Mihies
just joined
Topic Author
Posts: 12
Joined: Wed Oct 28, 2015 12:30 pm

Resolve DNS through Wireguard

Fri Dec 23, 2022 10:25 pm

I have two networks, both with mikrotik routers. Home is on a fixed IP, while remote is on a dynamic one. Remote connects to home through Wireguard over the Internet.
Both mikrotiks act as DNS for their respective networks. Everything seems to be working fine. Except....
Now, I'd like to resolve home addresses from the remote mikrotik DNS. Basically, remote DNS would first go looking at home DNS, and if it can't resolve, it'd go looking to public DNS servers. So I use the home DNS IP as first in the chain on the remote DNS servers list. And for some reason remote DNS can't access home DNS. The fun part is that if I try to resolve from any computer on the remote subnetwork using home DNS, it works. It also works for computers if I use NAT on the remote mikrotik to forward UDP/53 to home DNS. * this is not true anymore, it worked just briefly or I was mistaken

Basically, only the remote mikrotik DNS can't resolve from home DNS.
Is there anything obvious that I'm missing? My settings are pretty much basic, I think.
Last edited by Mihies on Sat Dec 24, 2022 9:31 pm, edited 1 time in total.
 
Mihies
just joined
Topic Author
Posts: 12
Joined: Wed Oct 28, 2015 12:30 pm

Re: Resolve DNS through Wireguard

Sat Dec 24, 2022 5:12 pm

I did some packet sniffing and wiresharking.
I've seen that the two routers do indeed communicate; it's just that home DNS is returning "129 3.638033 HOME_ROUTER_IP SOURCE_REMOTE_COMPUTER_IP DNS 82 Standard query response 0x0001 No such name PTR HOME_ROUTER_REVERSE_IP.in-addr.arpa"
Now I wonder why it can't figure out that PTR record.
 
Mihies
just joined
Topic Author
Posts: 12
Joined: Wed Oct 28, 2015 12:30 pm

Re: Resolve DNS through Wireguard

Sat Dec 24, 2022 5:14 pm

Actually, it responds in the same way for A and AAAA records even though they exist as static records.
 
Amm0
Forum Guru
Posts: 3255
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Resolve DNS through Wireguard

Sat Dec 24, 2022 6:46 pm

Now I wonder why it can't figure out that PTR record.
Any static A or AAAA entries automatically create PTR records. And if the Mikrotik is the resolver being used by the end of the WG tunnel, it works. Otherwise a public DNS is going to fail with a private address, or the ISP's in-addr.arpa record will be returned (which some ISPs don't bother with, so it very well could be missing). But I think this isn't likely a big deal.
And for some reason remote DNS can't access home DNS. The fun part is that if I try to resolve from any computer on the remote subnetwork using home DNS, it works. It also works for computers if I use NAT on the remote mikrotik to forward UDP/53 to home DNS. Basically, only the remote mikrotik DNS can't resolve from home DNS.
In theory, if each Mikrotik has its "brother's" IP listed first as the DNS server, that should work. But DNS doesn't always take the linear path. Things are cached, everywhere, so stale data is always possible when troubleshooting. And not all client DNS resolvers follow the rules, e.g. whether they actually respect/use ONLY the 1st DNS server listed. So exactly where things are getting resolved from/to can affect things dramatically too.

It's generally easier to have just one DNS server, use that one on both sides, and have DHCP also return some public DNS as backups. Ideally each DNS server should service a domain – a real domain or a fake one like ".lan" used by default, e.g. "router.lan". What you're trying to do is "cascade" a hostname and PTR lookup across two DNS servers, a reasonable request, but not really a direct feature of Mikrotik's DNS.

If you really want to maintain separate static DNS for each of "home" and "remote", it might be best to qualify all your static DNS entries with some pseudo-domain like ".home" and ".remote", or whatever you'd like, for the records stored on the respective routers. Mikrotik FWD records on each allow you to send the "foreign domain" to the other router explicitly, e.g. FWD with regex for "*.home" or "*.remote", with forward-to set to the other router's IP address, and in the DHCP server use ".home" and ".remote" in the DNS append suffix.

A script could also sync/create records between the two Mikrotiks, but I'm pretty sure using just one DNS server will make your life easier.
 
Mihies
just joined
Topic Author
Posts: 12
Joined: Wed Oct 28, 2015 12:30 pm

Re: Resolve DNS through Wireguard

Sat Dec 24, 2022 8:47 pm

Hi and thanks for info,

I found something else as well.
If I query home DNS from remote with a public hostname, it resolves it (Wireshark shows that the response is in fact from home DNS), but it doesn't store it in its cache. It looks like it's forwarding the request to public DNS, ignoring its static and dynamic cache. It feels like home DNS just passes the request through and doesn't care. Which is consistent with what I see with local home hostnames (not resolved). I really wonder in what case DNS would ignore its static and dynamic addresses.

As for why two DNS servers: I prefer it like this to have the remote network working even if wireguard fails, as it's not tightly linked to the home network. At least that's the idea. But I guess a single DNS is an option as well eventually.
 
Mihies
just joined
Topic Author
Posts: 12
Joined: Wed Oct 28, 2015 12:30 pm

Re: Resolve DNS through Wireguard

Sat Dec 24, 2022 9:29 pm

Oh, and don't forget, even if I were to go with a single DNS (local), it wouldn't work, as it is not resolving at the moment. Scratch the part where I wrote that it was working from computers; it's not anymore, for one reason or another. It worked just briefly. Basically local DNS won't resolve local hostnames when queried from the remote network through wireguard. If I query it through its public IP, then, oddly, it works.
 
Amm0
Forum Guru
Posts: 3255
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Resolve DNS through Wireguard

Sat Dec 24, 2022 10:18 pm

Totally get the idea behind wanting two DNS servers. Just saying RouterOS isn't going to help you much to integrate two of them together... If changes are infrequent, you can just copy the entries from one router to another, might be easier – let both DNS be independent (e.g. NOT know there is another one), but manually duplicate the /ip dns static entries. Using something like VRRP would let you have two servers but only one active, since you could use the VRRP address for your DHCP clients, as yet another approach.

The gestalt of DNS assumes everything has some fully-qualified domain name. Without some "top level" domain (TLD), the usual DNS scheme falls apart. DNS moves from the top level domain down to find a host name, and since Mikrotik doesn't force a TLD, it does the best it can trying to hide all this to make it simpler. So Mikrotik's DNS server static entries (/ip dns static) act BOTH like a /etc/hosts file and a "real" DNS zonefile at the SAME time, and with only one DNS server, this is fine. How the naked/domainless hostname gets resolved gets hard to predict here since it's client resolver + router config dependent.
 
Amm0
Forum Guru
Posts: 3255
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Resolve DNS through Wireguard

Sat Dec 24, 2022 10:20 pm

If I query it through its public IP, then, oddly, it works.
This sounds like the firewall rules might be blocking some paths. You might want to look at the firewall rules to make sure the WG tunnels are allowed port 53, or aren't getting misclassified as something else that is causing them to be blocked.
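As a worked version of that firewall check (an added example, not Amm0's or MikroTik's own commands), the RouterOS steps below assume the tunnel interface is called "wireguard1", the remote router's tunnel address is 10.255.0.2, and the home router still runs the default MikroTik firewall, whose input chain ends with the rule commented "defconf: drop all not coming from LAN". That rule drops anything addressed to the router itself (including its DNS on port 53) arriving on an interface that is not in the LAN list, while forwarded traffic through the router is unaffected, which is exactly the kind of "works for computers, not for the router" split this thread describes.

```routeros
# Added example (not from the thread). Assumptions: tunnel interface
# "wireguard1", remote router tunnel address 10.255.0.2, default firewall.

# 0. WireGuard drops any decrypted packet whose inner source address is not in
#    the peer's allowed-address, before the firewall ever sees it. Check that
#    the remote router's tunnel address and LAN are listed for its peer.
/interface wireguard peers print detail

# 1. Watch the input-chain drop counters while a lookup runs from remote.
/ip firewall filter print stats where chain=input and action=drop

# 2. Confirm DNS queries actually arrive on the tunnel (Ctrl-C to stop).
#    Nothing here points at routing/peer config rather than the firewall.
/tool sniffer quick interface=wireguard1 port=53

# 3a. Narrow fix: admit DNS from the remote router over the tunnel only,
#     inserted ahead of the default drop rule. Both UDP and TCP, since
#     large answers fall back to TCP.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=53 \
    in-interface=wireguard1 src-address=10.255.0.2 \
    comment="DNS (UDP) from remote router over WG" \
    place-before=[find comment="defconf: drop all not coming from LAN"]
add chain=input action=accept protocol=tcp dst-port=53 \
    in-interface=wireguard1 src-address=10.255.0.2 \
    comment="DNS (TCP) from remote router over WG" \
    place-before=[find comment="defconf: drop all not coming from LAN"]

# 3b. Broad alternative: treat the tunnel as LAN. This also opens WinBox,
#     SSH, etc. to the peer, so prefer 3a unless that is intended.
# /interface list member add interface=wireguard1 list=LAN
```

Whichever variant is used, keep the WAN side closed: with allow-remote-requests=yes the router answers DNS on every interface the input chain admits, so port 53 must stay blocked from the Internet-facing interface or the router becomes an open resolver.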
 
Amm0
Forum Guru
Posts: 3255
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Resolve DNS through Wireguard

Sat Dec 24, 2022 10:34 pm

One other note, you might want to look at the docs for DNS in the old wiki:
https://wiki.mikrotik.com/wiki/Manual:IP/DNS

It actually has an example of the "FWD" record, which is the Mikrotik way of redirecting DNS requests to another server, but it works based on a regular expression, so if there is some pattern in the names on each DNS server, you can just have a FWD record match on that "group" to send to the "brother" DNS server.
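The pseudo-domain plus FWD scheme Amm0 describes here and in the earlier post, written out as RouterOS configuration. This is an added example, not Amm0's or MikroTik's own config: the tunnel addresses 10.255.0.1 (home) and 10.255.0.2 (remote), the LAN subnets, and the hostnames are assumed values.

```routeros
# Added example (not from the thread). Assumed: WireGuard tunnel addresses
# 10.255.0.1 (home) / 10.255.0.2 (remote), home LAN 192.168.10.0/24,
# remote LAN 192.168.20.0/24.

# ---- HOME router ----
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9

/ip dns static
# Local records all carry the pseudo-domain ".home"; a static A entry also
# answers the matching PTR query automatically.
add name=router.home address=192.168.10.1
add name=nas.home    address=192.168.10.20
# Anything under ".remote" is handed to the remote router over the tunnel.
# The regex is anchored so "remotestuff.example.com" does not match.
add type=FWD regexp=".*\\.remote\$" forward-to=10.255.0.2

/ip dhcp-server network
# Clients get "home" appended to bare names, so "nas" becomes "nas.home".
set [find address=192.168.10.0/24] dns-server=192.168.10.1 domain=home

# ---- REMOTE router (mirror image) ----
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9

/ip dns static
add name=router.remote  address=192.168.20.1
add name=printer.remote address=192.168.20.30
add type=FWD regexp=".*\\.home\$" forward-to=10.255.0.1

/ip dhcp-server network
set [find address=192.168.20.0/24] dns-server=192.168.20.1 domain=remote
```

Exact-name static entries are matched before regexp entries, so each router always answers its own domain from its own table even when the tunnel is down, which keeps the independence the original poster wanted; only the "foreign" suffix depends on the peer. Public names fall through to the servers list as before. On RouterOS v7 the regexp can be replaced by name=remote match-subdomain=yes, which avoids the escaping.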
 
Mihies
just joined
Topic Author
Posts: 12
Joined: Wed Oct 28, 2015 12:30 pm

Re: Resolve DNS through Wireguard

Mon Dec 26, 2022 11:07 am

If I query it through its public IP, then, oddly, it works.
This sounds like the firewall rules might be blocking some paths. You might want to look at the firewall rules to make sure the WG tunnels are allowed port 53, or aren't getting misclassified as something else that is causing them to be blocked.
The thing is that (according to Wireshark) local DNS responds, so I guess port 53 isn't blocked. One thing that seems odd to me (ok, one of the things) is that I can't see UDP packets (Sniffer) or connections (Torch) when resolving DNS from remote (through wireguard).
I'm using 'nslookup HOSTNAME LOCAL_ROUTER_IP' from remote computer.
 
Amm0
Forum Guru
Posts: 3255
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Resolve DNS through Wireguard

Mon Dec 26, 2022 2:09 pm

I take it Wireshark is using the DNS server you expect (e.g. one of your two). Most DNS queries use UDP, including nslookup. So it would seem UDP works from remote to the DNS server being used. Or is Wireshark also reporting TCP is being used?
 
Amm0
Forum Guru
Posts: 3255
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Resolve DNS through Wireguard

Mon Dec 26, 2022 2:15 pm

It might help here if you posted a sanitized version of the configs and/or some diagram. DNS has a very specific method of operation, and trying to do a naked hostname lookup across two DNS servers is fighting how DNS is supposed to work. Kinda flying blind now to guess at what's actually going on.

One tip here is you can run "nslookup", then at the command line type "server <MT_DNS_SERVER>", then do your lookup. You can test each of your servers that way to confirm what's resolving where, from the remote's POV.
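The same per-server check can be run from the remote router itself instead of from a client's nslookup, using RouterOS's :resolve with an explicit server. This is an added example, not Amm0's or MikroTik's own script; the server addresses and the ".home"/".remote" names are assumed.

```routeros
# Added example (not from the thread). Run on the REMOTE router to see which
# server answers which name. Assumed: home router tunnel address 10.255.0.1,
# remote router LAN address 192.168.20.1, names under ".home" / ".remote".
:local servers {10.255.0.1; 192.168.20.1; 1.1.1.1}
:local names   {"nas.home"; "printer.remote"; "www.mikrotik.com"}

:foreach srv in=$servers do={
    :foreach n in=$names do={
        # :resolve raises an error when the chosen server returns no answer,
        # so each lookup is wrapped to keep the loop going.
        :do {
            :local addr [:resolve $n server=$srv]
            :put "$srv answers $n -> $addr"
        } on-error={
            :put "$srv cannot resolve $n"
        }
    }
}

# Flush the remote router's own cache and repeat, so a stale cached answer
# does not mask a path that is actually broken (see the caching caveat above).
/ip dns cache flush
```

Reading the matrix: the home tunnel address should answer ".home" names and the public name but not ".remote"; the local router should answer everything via its own table, its FWD record, and its upstream servers; the public resolver should answer only the public name. Any cell that deviates tells you which hop is misbehaving.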
 
Mihies
just joined
Topic Author
Posts: 12
Joined: Wed Oct 28, 2015 12:30 pm

Re: Resolve DNS through Wireguard

Mon Dec 26, 2022 3:27 pm

Problem solved. It was an improperly configured Address for wireguard issue. A sneaky one, since it mostly worked except when accessing the router. And thanks for your support.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Resolve DNS through Wireguard

Mon Dec 26, 2022 4:18 pm

The only thing sneaky about it was your lack of posting a config, it probably would have been spotted upon first review.
Next time,.......... you know what to do.
 
Mihies
just joined
Topic Author
Posts: 12
Joined: Wed Oct 28, 2015 12:30 pm

Re: Resolve DNS through Wireguard

Fri Dec 30, 2022 5:52 pm

Understood.
