danunjaya123
Member Candidate
Topic Author
Posts: 101
Joined: Thu Oct 03, 2019 7:36 am
Location: India

Need Solution for DNS redirection

Thu Sep 29, 2022 8:17 am

Hello Everyone,

My customer is using global DNS, i.e. 8.8.8.8, 1.1.1.1, and we have our own DNS at our end. Here the issue comes with Akamai traffic, because they serve CDN traffic based on the ISP DNS only. Which NAT rule or any other option will help with this?

Customer is using static Global DNS in PC/Home Router.
We are giving ISP DNS at Mikrotik.

I have tried the NAT rules below. Let me know whether these rules are correct or not.

add action=dst-nat chain=dstnat dst-address=8.8.8.8 random=50 to-addresses=119.119.119.119
add action=dst-nat chain=dstnat dst-address=8.8.4.4 random=50 to-addresses=119.119.119.119
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Need Solution for DNS redirection

Thu Sep 29, 2022 8:25 am

Your network administrator took some time off?
search.php?keywords=dns+redirect
[...]Here the issue comes with Akamai traffic, because they serve CDN traffic based on the ISP DNS only.[...]
Never heard of such a thing.
Your clients had better use some encrypted DNS solution so you can keep your hands off their requests.
 
ivicask
Member
Posts: 422
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: Need Solution for DNS redirection

Thu Sep 29, 2022 10:02 am

Hello Everyone,

My customer is using global DNS, i.e. 8.8.8.8, 1.1.1.1, and we have our own DNS at our end. Here the issue comes with Akamai traffic, because they serve CDN traffic based on the ISP DNS only. Which NAT rule or any other option will help with this?

Customer is using static Global DNS in PC/Home Router.
We are giving ISP DNS at Mikrotik.

I have tried the NAT rules below. Let me know whether these rules are correct or not.

add action=dst-nat chain=dstnat dst-address=8.8.8.8 random=50 to-addresses=119.119.119.119
add action=dst-nat chain=dstnat dst-address=8.8.4.4 random=50 to-addresses=119.119.119.119
Make sure to add the local bridge interface as the input interface, or for example in-interface-list=!WAN; otherwise with this rule you will also expose DNS to the internet.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Need Solution for DNS redirection

Thu Sep 29, 2022 1:52 pm

I don't think you want to process only half of the packets, i.e. random=50 is nonsense.
 
kryztoval
newbie
Posts: 27
Joined: Tue Sep 07, 2021 10:46 pm

Re: Need Solution for DNS redirection

Fri Nov 11, 2022 2:34 pm

I was having issues with catching (and blocking) any device that tried to make manually set DNS queries in my network. A home network, but I do not want devices going out the wrong path if they are inside my network.

So I did 2 things that may be a bit excessive for some people, but anyway... here is the thing: my main router is at 192.168.1.1, my DNS is at 192.168.1.10.

First I identify any attempt to contact a DNS port (53) and I tag it:
/ip firewall mangle add action=mark-connection chain=prerouting comment="trap dns queries" connection-mark=no-mark dst-address=!192.168.1.10 dst-port=53 in-interface-list=lans new-connection-mark=dns-route passthrough=yes protocol=udp src-address=!192.168.1.10
/ip firewall mangle add action=mark-connection chain=prerouting comment="trap dns queries" connection-mark=no-mark dst-address=!192.168.1.10 dst-port=53 in-interface-list=lans new-connection-mark=dns-route passthrough=yes protocol=tcp src-address=!192.168.1.10
Then I make sure I redirect these requests to the Pi-hole address and srcnat/dstnat them accordingly:
/ip firewall nat add action=masquerade chain=srcnat comment="SNAT to PI-Hole" connection-mark=dns-route to-addresses=192.168.1.10
/ip firewall nat add action=dst-nat chain=dstnat comment="DNAT to PI-Hole" connection-mark=dns-route to-addresses=192.168.1.10
Some people have said that just masquerading is enough, but in my experience it didn't cut it. And you can see in the firewall connections tab that any query to any DNS on the ports you defined will be redirected to your DNS, and it will be properly formatted when the reply returns.

And because I have a trio of ISPs, I split the DNS queries across all the connected ISPs. This increases reliability but it is certainly not required; I just put it here as an example. Note: lans is a list of all interfaces that are in the local network, and WAN#_conn is a routing rule that makes any packet so marked go through that interface if it is up and running; otherwise it goes through the main routing table.
/ip firewall mangle add action=mark-connection chain=prerouting comment="Nth DNS to WAN1 out of 3" connection-mark=no-mark dst-address-type=!local dst-port=53 in-interface-list=lans new-connection-mark=WAN1_conn nth=3,1 passthrough=yes protocol=udp
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Need Solution for DNS redirection

Fri Nov 11, 2022 3:45 pm

Some people have said that just masquerading is enough
Instead, others tell you: why masquerade? It's useless.
 
broderick
Member Candidate
Posts: 242
Joined: Mon Nov 30, 2020 7:44 pm

Re: Need Solution for DNS redirection

Fri Nov 11, 2022 8:27 pm

As for DNS redirection, do you mean that masquerade is useless with his setup only, or by itself every time? Meaning that you don't need it to redirect DNS requests and make them work properly?
Thanks
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Need Solution for DNS redirection

Fri Nov 11, 2022 9:29 pm

It's hairpin NAT. Masquerade is not needed if you're redirecting queries from clients in one subnet to a server in another. If they are in the same subnet, it won't work without it.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Need Solution for DNS redirection

Sat Nov 12, 2022 1:35 am

Why not?
The router redirects everything not from/to .10 to itself and uses .10 as its own DNS...
Or I do not understand the reply correctly.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Need Solution for DNS redirection

Sat Nov 12, 2022 3:30 am

The router (.1) is redirecting DNS queries to another resolver (.10), not to itself. It doesn't touch direct connections to .10 (from other LANs, if there are any) or connections from .10 (the resolver's queries to the internet).

So a query from e.g. .20 to 8.8.8.8 will go to .10, and without srcnat/masquerade the response would come directly from .10 to .20. That wouldn't work; .20 expects a response from 8.8.8.8.

If the router redirected queries to itself (its own DNS resolver) and then queried .10, you'd be right: no srcnat would be needed for that.
 
broderick
Member Candidate
Posts: 242
Joined: Mon Nov 30, 2020 7:44 pm

Re: Need Solution for DNS redirection

Sat Nov 12, 2022 10:35 am

It's hairpin NAT. Masquerade is not needed if you're redirecting queries from clients in one subnet to server in another. If they are in same subnet, it won't work without it.
Exactly. I knew that it works that way. You explained it to me in detail once. So I thought I was missing something here. Thanks
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Need Solution for DNS redirection

Sat Nov 12, 2022 11:27 am

Whether or not it's useful to intercept DNS, or the way to circumvent that, is off topic;
the best solution for me, if the DNS is not the RouterBOARD but another device on the local network, is:

The RouterBOARD provides DNS servers to local devices via DHCP.
Local devices reach DNS through the RouterBOARD, and not through another "internal switch".
Devices that have fixed IPs also have the right internal DNS.
The internal DNS server can know the IP of the internal devices because the RouterBOARD routes the traffic rather than NATting it.
The RouterBOARD eliminates any DNS request that tries to leave the internal network; in this way smartphones that have, for example, "8.8.8.8" built in
are forced to use the DNS provided by the DHCP server.
If for some reason the DNS cannot be changed on a device, or while the migration to the new configuration is taking place,
a DNS request not addressed to the correct DNS server can be redirected by NAT on the RouterBOARD to the correct DNS.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Need Solution for DNS redirection

Sat Nov 12, 2022 3:19 pm

And this here handles the last part, when some device tries to use something other than correct .10.
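Pulling the thread together, here is an added configuration (not posted by anyone in the thread) that corrects the OP's two rules along the lines Sob and rextended describe: match only DNS, only from the LAN side, masquerade only the redirected same-subnet flows, and drop whatever still tries to leave. It assumes a 192.168.1.0/24 LAN with the router at .1 and the internal resolver at .10 as in kryztoval's setup, and interface lists named LAN and WAN.

```routeros
# Added example, not from the thread. Assumed: LAN 192.168.1.0/24, router .1,
# internal resolver .10, interface lists LAN and WAN.
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 dns-server=192.168.1.10 \
    comment="hand out the internal resolver; most clients will simply use it"

/ip firewall nat
# Redirect only DNS (port 53, UDP and TCP), only from LAN-side interfaces, and
# leave the resolver's own upstream queries alone. The OP's rules matched every
# protocol and port sent to 8.8.8.8, had no in-interface restriction (so they
# also rewrote packets arriving from the internet, as ivicask noted) and fired
# on only half the packets because of random=50.
add chain=dstnat in-interface-list=LAN protocol=udp dst-port=53 \
    dst-address=!192.168.1.10 src-address=!192.168.1.10 \
    action=dst-nat to-addresses=192.168.1.10 comment="stray UDP DNS -> resolver"
add chain=dstnat in-interface-list=LAN protocol=tcp dst-port=53 \
    dst-address=!192.168.1.10 src-address=!192.168.1.10 \
    action=dst-nat to-addresses=192.168.1.10 comment="stray TCP DNS -> resolver"
# Hairpin case (Sob's point): a client in the resolver's own subnet that sent
# to 8.8.8.8 would otherwise get its answer straight from .10 and discard it.
# connection-nat-state=dstnat limits the masquerade to flows the rules above
# rewrote, so direct queries to .10 and queries routed in from other subnets
# keep their real source IP, which is what rextended wants the resolver to see.
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.10 \
    connection-nat-state=dstnat protocol=udp dst-port=53 \
    action=masquerade comment="hairpin redirected DNS, same subnet only"
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.10 \
    connection-nat-state=dstnat protocol=tcp dst-port=53 \
    action=masquerade comment="hairpin redirected DNS, same subnet only"

/ip firewall filter
# rextended's "eliminate any request that tries to leave" step. With the
# redirect in place this should rarely match, so a rising counter here is a
# useful signal that some client is still bypassing the resolver.
add chain=forward out-interface-list=WAN protocol=udp dst-port=53 \
    src-address=!192.168.1.10 action=drop comment="no DNS leaks past resolver"
add chain=forward out-interface-list=WAN protocol=tcp dst-port=53 \
    src-address=!192.168.1.10 action=drop comment="no DNS leaks past resolver"
```

Order matters in the filter chain: the drop rules must sit before any generic LAN-to-WAN accept rule, and the dst-nat rules must come before any other dstnat rules that match port 53.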
