nikk
just joined
Topic Author
Posts: 12
Joined: Thu Jul 02, 2020 6:22 am

Multiple remote sites DNS solution, without Static DNS entries

Tue Feb 21, 2023 5:52 am

Hi All,

This is a scenario with multiple sites. Each site is connected to the other with WireGuard. Each site is configured to use public DNS. Static DNS entries are added to each router to point to devices on the other sites.

The question is, How can I avoid using static DNS entries? Can I add each router's IP address into the DNS setting for all the sites in addition to the public DNS address? Appreciate some advice.

Thanks
Nikk
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Multiple remote sites DNS solution, without Static DNS entries

Tue Feb 21, 2023 2:25 pm

It doesn't seem very clear, so I'm just guessing...

Do you mean local hostnames like workstation1.site1.lan on one router, server1.site2.lan on another, etc? The proper solution would be to run real DNS server(s), i.e. not something RouterOS can do. It could also work with FWD records (not real records but pointers to different servers). But it would require some consistent system where you could say that the first site has hostnames *.site1.lan, the second one has *.site2.lan, etc. Then you could easily point the whole thing to the right router. If it's something mixed like server1.lan on site one, server2.lan on site two, server3.lan again on site one, it wouldn't work like this. You definitely can't just put addresses of all routers in /ip dns set servers=xxx.
 
Amm0
Forum Guru
Posts: 3255
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Multiple remote sites DNS solution, without Static DNS entries

Tue Feb 21, 2023 3:18 pm

Sob is right.

But if each site uses a subdomain, you can add a FWD record to send the subdomain to a specific Mikrotik. It could end in a real domain or Mikrotik .lan (or home.arpa per RFC8375) — but some "site name" needs to be in between the hostname and the top-level domain for it to work. DNS 101.

For example, three sites below (Rome, Montreal, Rio), each has Mikrotik DNS at the site, and lists the devices local to that site in the local Mikrotik DNS. There are also FWD entries to do lookups based on the domain name, so if a subdomain is found, the DNS request will be sent to that server. The FWD record is what sends requests to another DNS; it uses a regex, so you can use it to look for the subdomain. The real way is to do this with SOA and NS records, but the RouterOS FWD method will work, I think.

Also, if DHCP sets the domain name to the local site's subdomain, like "rome.lan", something like "printer" would resolve to printer.rome.lan automatically (the OS appends the domain to the search if a bare name like "printer" isn't found). If the client went to the Rio office and used "printer", they'd get printer.rio.lan.

Something like this:

Mikrotik Static DNS in "Rome"
router.rome.lan. A 10.1.1.1
printer.rome.lan. A 10.1.1.100
*.montreal.lan FWD 10.2.2.1
*.rio.lan FWD 10.3.3.1

... "Montreal"
router.montreal.lan. A 10.2.2.1
printer.montreal.lan. A 10.2.2.100
camera.montreal.lan. A 10.2.2.200
*.rome.lan FWD 10.1.1.1
*.rio.lan FWD 10.3.3.1

... "Rio"
router.rio.lan. A 10.3.3.1
printer.rio.lan. A 10.3.3.100
nas.rio.lan. A 10.3.3.200
*.montreal.lan FWD 10.2.2.1
*.rome.lan FWD 10.1.1.1
 
pe1chl
Forum Guru
Posts: 10196
Joined: Mon Jun 08, 2015 12:09 pm

Re: Multiple remote sites DNS solution, without Static DNS entries

Tue Feb 21, 2023 4:16 pm

A solution that probably will have more longevity is to use a subdomain of your public DNS name, and put the records there.
E.g. if your company uses example.com as their name, put the addresses under hostname.location.example.com or hostname.lan.example.com when there is no need to separate them by location.
What you do in "static DNS name" inside the router will at some point in time all cease to work or become unreliable.
(because you will have devices that ignore your local resolver address in DHCP, will query 8.8.8.8 etc. directly, or will use DoT or DoH)
 
Amm0
Forum Guru
Posts: 3255
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Multiple remote sites DNS solution, without Static DNS entries

Tue Feb 21, 2023 7:26 pm

I was not advocating the approach ;)... more explaining. Trying to highlight that OP should use subdomains, since the request is a little vague.

