sjoram
Member Candidate
Topic Author
Posts: 187
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

Update firewall filter/NAT rules based on FQDN

Sat Sep 03, 2022 6:02 pm

Edit: Looks like I've answered my own question here....

1) It looks like the IP for doh.opendns.com is the same globally and anycast routed, so shouldn't need to change. But I've read that address lists can use FQDNs. Presumably the router would need to be able to resolve them to an IP however?

2) I re-read the config guide and see it mentions adding the static entries, so presumably that's the only way....

Original post:

I've just configured DNS over HTTPS via OpenDNS on my RouterOS.

Network setup from a DNS perspective is as follows:

Domain-joined Windows clients -> Active Directory DNS server (port 53) - these clients also have the OpenDNS IPs as fallback if the AD DNS goes down
Active Directory Server -> OpenDNS 208.67.222.222/208.67.220.220 (port 53) - forwarders

RouterOS (only listing my DoH specific changes):

Firewall:
Input - Allow Active Directory DNS server & domain-joined client subnet to Router LAN IP on port 53
NAT - DSTNAT AD DNS & domain-joined client subnet to OpenDNS - DSTNAT to Router LAN IP on port 53
Output - Allow to 146.112.41.2 (doh.opendns.com) on HTTPS

DNS:
Static entry for doh.opendns.com to 146.112.41.2
Specify DoH as https://doh.opendns.com/dns-query (validate certificate checked)
DNS server (IP) - empty

Certificates:
Imported DigiCert Root CA

Questions:

1) I restrict the output chain on the router - how can I make a DNS query for doh.opendns.com and ensure that the returned IP is updated if/when required in the firewall filter/NAT rules?
2) Without the static DNS entry for doh.opendns.com how does the router resolve that hostname if it doesn't have any DNS IPs?

I know question 2 isn't a scripting issue per se, but it's part of the bigger picture.
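The setup described in the post, written out as RouterOS CLI. This is an added example, not the poster's exported configuration; the LAN subnet (192.168.10.0/24), the interface list name "LAN", the address-list names and the DigiCert file name are assumptions, and only the commands and parameters that exist in RouterOS are used. The point it demonstrates is the one raised in question 1: reference an address list that carries an FQDN entry instead of a literal IP, and the router keeps the resolved addresses current itself.

```routeros
# Added example (not from the post). Assumptions: LAN 192.168.10.0/24,
# interface list "LAN", list names below, DigiCert file name.

# 1. Trust anchor for verify-doh-cert=yes. Upload the DigiCert root first;
#    the file name is an assumption, use the root that issued the doh.opendns.com chain.
/certificate import file-name=DigiCertGlobalRootG2.crt passphrase=""

# 2. Bootstrap. With no plaintext DNS server configured the router cannot
#    resolve doh.opendns.com by itself; the static entry breaks that loop.
/ip dns static add name=doh.opendns.com address=146.112.41.2 comment="DoH bootstrap"

# 3. Resolver: DoH only, plaintext server list left empty, LAN may query the router.
/ip dns set servers="" use-doh-server="https://doh.opendns.com/dns-query" \
    verify-doh-cert=yes allow-remote-requests=yes

# 4. Address lists. An FQDN entry is resolved by the router; the resolved IPs
#    show up as dynamic (D) entries and are re-resolved when the TTL expires.
/ip firewall address-list add list=doh-servers address=doh.opendns.com \
    comment="resolved by the router itself"
/ip firewall address-list add list=opendns-plain address=208.67.222.222
/ip firewall address-list add list=opendns-plain address=208.67.220.220
/ip firewall address-list add list=dns-clients address=192.168.10.0/24

# 5. Input: AD DNS server and domain-joined clients may query the router on 53.
/ip firewall filter add chain=input action=accept protocol=udp dst-port=53 \
    src-address-list=dns-clients in-interface-list=LAN comment="LAN DNS to router"
/ip firewall filter add chain=input action=accept protocol=tcp dst-port=53 \
    src-address-list=dns-clients in-interface-list=LAN comment="LAN DNS to router (TCP)"

# 6. Output: router-originated traffic to the DoH server on 443. The rule
#    matches the list, so it follows whatever the list currently resolves to.
/ip firewall filter add chain=output action=accept protocol=tcp dst-port=443 \
    dst-address-list=doh-servers comment="DoH to OpenDNS"

# 7. NAT: plaintext DNS that the AD forwarders send to OpenDNS is redirected
#    to the router's own port 53, so it only leaves the network over DoH.
#    (action=redirect targets the router's own address, so no LAN IP is hard-coded.)
/ip firewall nat add chain=dstnat action=redirect to-ports=53 protocol=udp dst-port=53 \
    src-address-list=dns-clients dst-address-list=opendns-plain comment="force OpenDNS via DoH"
/ip firewall nat add chain=dstnat action=redirect to-ports=53 protocol=tcp dst-port=53 \
    src-address-list=dns-clients dst-address-list=opendns-plain comment="force OpenDNS via DoH (TCP)"

# 8. Check: the D entries show the current resolution of the FQDN, and
#    :resolve confirms the router can answer lookups over DoH.
/ip firewall address-list print where list=doh-servers
:put [:resolve doh.opendns.com]
:put [:resolve www.mikrotik.com]
```

One caveat that answers the poster's own follow-up: the router's lookup of doh.opendns.com is answered from its static entry, so for this particular name the address-list entry tracks the static value rather than OpenDNS's live record. The FQDN mechanism only delivers automatic updates for names the router resolves over DoH; for the DoH endpoint itself the static entry has to be maintained by hand, which is tolerable here because, as the poster notes, that address is anycast and stable.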
