millenium7
Member
Topic Author
Posts: 389
Joined: Wed Mar 16, 2016 6:12 am

DNS server selection based on Layer7 - viable?

Thu Sep 24, 2020 3:22 am

Is it viable to use Layer7 filtering to selectively route DNS requests to different servers?
I want to use a MikroTik router in an organization as the DNS server. This organization runs Active Directory with only a single Domain/DNS server and relies on it for certain internal resources
However, if the server has a hiccup, PCs all lose internet access as DNS is not available

I can't make the MikroTik the DNS server because it isn't part of the Active Directory domain, so certain internal resources won't work
However maybe I can use the MikroTik as a DNS relay, since DNS requests are not encrypted. So could Layer7 inspect the DNS requests, if there's any request for an internal resource (containing their domain name) then send it to the AD Server internally (and masquerade so the reply comes back correctly). Anything else just do a normal forward lookup to Google/Cloudflare

Would this work?
 
neutronlaser
Member
Posts: 447
Joined: Thu Jan 18, 2018 5:18 pm

Re: DNS server selection based on Layer7 - viable?

Thu Sep 24, 2020 3:50 am

Specify two DNS servers and clients will try the first and if not responding, try the next.
 
millenium7
Member
Topic Author
Posts: 389
Joined: Wed Mar 16, 2016 6:12 am

Re: DNS server selection based on Layer7 - viable?

Thu Sep 24, 2020 3:54 am

Specify two DNS servers and clients will try the first and if not responding, try the next.
Windows clients are sticky with their DNS selection

If I put i.e. the AD server as the first DNS server, and google/cloudflare as an alternative server, then if the AD server is unreachable yes it will fail over to google/cloudflare, but it will not fail back. The client PC will stick to that alternate server until it becomes unreachable and then it will retry. So this doesn't solve the problem, it just makes it worse because PCs will periodically not have access to internal resources even if the server is up
 
Sob
Forum Guru
Posts: 6514
Joined: Mon Apr 20, 2009 9:11 pm

Re: DNS server selection based on Layer7 - viable?

Thu Sep 24, 2020 5:00 am

I can't make the MikroTik the DNS server because it isn't part of the Active Directory domain, ...
Wouldn't the new (6.47+) forwarding work for you? Make RB DNS server, but forward selected stuff elsewhere:
/ip dns static
add forward-to=<AD DNS server> regexp="\\.ad\\.domain\\.tld\$" type=FWD
And everything else would go to whatever servers you have in /ip dns.
Excessive quoting is useless and annoying. If you use it, please consider if you could do without it.
 
millenium7
Member
Topic Author
Posts: 389
Joined: Wed Mar 16, 2016 6:12 am

Re: DNS server selection based on Layer7 - viable?

Thu Sep 24, 2020 5:02 am

Wasn't aware of the DNS changes in 6.47
That would work

I've also just set up a lab environment with an AD server and PC
It does also work the 'old' way with a layer7 protocol and 2x NAT rules
/ip firewall layer7-protocol add comment=!!! name=domainrequests regexp="((.*).testdomain.local|(.*).testdomain|testdomain.local)"
/ip firewall nat add action=dst-nat chain=dstnat comment=!!! dst-address=[ROUTERS_LAN_ADDRESS] dst-port=53 layer7-protocol=domainrequests protocol=udp to-addresses=[AD_SERVER]
/ip firewall nat add action=masquerade chain=srcnat comment=!!! dst-address=[AD_SERVER] dst-port=53 protocol=udp
What I'm not sure of is if I need to adjust the regex syntax to be broader or more specific. So far it works fine
I've tested pinging various domain devices and I can see packets matching and responses work
Also tried leaving and rejoining the domain, signing in with new user accounts etc, all working
 
neutronlaser
Member
Posts: 447
Joined: Thu Jan 18, 2018 5:18 pm

Re: DNS server selection based on Layer7 - viable?

Thu Sep 24, 2020 5:27 am

Make Mikrotik DNS server use your domain server as its first choice
 
Sob
Forum Guru
Posts: 6514
Joined: Mon Apr 20, 2009 9:11 pm

Re: DNS server selection based on Layer7 - viable?

Thu Sep 24, 2020 5:27 am

Your regexp can have tons of false positives, it will basically match any packet containing "testdomain" anywhere. For a start, when you have dots in a name, they are not dots in packets, but a number containing the length of the following part, e.g. <10>testdomain<5>local<0>, and the last one is a null byte, but L7 in RouterOS can't match null bytes. And the whole thing can be somewhere in the middle of the packet.

Regexp for static DNS records is easier, because there you have real dots and it works only with the name, so you can also match beginning (^) and end ($) of it.
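The point Sob makes above about wire-format names, and the false positives in the layer7 regexp posted earlier in the thread, can be shown with a few lines of code. The following is an added example and is not code from the forum thread or from RouterOS: it builds a couple of constructed DNS queries, decodes the question name the way a resolver does (length-prefixed labels terminated by a zero byte), and compares an exact zone match against a raw substring search of the kind a layer7 regexp performs. The zone name `testdomain.local` is taken from the lab in the thread; the resolver addresses and the `naive_l7_match` / `choose_forwarder` helpers are assumptions made for this example.

```python
"""Added example (not from the forum thread): decode the question name from a
raw DNS query and decide where to forward it, versus a raw substring match."""
import struct


def encode_name(name: str) -> bytes:
    """Encode a dotted name into DNS wire format: <len>label ... <0>."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("invalid label length")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Constructed sample query: 12-byte header (RD set, one question) + QNAME + QTYPE/QCLASS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_qname(packet: bytes) -> str:
    """Return the dotted, lower-cased question name, validating the wire format.

    Compression pointers are rejected: they do not belong in a query's question
    section, and following them blindly would let a crafted packet loop."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels = []
    pos = 12
    while True:
        if pos >= len(packet):
            raise ValueError("name runs past end of packet")
        length = packet[pos]
        pos += 1
        if length == 0:          # the null byte that ends the name
            break
        if length & 0xC0:        # 11xxxxxx marks a compression pointer
            raise ValueError("compression pointer in question name")
        if pos + length > len(packet):
            raise ValueError("label runs past end of packet")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(packet):    # QTYPE and QCLASS must follow
        raise ValueError("truncated question")
    return ".".join(labels).lower()


# Assumed internal AD zone, matching the lab in the thread.
INTERNAL_ZONES = ("testdomain.local",)


def in_internal_zone(qname: str, zones=INTERNAL_ZONES) -> bool:
    """Exact match: the name is the zone apex or a subdomain of it."""
    return any(qname == z or qname.endswith("." + z) for z in zones)


def choose_forwarder(packet: bytes, ad_server: str, public_server: str) -> str:
    """Forwarding decision made on the decoded name, not on raw packet bytes."""
    return ad_server if in_internal_zone(decode_qname(packet)) else public_server


def naive_l7_match(packet: bytes, needle: bytes = b"testdomain") -> bool:
    """What a substring/regexp search over the raw packet effectively does."""
    return needle in packet


if __name__ == "__main__":
    ad, public = "10.0.0.2", "1.1.1.1"   # constructed resolver addresses
    for name in ("dc01.testdomain.local", "nottestdomain.local",
                 "testdomain.example.com", "www.example.com"):
        q = build_query(name)
        print(f"{name:26} exact -> {choose_forwarder(q, ad, public):9} "
              f"raw 'testdomain' in packet: {naive_l7_match(q)}")
```

Running it shows `nottestdomain.local` and `testdomain.example.com` both matching the raw search while only `dc01.testdomain.local` is forwarded to the AD server by the exact match; it also shows that the bytes `.testdomain.` never occur in the packet, which is why a regexp with literal dots cannot anchor on label boundaries.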
 
Sob
Forum Guru
Posts: 6514
Joined: Mon Apr 20, 2009 9:11 pm

Re: DNS server selection based on Layer7 - viable?

Thu Sep 24, 2020 5:29 am

@neutronlaser: It doesn't work that way, RouterOS will switch between multiple servers all the time.
 
Paternot
Forum Veteran
Posts: 913
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: DNS server selection based on Layer7 - viable?

Thu Sep 24, 2020 6:00 am

Specify two DNS servers and clients will try the first and if not responding, try the next.
Windows clients are sticky with their DNS selection

If I put i.e. the AD server as the first DNS server, and google/cloudflare as an alternative server, then if the AD server is unreachable yes it will fail over to google/cloudflare, but it will not fail back. The client PC will stick to that alternate server until it becomes unreachable and then it will retry. So this doesn't solve the problem, it just makes it worse because PCs will periodically not have access to internal resources even if the server is up
You should put at least two DNS servers on Your AD. No one should run one with a single DNS. Doesn't have to be a big machine. Just use something small, promote it to secondary AD and off You go.
This isn't even best practice: it is almost mandatory, by Microsoft directives. No one should run an AD domain with a single domain controller.
 
millenium7
Member
Topic Author
Posts: 389
Joined: Wed Mar 16, 2016 6:12 am

Re: DNS server selection based on Layer7 - viable?

Thu Sep 24, 2020 7:19 am

I hear you, and we're trying to get that to happen. For now the Mikrotik will suffice

At the same time however, the reality is the vast majority of smaller businesses do only run a single AD and DNS server without issue. And the reality is with virtualisation and image backups it's not the end of the world, it's relatively easy to spin up compared to bare metal. I know what you are saying and in an ideal world with unlimited budgets multiple servers is the way to go. I even agree that it can run on low spec hardware but many of these businesses just don't see it that way
At the same time it's not the only single point of failure. Most businesses only have 1 internet connection, 1 router, the minimum number of switches at each location etc. Plenty of other things that 'could' go wrong
 
odge
Member Candidate
Posts: 106
Joined: Mon Nov 29, 2010 2:53 pm

Re: DNS server selection based on Layer7 - viable?

Tue Oct 12, 2021 10:09 am

/ip dns static
add forward-to=<AD DNS server_1> regexp="\\.ad\\.domain\\.tld\$" type=FWD

/ip dns static
add forward-to=<AD DNS server_2> regexp="\\.ad\\.domain\\.tld\$" type=FWD

Is that a suitable failover method?

Are <AD DNS server> only IPs? It seems to accept anything, even commas
