
BUG: Regexp Wild DNS Static entry with CNAME not work with v6.48.4

Posted: Sat Oct 09, 2021 5:51 am
by ihipop
This works

/ip dns static
add address=1.1.1.1 regexp="\\.example\\.com"
Output:

:put [:resolve aaa.example.com]
1.1.1.1

This not work

/ip dns static
add cname=one.one.one.one regexp="\\.example\\.com" type=CNAME
Output:
:put [:resolve aaa.example.com]
failure: dns name does not exist
:put [:resolve one.one.one.one]
1.0.0.1


[*] RouterOS version

```
/system routerboard> print
routerboard: yes
board-name: hEX PoE lite
model: RouterBOARD 750UP r2
serial-number: ******
firmware-type: qca9531L
factory-firmware: 3.23
current-firmware: 6.48.4
upgrade-firmware: 6.48.4
```

Re: BUG: Regexp Wild DNS Static entry with CNAME not work with v6.48.4

Posted: Mon Oct 11, 2021 11:33 am
by Kindis
Adding CNAME to ROS does not work as it should. I have a case with MT where they have confirmed this issue.

What I see is that a CNAME I add does not work at all. Now I use network.local as the suffix for the CNAME Key but a "real" FQDN as value.
This only works if I resolve the value first and get it into the cache.

For example. If I add a CNAME with key test.example.local with value dns.google.com I cannot resolve test.example.local.-
This will not work for me unless I have dns.google.com in cache. So for example if I run nslookup dns.google.com that will put the IP for this value for a short while.
During this time test.example.local will resolve.
The reason is that the DNS resolver will send the CNAME externally to resolve, as I saw network.local in my external DNS provider logs, and they should not be there.
I'm not sure this is applicable to you but CNAME does not work as it should and could very well be affecting you.

Re: BUG: Regexp Wild DNS Static entry with CNAME not work with v6.48.4

Posted: Tue Oct 12, 2021 7:12 am
by ihipop
Thank you for your kind reply :) :) ~
But:

Re: BUG: Regexp Wild DNS Static entry with CNAME not work with v6.48.4

Posted: Tue Oct 12, 2021 7:13 am
by ihipop
> Adding CNAME to ROS does not work as it should. I have a case with MT where they have confirmed this issue.
>
> What I see is that a CNAME I add does not work at all. Now I use network.local as the suffix for the CNAME Key but a "real" FQDN as value.
> This only works if I resolve the value first and get it into the cache.
>
> For example. If I add a CNAME with key test.example.local with value dns.google.com I cannot resolve test.example.local.-
> This will not work for me unless I have dns.google.com in cache. So for example if I run nslookup dns.google.com that will put the IP for this value for a short while.
> During this time test.example.local will resolve.
> The reason is that the DNS resolver will send the CNAME externally to resolve, as I saw network.local in my external DNS provider logs, and they should not be there.
> I'm not sure this is applicable to you but CNAME does not work as it should and could very well be affecting you.

Thank you for your kind reply :) :) ~
Your case about CNAME is TRUE
But:
  • `one.one.one.one` is a "real" FQDN value
  • I resolve the value first and get it into the cache, but it still does not work with a Regexp Wild DNS Static entry
  • It works with CNAME DNS Static entry without Regexp
  • It's just a `Regexp Wild DNS Static` + `CNAME` bug

Question:

How can I let the MikroTik team know about my issues? I have another issue to let them know about..

Re: BUG: Regexp Wild DNS Static entry with CNAME not work with v6.48.4

Posted: Tue Oct 12, 2021 11:47 am
by Kindis
I still think the issue applies even for you. In this case you ask for the domain aaa.example.com and that does not exist in public DNS.
Now I cannot be sure, but the issue I see is that the question I send for a CNAME is not managed within the device but is sent to the external DNS resolver you have.
Did a little test:

I added the following:
/ip dns static
add address=1.1.1.1 regexp="\\.cnn\\.com"

This produced the following:
Non-authoritative answer:
Name: turner-tls.map.fastly.net
Addresses: 1.1.1.1
Aliases: www.cnn.com

So in this case I see the answer I was expecting.
Then we remove A record and add this:
/ip dns static
add cname=one.one.one.one regexp="\\.cnn\\.com" type=CNAME
This produced the following:
Non-authoritative answer:
Name: turner-tls.map.fastly.net
Addresses: 2a04:4e42:14::323
151.101.85.67
Aliases: www.cnn.com

As you can see I get a response, but these are the "real" IPs you get from the external resolver. So this indicates the CNAME question www.cnn.com is sent externally and not managed in your device.
And just to prove my point here :D I added this:
/ip dns static
add cname=one.one.one.one regexp="\\.example\\.com" type=CNAME
This gave me this result:
*** UnKnown can't find aaa.example.com: Non-existent domain
Then I went to the logs of my external resolver (NextDNS) and found this in the log:
2021-10-12T08:09:34.389544+00:00,aaa.example.com,A,true,DNS-over-HTTPS
So in this case the question for aaa.example.com is not honored by the DNS resolver in Mikrotik but is instead sent to my external resolver asking for an A record.
So I think you have the same issue. MT has confirmed they have found the issue but there is no fix for this in the pipeline yet as far as I know.
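Kindis's log line above is the defender-side signal for this bug: a name that a static entry should have answered locally shows up at the external resolver. The following added example (not from the thread, not MikroTik code) parses query-log lines in the comma-separated shape quoted above and flags any query whose name matches a suffix that a local static entry was expected to answer; the field order (timestamp,name,type,flag,protocol), the suffix patterns and the sample lines are constructed assumptions.

```python
import csv
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample lines in the same comma-separated shape as the NextDNS
# line quoted in the thread: timestamp,name,type,flag,protocol.
SAMPLE_LOG = """\
2021-10-12T08:09:34.389544+00:00,aaa.example.com,A,true,DNS-over-HTTPS
2021-10-12T08:09:35.101000+00:00,www.cnn.com,A,true,DNS-over-HTTPS
2021-10-12T08:09:36.220000+00:00,test.example.local,A,true,DNS-over-HTTPS
2021-10-12T08:09:37.330000+00:00,one.one.one.one,AAAA,true,DNS-over-HTTPS
"""

# Patterns a local static entry is expected to answer. They mirror the regexp
# values used in the thread; those match aaa.example.com without an anchor,
# so re.search (unanchored) is used here as well.
LOCAL_PATTERNS = [r"\.example\.com", r"\.example\.local", r"\.local$"]

@dataclass
class Leak:
    timestamp: str
    name: str
    qtype: str
    pattern: str

def parse_lines(text: str) -> List[List[str]]:
    """Split the log into rows, skipping blank or too-short lines."""
    return [row for row in csv.reader(text.splitlines()) if len(row) >= 3]

def find_leaks(text: str, patterns: Iterable[str] = LOCAL_PATTERNS) -> List[Leak]:
    """Return every upstream query whose name should have stayed local.

    A hit means the router forwarded a question that a static entry
    (name= or regexp=) was supposed to answer, so the internal name was
    disclosed to the external resolver."""
    compiled = [(p, re.compile(p)) for p in patterns]
    leaks = []
    for ts, name, qtype, *_ in parse_lines(text):
        for raw, rx in compiled:
            if rx.search(name):
                leaks.append(Leak(ts, name, qtype, raw))
                break  # report each query once, under the first pattern hit
    return leaks

if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_LOG):
        print(f"{leak.timestamp} {leak.qtype:5} {leak.name} (matches {leak.pattern})")
```

Running it over a real export with your own suffix list gives a quick audit of which "local" names the router is actually forwarding upstream.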

Re: BUG: Regexp Wild DNS Static entry with CNAME not work with v6.48.4

Posted: Wed Oct 13, 2021 10:11 am
by ihipop
> I still think the issue applies even for you. In this case you ask for the domain aaa.example.com and that does not exist in public DNS.
> Now I cannot be sure, but the issue I see is that the question I send for a CNAME is not managed within the device but is sent to the external DNS resolver you have.
> Did a little test:
>
> I added the following:
> /ip dns static
> add address=1.1.1.1 regexp="\\.cnn\\.com"
>
> This produced the following:
> Non-authoritative answer:
> Name: turner-tls.map.fastly.net
> Addresses: 1.1.1.1
> Aliases: www.cnn.com
>
> So in this case I see the answer I was expecting.
> Then we remove A record and add this:
> /ip dns static
> add cname=one.one.one.one regexp="\\.cnn\\.com" type=CNAME
> This produced the following:
> Non-authoritative answer:
> Name: turner-tls.map.fastly.net
> Addresses: 2a04:4e42:14::323
> 151.101.85.67
> Aliases: www.cnn.com
>
> As you can see I get a response, but these are the "real" IPs you get from the external resolver. So this indicates the CNAME question www.cnn.com is sent externally and not managed in your device.
> And just to prove my point here :D I added this:
> /ip dns static
> add cname=one.one.one.one regexp="\\.example\\.com" type=CNAME
> This gave me this result:
> *** UnKnown can't find aaa.example.com: Non-existent domain
> Then I went to the logs of my external resolver (NextDNS) and found this in the log:
> 2021-10-12T08:09:34.389544+00:00,aaa.example.com,A,true,DNS-over-HTTPS
> So in this case the question for aaa.example.com is not honored by the DNS resolver in Mikrotik but is instead sent to my external resolver asking for an A record.
> So I think you have the same issue. MT has confirmed they have found the issue but there is no fix for this in the pipeline yet as far as I know.
Hi bro:

You missed the cache test part.

So, I will explain this:
/ip dns static
add address=1.1.1.1 name=one.one.one.one
add cname=one.one.one.one regexp="\\.example\\.com" type=CNAME
then, manual resolve
one.one.one.one
and find it in that cache to ensure cache is valid
/ip dns cache> :put [:resolve one.one.one.one]   
1.1.1.1

/ip dns cache> print where name=one.one.one.one
Flags: S - static 
 #   NAME                                                          TYPE  DATA                                                                                             TTL         
 0 S one.one.one.one                                               A     1.1.1.1                                                                                          1d  
 
then, manual resolve
 aaa.example.com
Result:
/ip dns cache> :put [:resolve aaa.example.com]   
failure: dns name does not exist
when I change
/ip dns static add cname=one.one.one.one regexp="\\.example\\.com" type=CNAME

to
/ip dns static add cname=one.one.one.one name=aaa.example.com type=CNAME

it works:
/ip dns static> :put [:resolve aaa.example.com]
1.1.1.1
So, you have said:
> So in this case the question for aaa.example.com is not honored by the DNS resolver in Mikrotik
YES!

But you also have said :
> For example. If I add a CNAME with key test.example.local with value dns.google.com I cannot resolve test.example.local.-
> This will not work for me unless I have dns.google.com in cache

NO! This is a different issue. I have one.one.one.one in the DNS cache, and it works without regexp when I have one.one.one.one in the DNS cache, but it does not work with a regexp entry.

And:
I'm still interested in how to let MikroTik know about my issue :D