Community discussions

MikroTik App
 
chuky0
newbie
Topic Author
Posts: 27
Joined: Thu Apr 20, 2017 7:49 pm

alternate DNS for specific IP on LAN, is it possible?

Thu Nov 15, 2018 9:54 am

Hi,

I've been trying to get my IPTV box to use a DNS other than my LAN's. I tried netmap as shown below but it did not work, maybe because of the redirect above it ? Hoping for an easy solution with firewall. I may have to remove the IPTV box's ethernet port from bridge and give it its own IP etc or go VLAN. I was hoping I there may be another way, thought I'd ask here before I went down either of those roads.

/ip dns
set allow-remote-requests=yes servers="208.67.222.222,208.67.220.220,208.67.22\
2.220,208.67.220.222,::ffff:208.67.222.222,::ffff:208.67.220.220,::ffff:20\
8.67.222.220,::ffff:208.67.220.222"
/ip dns static
add address=192.168.88.1 name=router

/ip firewall mangle
add action=add-dst-to-address-list address-list=MAG322 address-list-timeout=\
none-dynamic chain=prerouting comment=MAG322 log-prefix=MAG322 \
src-address=192.168.88.138 src-address-list=""

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
src-address=192.168.88.0/24
add action=redirect chain=dstnat comment=DNS dst-port=53 protocol=udp \
to-ports=53
add action=netmap chain=dstnat comment="MAG322 alt_dns" \
dst-address=192.168.88.138 dst-port=53 protocol=udp src-address-list=\
MAG322 to-addresses=8.8.8.8 to-ports=53
 
User avatar
macsrwe
Forum Veteran
Forum Veteran
Posts: 987
Joined: Mon Apr 02, 2007 5:43 am
Location: Arizona, USA
Contact:

Re: alternate DNS for specific IP on LAN, is it possible?

Sat Nov 17, 2018 1:14 am

I haven’t personally tried this, but I think the cleanest way to do it is to obtain the MAC address of your IPTV box, assign it a static IP address in /ip dhcp-server lease, and set the DHCP-options field according to the IANA standard (link provided in wiki) to denote a custom DNS server for that device.

When your device picks up its IP address from the DHCP server, the DNS server that comes along with the reservation should be the one it ends up using.


Sent from my iPhone using Tapatalk
 
User avatar
vecernik87
Forum Veteran
Forum Veteran
Posts: 804
Joined: Fri Nov 10, 2017 8:19 am

Re: alternate DNS for specific IP on LAN, is it possible?  [SOLVED]

Sat Nov 17, 2018 1:24 am

another is possible - instead of DHCP options, you can define it in /ip dhcp-server networks:
/ip dhcp-server network
add address=10.100.1.0/24 dns-server=8.8.8.8 gateway=10.100.1.254 netmask=24
add address=10.100.1.253/32 dns-server=10.100.1.254 gateway=10.100.1.254 netmask=24
as you can see, for whole LAN range, there is google DNS assigned, but for one specific IP (I made the lease static so it always goes to specific device) DHCP server will send different IP (its own) as DNS server.
I tested both methods and both work fine.
Last edited by vecernik87 on Sat Nov 17, 2018 1:36 am, edited 1 time in total.
 
User avatar
macsrwe
Forum Veteran
Forum Veteran
Posts: 987
Joined: Mon Apr 02, 2007 5:43 am
Location: Arizona, USA
Contact:

Re: alternate DNS for specific IP on LAN, is it possible?

Sat Nov 17, 2018 1:31 am

Very cool solution, if it works reliably. The wiki doesn’t even hint that this is a possibility, or that the networks will necessarily be matched in order of specificity. But I will certainly remember it.


Sent from my iPhone using Tapatalk
 
User avatar
vecernik87
Forum Veteran
Forum Veteran
Posts: 804
Joined: Fri Nov 10, 2017 8:19 am

Re: alternate DNS for specific IP on LAN, is it possible?

Sat Nov 17, 2018 1:46 am

You are right... It is not specified, therefore it is not guaranteed. I guess I figured out some time ago on my own.
I adjusted the answer. It is truly not "easier" solution because it is not clear from the lease, if there will be something special. The DHCP option might be actually better due to this - you will see straight from lease, that there is extra DHCP option
 
chuky0
newbie
Topic Author
Posts: 27
Joined: Thu Apr 20, 2017 7:49 pm

Re: alternate DNS for specific IP on LAN, is it possible?

Sat Nov 17, 2018 2:18 am

This is amazing, I love those solutions, very ingenious. Since I make hard wired connections in my LAN static I went for the solution suggested by vecernik87. I added the info through winbox GUI (below is the export). I rebooted my IPTV box and voila, it is now using the preferred DNS as described by the IPTV provider and not OpenDNS which I prefer for my LAN.

So happy now, because I did try pulling ether3 from the bridge assigning its own IP etc. etc. but got nowhere other than frustration city with that. (I ended up having to restore my config on my RB750GR3)

/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
add address=192.168.88.138/32 dns-server=8.8.8.8 gateway=192.168.88.1 netmask=24

Thanks again
 
chuky0
newbie
Topic Author
Posts: 27
Joined: Thu Apr 20, 2017 7:49 pm

Re: alternate DNS for specific IP on LAN, is it possible?

