Teraflops
just joined
Topic Author
Posts: 3
Joined: Wed Jul 29, 2020 12:02 pm

Make DNS server to respond to specific IP addresses only and forward rest

Tue Jun 14, 2022 1:52 pm

Greetings,

Is there a way to make the built-in DNS server respond only to specific local IP address(es) and forward DNS requests from all other local IP addresses to another server?
I want the MikroTik DNS server to respond only to my two Raspberry Pi devices (because of conditional forwarding) and forward all other requests it receives to one of the Raspberry Pi devices.

Thanks in advance for your assistance! Greatly appreciated!
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Make DNS server to respond to specific IP addresses only and forward rest

Tue Jun 14, 2022 1:57 pm

It's easy: do not use the RouterBOARD IP as the DNS server on the DHCP server, but put the Raspberry IP in the DNS field under the DHCP network,
and manually set the RouterBOARD IP as DNS on the Raspberry device you want.
 
Teraflops
just joined
Topic Author
Posts: 3
Joined: Wed Jul 29, 2020 12:02 pm

Re: Make DNS server to respond to specific IP addresses only and forward rest

Tue Jun 14, 2022 3:24 pm

The DHCP server is already configured to hand out the Pi-hole as the default DNS server, so everything is OK with the clients' config.
But some clients get a domain resolved even if it was already present on the blacklist.

As I already noted, I have two Pi devices, both configured as DNS sinkholes (Pi-hole). The only difference is that one of them (primary) has conditional forwarding enabled and set up, so I can use hostnames instead of IP addresses to access devices/hosts present on my network.

Using an app (Ping Tools) to check DNS resolving, I found out that querying, for example, the googlesyndication.com domain returned the correct IP on the primary Pi-hole DNS server, but got blocked by the secondary one. Both Pi devices use the MikroTik DNS (which is configured to use DoH) as the upstream DNS server for their own needs (firmware/software updating, etc.).

To put it as short as possible: MikroTik DNS is used by the Pi devices only. All other devices are configured (by the DHCP server on the MikroTik) to use the Pi-holes as DNS servers.

I need a way to filter/drop all DNS requests to the MikroTik not originating from the Pi devices mentioned above... or route/forward them to one of the Pi-holes.

I believe there should be a way to configure the MikroTik to filter DNS requests.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Make DNS server to respond to specific IP addresses only and forward rest

Tue Jun 14, 2022 3:36 pm

Some devices have 8.8.8.8 and 8.8.4.4 built in;
drop all traffic directed to those two IPs and the device will use the DNS provided by the DHCP server.
 
kevinds
Long time Member
Posts: 637
Joined: Wed Jan 14, 2015 8:41 am

Re: Make DNS server to respond to specific IP addresses only and forward rest

Thu Jun 16, 2022 2:17 am

> The DHCP server is already configured to hand out the Pi-hole as the default DNS server, so everything is OK with the clients' config.
> But some clients get a domain resolved even if it was already present on the blacklist.
>
> To put it as short as possible: MikroTik DNS is used by the Pi devices only. All other devices are configured (by the DHCP server on the MikroTik) to use the Pi-holes as DNS servers.
>
> I need a way to filter/drop all DNS requests to the MikroTik not originating from the Pi devices mentioned above... or route/forward them to one of the Pi-holes.

I don't believe what you think is happening is actually happening... Confirm with Wireshark.

Unless the hosts have the MikroTik set up as a DNS server, they won't use it.

It is more likely the hosts are doing their own DNS lookups to a separate server, either programmed in or via DoH (DNS over HTTPS).

Firewalling port 53 on the input chain, dropping all IPs except the Pi-hole IPs, would do it.

It might be better to turn off Allow-External-Lookup on the MikroTik and have the Pi-hole do recursive lookups on its own, or just forward to a public server. Then you know no client can ask the MikroTik to do a lookup.

> As I already noted, I have two Pi devices, both configured as DNS sinkholes (Pi-hole). The only difference is that one of them (primary) has conditional forwarding enabled and set up, so I can use hostnames instead of IP addresses to access devices/hosts present on my network.
>
> Using an app (Ping Tools) to check DNS resolving, I found out that querying, for example, the googlesyndication.com domain returned the correct IP on the primary Pi-hole DNS server, but got blocked by the secondary one. Both Pi devices use the MikroTik DNS (which is configured to use DoH) as the upstream DNS server for their own needs (firmware/software updating, etc.).

Why is conditional forwarding only set up on one of them? It should be on both.

Someone else please correct me if I am wrong, but:
MikroTik doesn't add DHCP leases to the DNS entries. If you want the local domain to resolve, you would be better off using Pi-hole as the DHCP server.

As for your Ping Tools application test, you reached the wrong conclusion from the results.
 
Teraflops
just joined
Topic Author
Posts: 3
Joined: Wed Jul 29, 2020 12:02 pm

Re: Make DNS server to respond to specific IP addresses only and forward rest

Tue Jun 28, 2022 3:06 pm

I believe I've partly achieved what I intended to do, namely to make the RouterOS DNS service serve just the two Raspberry Pi 4 devices and reject all others on the LAN side of the network.

I created an address list containing these two and added four filter rules (2x2, for TCP and UDP respectively): two rules on the input chain to drop requests destined to the RouterOS IP, port 53, if not originating from the IP addresses in the address list made before, and two rules on the forward chain to drop requests destined to port 53 if not originating from the IP addresses in that address list.

Tested it - seems to be working OK. Other devices are not able to communicate with either RouterOS or public DNS servers through port 53.

Now, my knowledge about firewall rules is diminutive - I would like to "upgrade" this "solution" (instead of dropping traffic to public DNS) to forward all those DNS requests to my internal DNS server.

That would be great. I believe it is achievable and probably a simple thing to do for someone with greater knowledge, so if anyone is willing to share the know-how, please do. I would be very grateful.
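The rule set described in this last post (input-chain and forward-chain drops keyed on an address list, which is also what kevinds suggested for the input chain), plus the redirect to the internal resolver that the post asks for, written out as an added example in RouterOS CLI syntax. This is not configuration from the thread or from MikroTik; the Pi-hole addresses 192.168.88.10 and 192.168.88.11, the interface list LAN, the list name dns-servers and the comments are assumptions to adapt to your own network.

```routeros
# Added example (not from the thread). Restrict the router's own resolver to
# the two Pi-holes and steer every other LAN host's port-53 traffic to the
# primary Pi-hole. Addresses, the "LAN" interface list and list names are
# assumed values.

/ip firewall address-list
add list=dns-servers address=192.168.88.10 comment="Pi-hole primary (assumed)"
add list=dns-servers address=192.168.88.11 comment="Pi-hole secondary (assumed)"

# 1. Input chain: only the Pi-holes may query the router's own DNS service.
#    Put these rules above any generic "accept from LAN" rule; RouterOS
#    evaluates filter rules top-down and stops at the first match.
/ip firewall filter
add chain=input in-interface-list=LAN protocol=udp dst-port=53 \
    src-address-list=!dns-servers action=drop comment="DNS to router: Pi-holes only"
add chain=input in-interface-list=LAN protocol=tcp dst-port=53 \
    src-address-list=!dns-servers action=drop comment="DNS to router: Pi-holes only"

# 2. Forward chain: LAN hosts other than the Pi-holes get no direct DNS to
#    outside resolvers. dst-address-list=!dns-servers keeps packets that the
#    NAT rules in step 3 have already redirected to a Pi-hole from being
#    dropped here. Logging the drops shows which hosts still try to bypass
#    the sinkhole (anything left after the redirect is in place is a client
#    whose traffic could not be rewritten).
add chain=forward in-interface-list=LAN protocol=udp dst-port=53 \
    src-address-list=!dns-servers dst-address-list=!dns-servers \
    action=drop log=yes log-prefix="dns-bypass" comment="No direct external DNS"
add chain=forward in-interface-list=LAN protocol=tcp dst-port=53 \
    src-address-list=!dns-servers dst-address-list=!dns-servers \
    action=drop log=yes log-prefix="dns-bypass" comment="No direct external DNS"

# 3. NAT: rewrite port-53 traffic from other LAN hosts so it lands on the
#    primary Pi-hole whatever resolver the client has configured. The dstnat
#    chain runs before the filter chains, so a redirected packet reaches the
#    forward chain with dst = Pi-hole and passes the exclusion in step 2.
/ip firewall nat
add chain=dstnat in-interface-list=LAN protocol=udp dst-port=53 \
    src-address-list=!dns-servers dst-address-list=!dns-servers \
    action=dst-nat to-addresses=192.168.88.10 to-ports=53 comment="Force DNS to Pi-hole"
add chain=dstnat in-interface-list=LAN protocol=tcp dst-port=53 \
    src-address-list=!dns-servers dst-address-list=!dns-servers \
    action=dst-nat to-addresses=192.168.88.10 to-ports=53 comment="Force DNS to Pi-hole"

# 4. Hairpin: when client and Pi-hole share a subnet, the Pi-hole would
#    otherwise answer the client directly with its own source address, and
#    the client discards a reply that does not come from the resolver it
#    asked. Masquerading forces the reply back through the router, which
#    restores the original destination address before handing it to the
#    client.
add chain=srcnat out-interface-list=LAN protocol=udp dst-port=53 \
    src-address-list=!dns-servers dst-address-list=dns-servers \
    action=masquerade comment="Hairpin for redirected DNS"
add chain=srcnat out-interface-list=LAN protocol=tcp dst-port=53 \
    src-address-list=!dns-servers dst-address-list=dns-servers \
    action=masquerade comment="Hairpin for redirected DNS"
```

Two caveats a practitioner will want. First, the hairpin rules make the Pi-hole see the router's address instead of the client's for redirected queries, so per-client statistics in Pi-hole are lost for those flows; if the Pi-holes live in a separate VLAN the replies already transit the router and step 4 can be omitted. Second, none of this touches DoH or DoT: a client that resolves over HTTPS to a public endpoint never sends plain port-53 traffic, which is why the logged drops from step 2 and a packet capture, as kevinds suggests, are the way to confirm where a "leaked" resolution really came from.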
