

Wed Jun 08, 2022 3:46 pm

In general you need to understand that every DNS server needs to have the same view of the namespace, or else these problems will always occur.
You have some FWD record which should avoid this, but I cannot grasp your entire network config to guarantee that it works OK everywhere.

When a DNS resolver gets a question, e.g. for name.domain, it asks a DNS server and when it gets a "no such name" response, that is where the story ends.
There is no "but I have another DNS server in my config, let's ask it there!" in any resolver.
So when you have DNS servers that have an incomplete picture of the situation, e.g. because you have created your own domain and loaded it into some local server, there will be problems.

A good way to avoid such problems is not to invent your own local domain like .visznet but instead register an official domain like .visznet.hu (or whatever TLD) and use that.
It will be known by all outside DNS resolvers and it will always work.
This is the way to the future anyway, because more and more it will become difficult or impossible to force all your client devices to use your own DNS resolver.
 
nagylzs
Member
Topic Author
Posts: 353
Joined: Sun May 26, 2019 2:08 pm

Re: split DNS setup problem

Thu Jun 09, 2022 8:52 am

> A good way to avoid such problems is not to invent your own local domain like .visznet but instead register an official domain like .visznet.hu (or whatever TLD) and use that.
> It will be known by all outside DNS resolvers and it will always work.
> This is the way to the future anyway, because more and more it will become difficult or impossible to force all your client devices to use your own DNS resolver.
I was considering this option too. For this, I would need to write a script that registers DHCP clients with an external DNS server (I don't know the names of all computers that will be connected.) There are some drawbacks. First, if the internet connection is down for a site, then they won't be able to do things like printing a document or accessing files on a local samba share, because there will be no DNS. The second problem might be that anyone else will be able to get addresses of internal computers with a dictionary attack.

But I think you are right. I'll put them under a proper domain, because it has far more advantages. I just have to be very careful about setting lease times (or even fixed addresses) for local services, and let them use their local services when the internet connection is down.

Thank you!
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: split DNS setup problem

Thu Jun 09, 2022 9:10 am

> There are some drawbacks. First, if the internet connection is down for a site, then they won't be able to do things like printing a document or accessing files on a local samba share, because there will be no DNS.
None of those things require functional DNS, unless you like to overcomplicate things for no reason.
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: split DNS setup problem

Thu Jun 09, 2022 10:53 am

> I was considering this option too. For this, I would need to write a script that registers DHCP clients with an external DNS server (I don't know the names of all computers that will be connected.) There are some drawbacks. First, if the internet connection is down for a site, then they won't be able to do things like printing a document or accessing files on a local samba share, because there will be no DNS. The second problem might be that anyone else will be able to get addresses of internal computers with a dictionary attack.
Well, it does not have to be that bad.
First, you can make a subdomain of your toplevel domain for your DHCP clients. Something like pc.visznet.hu. In the toplevel domain you put NS records with your local server addresses, where you update the DNS from DHCP. That means the *.pc.visznet.hu names will not be resolvable for people on the internet.
You can also setup a local secondary DNS server that does zone transfer of your internet domain to your local DNS server, so you have access to it when internet is down.

DNS service can be split in many interesting ways, but when you want a system that does not break randomly or will become unusable in the future, you really need to make sure the names are available everywhere.
(I know it, I setup a similar domain back in 1999 in our company and I have had to use several tricks to gradually get rid of it and go to an officially registered domain, because of the many places where .ourdomain was used in configuration, intranet URLs, etc etc. the sooner you start the better!)
 
mkx
Forum Guru
Posts: 11440
Joined: Thu Mar 03, 2016 10:23 pm

Re: split DNS setup problem

Thu Jun 09, 2022 2:59 pm

So essentially we're down to the second paragraph of my post #2 above ...

(it seems I was wrong in paragraph #1 ... because I take paragraph #2 seriously :wink:)
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: split DNS setup problem

Thu Jun 09, 2022 4:26 pm

I agree with you that the DNS resolver in RouterOS is a piece of junk and its use should be avoided as much as possible.
But then again even a good DNS resolver/server cannot cope with the situation that a domain is known to one next-level server and unknown to another.
Even when you set multiple DNS servers, there is no "priority" in that, they are just used round-robin. And that is what it should be. So having inside and outside DNS servers that return different statuses is always going to cause problems.

We can only hope for the quick return of the containers feature in v7 so you can install a decent DNS resolver/server in a container, when you need one.
 
nagylzs
Member
Topic Author
Posts: 353
Joined: Sun May 26, 2019 2:08 pm

Re: split DNS setup problem

Thu Jun 09, 2022 4:27 pm

There are some drawbacks. First, if the internet connection is down for a site, then they won't be able to do things like printing a document or accessing files on a local samba share, because there will be no DNS.
None of those things require functional DNS, unless you like to overcomplicate things for no reason.
Samba share volumes are mounted ("mapped") with their UNC paths. The host name is part of that UNC path, and it should be resolved with a DNS service. There is a backup server that should be promoted when the primary fails. There are other similar services on some of my installation sites that require valid DNS names, because they have failovers. I implemented these using DNS records, maybe that was a bad approach. But it is out of scope in this topic.
 
nagylzs
Member
Topic Author
Posts: 353
Joined: Sun May 26, 2019 2:08 pm

Re: split DNS setup problem

Thu Jun 09, 2022 4:28 pm

I agree with you that the DNS resolver in RouterOS is a piece of junk and its use should be avoided as much as possible.
But then again even a good DNS resolver/server cannot cope with the situation that a domain is known to one next-level server and unknown to another.
Even when you set multiple DNS servers, there is no "priority" in that, they are just used round-robin. And that is what it should be. So having inside and outside DNS servers that return different statuses is always going to cause problems.

We can only hope for the quick return of the containers feature in v7 so you can install a decent DNS resolver/server in a container, when you need one.
Yes, you are right. I'm going to buy and install a dedicated pihole server on these bigger sites, and also convert all names into official FQDNs. :-)
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: split DNS setup problem

Thu Jun 09, 2022 5:36 pm

But some *.internal.<myrealdomain> still doesn't solve everything, does it? If there's delegation of internal subdomain from <myrealdomain> public nameservers, and it points to some internal nameservers, then I still have to force all internal clients to use internal resolvers that know to ask internal nameservers. But forcing clients to use my resolvers can be problematic (DoH, ...). I could, assuming that I don't see internal addresses being known publicly as problem, simply keep <anything>.internal.<myrealdomain> on public nameservers. Except some resolvers will filter private IP addresses, so internal hostnames won't be resolvable by them.
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: split DNS setup problem

Thu Jun 09, 2022 5:43 pm

Yes, but when a server is not reachable because it is not routed from the network, the resolver will try the next one and accept its answer.
When it can reach a server that doesn't know about the domain, the negative answer is immediately passed back (and cached) without trying other servers.
That is the main difference.
Of course with the MikroTik resolver you still cannot have DNS servers over DoH and on directly reachable networks (for FWD) at the same time, but that is only because it is such a pile of sh*t. A reasonably designed resolver could do that without problem.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: split DNS setup problem

Thu Jun 09, 2022 6:05 pm

Right, not "poisoning" the cache with NXDOMAIN is an improvement. Still, I was hoping that I just missed something that would give me some completely flawless solution. Can't have everything, I guess.

And MikroTik's resolver, I don't understand it. They started with improvements, but made some weird choices, and then just stopped. But this thing is weird, I didn't find a way to reproduce it; if there's a FWD record, it asks that server and doesn't try elsewhere.
 
tamagochi
just joined
Posts: 13
Joined: Tue Sep 18, 2018 4:38 pm

Re: split DNS setup problem

Thu Jun 09, 2022 11:10 pm

I'm running out of ideas. I could run a DNS cache flush every minute from a scheduled script but it would even be better to just disable the cache completely.
The cache cannot be turned off, static entries are made in the cache itself.
The time of the negative cache TTL comes from the SOA record, and MikroTik hasn't got an SOA record.
Then I went into /ip/dns/cache ....
Just a typo? You need /ip/dns/cache/all because the negative cached TTL entries are not listed.

I have an idea...
From the "dhcptodns" script, do not delete the DNS record, when the resolved name is not available, only set the record TTL to zero, so it does not send NXDOMAIN status flag, but sends an error which is not cached on the resolver side.
I don't know if it helps: I took the max UDP packet size down to 1232 from 4096. You are connected through WireGuard, it can help because the tunnel packet size is smaller.
 
nagylzs
Member
Topic Author
Posts: 353
Joined: Sun May 26, 2019 2:08 pm

Re: split DNS setup problem

Sun Aug 28, 2022 9:51 am

Just a quick update on the topic. I have replaced my script with a version that registers the name into an authoritative DNS, and also the local cache, with ttl=1min. I have also changed it so when the lease times out, then the registration is not changed at all.

This way:

* When there is no internet connection, the names can still be resolved using the local cache. So for example, if the internet connection is down and a samba server is rebooted, then the FQDN of the server cannot be registered into the authoritative DNS server, but it will be registered in the local cache. As a result, local clients will be able to access it with its FQDN.
* When there is an internet connection, then everything is hunky dory, the FQDN can be used from any network, across different VPNs etc. and there is no need to use split DNS at all.

I'm not very good at MikroTik scripting, and I'm not very proud of my script. I'm 100% sure that anyone can write a better script, but just in case it might help.

The script below does the heavy work. It extracts the hostname from the DHCP request, converts it to lower case, and appends a subdomain and a zone. (My experience is that misconfigured Windows clients will send garbage in the domain part, and also they will be sending mixed lower and upper case characters.)

This script has no literal values burned in. It is general, and can be used for any domain or hostname.

# param: name - "example-hostname.misconfigured.domain.hu"; only "example-hostname" is used, registering "example-hostname.office.example.com"
# param: subdomain - "office" -> the real subdomain that will be used (the "office" from office.example.com)
# param: zone - "example.com" -> name of the zone to be updated (the "example.com" from "office.example.com")
# param: ip - 192.168.14.112 -> ip address of the host
# param: ttl - 60 -> ttl of the host
# param: keyName - "ddns-key.example.com" -> name of the ddns key for the zone
# param: key - "**hmac-md5***==" -> ddns key
# param: ns - "ns1.example.com" -> FQDN of the NS server to send the request to
:local lowerCaseUntilFirstDot do={
  # param: entry - host name as sent by the client; everything after the first dot is dropped
  :local lower "abcdefghijklmnopqrstuvwxyz";
  :local upper "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
  :local result "";
  :local ignorerest false;
  :for i from=0 to=([:len $entry] - 1) do={
    :local char [:pick $entry $i];
    :if ($char=".") do={ :set ignorerest true; };
    :if ( ! $ignorerest ) do={
      :local pos [:find $upper $char];
      # :find returns nil when the character is not an upper-case letter
      :if ([:typeof $pos] = "num") do={ :set char [:pick $lower $pos] };
      :set result ($result . $char);
    }
  }
  :return $result;
}
:local hostname [$lowerCaseUntilFirstDot entry=$name]
:local subhostname ($hostname . "." . $subdomain);
:local fullhostname ($subhostname . "." . $zone);
:put ("Processing " . $fullhostname . " with ns=" . $ns);
# First, we update the local DNS cache. This makes sure
# that the host is available with its FQDN even if the internet
# connection is down.
/ip/dns/static
remove [find where name=$fullhostname]
add name=$fullhostname address=$ip ttl=60 comment=DHCP
:local dnssrv [/resolve domain-name=$ns];
:put ("NS server $ns has address $dnssrv");
# see https://wiki.mikrotik.com/wiki/Manual:Scripting#Catch_run-time_errors
:local oldIP 0.0.0.0
:do {
  :set oldIP [/resolve server=$dnssrv domain-name=$fullhostname];
} on-error={
  :set oldIP 0.0.0.0;
  /log info message=("updateSubDomain: " . $fullhostname . " is a new host");
};
:put "oldIP = $oldIP";
:put "newIp = $ip";
:if ($ip != $oldIP) do={
  :local message ("updateSubDomain: changing IP address of $fullhostname from $oldIP to $ip, ttl=" . $ttl);
  :put $message;
  /log info message=$message;
  # for debugging
  #:local message ("/tool dns-update name=$subhostname address=$ip dns-server=$dnssrv zone=$zone key-name=$keyName key=$key ttl=$ttl;");
  #:put $message;
  /tool dns-update name=$subhostname address=$ip dns-server=$dnssrv zone=$zone key-name=$keyName key=$key ttl=$ttl;
} else={
  :local message ("updateSubDomain: IP address of $fullhostname unchanged ($oldIP)");
  :put $message;
  /log info message=$message;
}


The script below just pre-fills some parameters. This is just a wrapper that makes it easy to send updates that are tied to "the subdomain that is associated with my router".
#param name "example-hostname.bad.host.name"
#param ip 192.168.14.100
:local cmd [:parse [/system script get updateSubDomain source]]
$cmd name=$name subdomain="office" zone="example.com" ip=$ip ttl=60 keyName="ddns-key.example.com" key="GFGZacs6329N1GbSdOcnKQ==" ns="ns.example.com"
And finally, the on-lease script; it is also general.

:log info "#1"
# for parameters, see https://help.mikrotik.com/docs/display/ROS/DHCP#DHCP-Leases
#    and the lease-script property
:if ( [ :len $leaseActIP ] <= 0 ) do={ :error "empty lease address" }
:log info "#2 bound=$leaseBound ip=$leaseActIP"
:if ( $leaseBound = 1 ) do=\
{
  /ip/dhcp-server/lease
  :local leaseId [ find address=$leaseActIP ]
  :log info "#3 leaseId=$leaseId"
  # Check for multiple active leases for the same IP address. It's weird and it shouldn't be, but just in case.
  :if ( [ :len $leaseId ] != 1) do=\
  {
    :log info "onDhcpLease: not registering domain name for address $leaseActIP because of multiple active leases for $leaseActIP";
    :error "multiple active leases for $leaseActIP";
  }
  #:local hostname [ get $leaseId host-name ]
  :local hostname $"lease-hostname"
  :log info "#4 hostname=$hostname"
  :if ([:len $hostname]=0) do={
    :log info "onDhcpLease: not registering domain name for address $leaseActIP because client did not specify a host name";
  } else={
    :log info "onDhcpLease: registering domain name $hostname for address $leaseActIP";
    :local nsupdate [:parse [/system script get onUpdateMySubDomain source]]
    $nsupdate name=$hostname ip=$leaseActIP
  }
}
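One check that goes with the setup above, as an added example that is not part of the original post: since the local cache entry is written even when the authoritative update fails (internet down at registration time), the two can silently diverge. This scheduler script walks every static entry tagged comment=DHCP by the script above, resolves the same name directly at the authoritative server (using the same /resolve server= form as the post) and logs any mismatch; the name server FQDN and the "dns-audit" log prefix are placeholders.

```routeros
# Added audit script (not from the original post). Assumes the lease script
# tags its entries with comment=DHCP; $ns is a placeholder for the
# authoritative name server of the zone.
:local ns "ns.example.com"
:local nsaddr [/resolve domain-name=$ns]
:local entries [/ip/dns/static find where comment="DHCP"]
:local mismatches 0
:foreach id in=$entries do={
  :local fqdn [/ip/dns/static get $id name]
  :local cached [/ip/dns/static get $id address]
  :local remote "NXDOMAIN"
  # A failed lookup (name unknown upstream or server unreachable) raises a
  # run-time error; keep the "NXDOMAIN" marker instead of aborting the loop.
  :do {
    :set remote [/resolve server=$nsaddr domain-name=$fqdn]
  } on-error={ :set remote "NXDOMAIN" }
  # compare as strings so an ip value and the marker can be tested alike
  :if ("$remote" != "$cached") do={
    :set mismatches ($mismatches + 1)
    :log warning ("dns-audit: $fqdn local=$cached authoritative=$remote")
  }
}
:log info ("dns-audit: checked " . [:len $entries] . " entries, " . $mismatches . " mismatches")
```

A warning line for a host means the authoritative zone still carries an old address or none at all, so re-running the registration script for that host (or clearing the stale static entry) is what brings the two views back in line.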