Sat Nov 17, 2018 5:50 pm

Although the device now has an alternate DNS from the LAN, it is not working ie. there is blocking on the device from OpenDNS.

I tried the DHCP-option with winbox gui on the static lease for the IPTV box, and it only allows unknown to be selected. Maybe CLI will allow it ? I saw from the IANA link, option 6 would allow me to input DNS server in options for that lease.
 
nescafe2002
Forum Veteran
Forum Veteran
Posts: 783
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: alternate DNS for specific IP on LAN, is it possible?

Sat Nov 17, 2018 6:28 pm

GUI can do it, but you have to calculate the IP address to hex using e.g. calculator.

First you add a dhcp option (in Options tab), then you can select it in lease.
You do not have the required permissions to view the files attached to this post.
 
chuky0
newbie
Topic Author
Posts: 27
Joined: Thu Apr 20, 2017 7:49 pm

Re: alternate DNS for specific IP on LAN, is it possible?

Sat Nov 17, 2018 7:08 pm

awesome, thanks nescafe2002
 
User avatar
vecernik87
Forum Veteran
Forum Veteran
Posts: 804
Joined: Fri Nov 10, 2017 8:19 am

Re: alternate DNS for specific IP on LAN, is it possible?

Sun Nov 18, 2018 9:16 am

quick tip: You don't need to calculate hex values. If you follow manual, you will find that IP can be added with apostrophes
This is working example from my tests:
/ip dhcp-server option
add code=6 name=dns-cloudflare value="'1.1.1.1'"
(notice the apostrophes within quotation marks. in GUI, you just type
'1.1.1.1'
)
it is not working ie. there is blocking on the device from OpenDNS.
I tested both methods and my device got DNS IP correctly. I am unsure how to understand your issue - what exactly isn't working (what is being blocked etc). I don't really use openDNS so I may be missing some important knowledge which you are referring to.
wild guess: DNS requests from your TV will be probably NATted so from external-dns-server, it will look absolutely same as if your router does the DNS request.
Maybe that is the issue?
 
nescafe2002
Forum Veteran
Forum Veteran
Posts: 783
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: alternate DNS for specific IP on LAN, is it possible?

Sun Nov 18, 2018 11:02 am

Nice! You still have to convert to hex if you want to supply more than one DNS server, I suppose.
 
markz
just joined
Posts: 4
Joined: Mon Aug 17, 2015 1:06 pm

Re: alternate DNS for specific IP on LAN, is it possible?

Sun Nov 18, 2018 7:12 pm

this works for me with two or more dns servers in dhcp options.
/ip dhcp-server option
add code=6 name="Google DNS" value="'8.8.8.8''8.8.4.4'"
add code=6 name=OpenDNS value="'208.67.222.222''208.67.220.220''208.67.222.220''208.67.220.222'"
 
chuky0
newbie
Topic Author
Posts: 27
Joined: Thu Apr 20, 2017 7:49 pm

Re: alternate DNS for specific IP on LAN, is it possible?

Mon Nov 19, 2018 5:51 pm

quick tip: You don't need to calculate hex values. If you follow manual, you will find that IP can be added with apostrophes
This is working example from my tests:
/ip dhcp-server option
add code=6 name=dns-cloudflare value="'1.1.1.1'"
(notice the apostrophes within quotation marks. in GUI, you just type
'1.1.1.1'
)
it is not working ie. there is blocking on the device from OpenDNS.
I tested both methods and my device got DNS IP correctly. I am unsure how to understand your issue - what exactly isn't working (what is being blocked etc). I don't really use openDNS so I may be missing some important knowledge which you are referring to.
wild guess: DNS requests from your TV will be probably NATted so from external-dns-server, it will look absolutely same as if your router does the DNS request.
Maybe that is the issue?
Hi vecernik87,
there is a stream that won't work ie. it is blocked. I can go into opendns website panel to disable filtering and it works then. So, even though my specific device has google DNS now it is still not picking up that stream. I'm wondering if it's because i use DNS setting for the whole router in the /ip/dns setting like your wild guess. Maybe I should use DNS settings per DHCP network and remove the /ip/dns settings, but it will still be NATed by the router.

I know I have a pretty bastardized setup between defconf and all the stuff I've mucked with. I may start fresh when I have more time to play, I do enjoy the challenge.

I'm going to start a new thread for how to get ether3 to work independently of the LAN. I've tried this unsuccessfully.

Thanks
 
User avatar
macsrwe
Forum Veteran
Forum Veteran
Posts: 987
Joined: Mon Apr 02, 2007 5:43 am
Location: Arizona, USA
Contact:

Re: alternate DNS for specific IP on LAN, is it possible?

Mon Nov 19, 2018 7:39 pm

The NATting shouldn’t make a difference one way or the other. In a home network, any device can choose to use any DNS server; they all go through NAT, and it all works. The only difference in your configuration is that you have a device that needs to be fed a custom DNS value instead of having an operator that chooses one for himself.

Here’s an experiment: use the suggested set up to force a custom DNS to a particular PC instead of your dumb device, then inspect the PCs Internet settings, make sure they are what you expected them to be, and make sure that the DNS works. If it works for the PC, it ought to work for the dumb device, as long as it is honoring the DHCP information properly.


Sent from my iPhone using Tapatalk
 
User avatar
sebastia
Forum Guru
Forum Guru
Posts: 1802
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: alternate DNS for specific IP on LAN, is it possible?

Mon Nov 19, 2018 8:34 pm

is that rule still active?

/ip firewall nat
add action=redirect chain=dstnat comment=DNS dst-port=53 protocol=udp \
to-ports=53

That would cause it redirect all dns traffic to local dns afterall...
 
chuky0
newbie
Topic Author
Posts: 27
Joined: Thu Apr 20, 2017 7:49 pm

Re: alternate DNS for specific IP on LAN, is it possible?

Tue Nov 20, 2018 1:15 am

is that rule still active?

/ip firewall nat
add action=redirect chain=dstnat comment=DNS dst-port=53 protocol=udp \
to-ports=53

That would cause it redirect all dns traffic to local dns afterall...
Yep, that on'e active in firewall/nat I figured it might be the culprit, but I do need it for my LAN. Great learning from this though.
 
User avatar
vecernik87
Forum Veteran
Forum Veteran
Posts: 804
Joined: Fri Nov 10, 2017 8:19 am

Re: alternate DNS for specific IP on LAN, is it possible?

Tue Nov 20, 2018 2:05 am

Gosh, I didn't even go through firewall rules. so obvious :lol:

If you need it for your lan, you can always exclude your special IP from it:
/ip firewall nat
add action=redirect src-address=!YOUR_SPECIAL_IP chain=dstnat comment=DNS dst-port=53 protocol=udp to-ports=53
 
chuky0
newbie
Topic Author
Posts: 27
Joined: Thu Apr 20, 2017 7:49 pm

Re: alternate DNS for specific IP on LAN, is it possible?

Sat Nov 24, 2018 6:15 pm

So, I'm still looking at this problem. If I am using the routers /ip/dns as seen from the export in the original post do I have to add my iptv box ip as static in this section to get this to work?

Maybe I have to add line ?

/ip>dns static add address=192.168.88.138 name=MAG322

This is the current export of DNS setup

/ip dns
set allow-remote-requests=yes servers="208.67.222.222,208.67.220.220,208.67.22\
2.220,208.67.220.222,::ffff:208.67.222.222,::ffff:208.67.220.220,::ffff:20\
8.67.222.220,::ffff:208.67.220.222"
/ip dns static
add address=192.168.88.1 name=router
 
chuky0
newbie
Topic Author
Posts: 27
Joined: Thu Apr 20, 2017 7:49 pm

Re: alternate DNS for specific IP on LAN, is it possible?

Sat Nov 24, 2018 7:09 pm

The NATting shouldn’t make a difference one way or the other. In a home network, any device can choose to use any DNS server; they all go through NAT, and it all works. The only difference in your configuration is that you have a device that needs to be fed a custom DNS value instead of having an operator that chooses one for himself.

Here’s an experiment: use the suggested set up to force a custom DNS to a particular PC instead of your dumb device, then inspect the PCs Internet settings, make sure they are what you expected them to be, and make sure that the DNS works. If it works for the PC, it ought to work for the dumb device, as long as it is honoring the DHCP information properly.


Sent from my iPhone using Tapatalk
So I tried this on my main PC's IP. It did give give the custom DNS information as seen from the windows command /ipconfig /all. However, this did break the network connection for that PC; no internet, could not even connect to the router. I had to revert settings on router from another machine on the network.

Weird because the dumb device (it uses linux 3.3) still has connection when sent a custom DNS
 
chuky0
newbie
Topic Author
Posts: 27
Joined: Thu Apr 20, 2017 7:49 pm

Re: alternate DNS for specific IP on LAN, is it possible?

Tue Dec 04, 2018 7:05 pm

Betweem this thread and the link below I've finally been able to resolve this

Sob's answer from the thread below was the kicker for me!

viewtopic.php?t=114499

Thanks for all your help!
 
188pilas
just joined
Posts: 1
Joined: Fri May 03, 2019 12:39 am

Re: alternate DNS for specific IP on LAN, is it possible?

Sun Aug 09, 2020 5:33 am

another is possible - instead of DHCP options, you can define it in /ip dhcp-server networks:
/ip dhcp-server network
add address=10.100.1.0/24 dns-server=8.8.8.8 gateway=10.100.1.254 netmask=24
add address=10.100.1.253/32 dns-server=10.100.1.254 gateway=10.100.1.254 netmask=24
as you can see, for whole LAN range, there is google DNS assigned, but for one specific IP (I made the lease static so it always goes to specific device) DHCP server will send different IP (its own) as DNS server.
I tested both methods and both work fine.
Thanks! This solved my problem.

Who is online

Users browsing this forum: No registered users and 32 guests