I should have been clearer that using subdomains of a real domain (printer.rome.example.com) would make this approach much better. But with multiple sites you'd be better off with a "real" (e.g. standards-compliant) DNS server.

If the Mikrotik can run containers, you can run BIND9 in a container to avoid the /ip/dns stuff, but still have local DNS at a site. And doing proper delegation (and subdomains) using BIND would work too.
 
pe1chl
Forum Guru
Posts: 10196
Joined: Mon Jun 08, 2015 12:09 pm

Re: Multiple remote sites DNS solution, without Static DNS entries

Tue Feb 21, 2023 7:54 pm

In my reply I assumed that the company already had a registered domain with DNS hosting on internet, and it is possible for the admin to add DNS records e.g. using a web-based DNS editor. That is quite a common scenario these days. The same DNS service is used to configure the public webserver, mail MX records, SPF/DKIM/DMARC records, etc etc.
As you usually have that service available anyway, and the MikroTik can reach it via its resolver, it is often easiest to just use that.
(of course it means you are dependent on internet for the local DNS resolution to work, so you may not be able to print when internet is down, but today that is usually not really an issue because so few things are independent of internet anyway. certainly in the scenario where a VPN is used :) )
 
Amm0
Forum Guru
Posts: 3255
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Multiple remote sites DNS solution, without Static DNS entries

Tue Feb 21, 2023 8:31 pm

100% agree. That's what I do for a lot of things: some web-based DNS is often free with a domain, create the records there, and set the domain name in DHCP on the mikrotik side.

If you add the RFC-6763 "b._dns-sd._udp @" stuff in the "real domain", all the DNS-SD/mDNS/Bonjour discovery (e.g. AirPrint, etc.) stuff comes for free – which you can't do in /ip/dns since they don't have PTR records (opened a bug 2 years ago for that).

I don't think private IPs in public DNS are a huge problem, as long as zone transfers are not enabled. But reasonable minds disagree, so there's still a place for local DNS I think.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Multiple remote sites DNS solution, without Static DNS entries

Tue Feb 21, 2023 8:54 pm

Some resolvers may filter private addresses. It's some trouble everywhere you look, we should scrap it all and move to all-public IPv6. :)
 
Amm0
Forum Guru
Posts: 3255
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Multiple remote sites DNS solution, without Static DNS entries

Tue Feb 21, 2023 10:00 pm

> Some resolvers may filter private addresses.
Compared to worries about AAAA records in /ip/dns?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Multiple remote sites DNS solution, without Static DNS entries

Tue Feb 21, 2023 11:09 pm

I'm not sure what you mean.
 
pe1chl
Forum Guru
Posts: 10196
Joined: Mon Jun 08, 2015 12:09 pm

Re: Multiple remote sites DNS solution, without Static DNS entries

Tue Feb 21, 2023 11:57 pm

> Some resolvers may filter private addresses.
RouterOS cannot do that, even when others recommend it (rebind protection).
However, most resolvers that offer this have a possibility for domain(s) to be exempted from that.
 
Amm0
Forum Guru
Posts: 3255
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Multiple remote sites DNS solution, without Static DNS entries

Wed Feb 22, 2023 12:17 am

> I'm not sure what you mean.
It was a joke. More saying, weighing the risks...
1. Some intermediate DNS resolver blocking a private subnet address returned in a query, OR
2. Mikrotik DNS returning the wrong results due to a bug and/or "a misunderstanding of how /ip/dns works"
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Multiple remote sites DNS solution, without Static DNS entries

Wed Feb 22, 2023 2:00 am

What I meant is that when one would add internal records in public DNS, in order to solve the problem with DoH and other ways devices can bypass local data, they might end up using some resolver that filters records with private addresses. So you solve one problem, but hit another.

As for MikroTik's bugs, we can't have everything. For years they didn't touch DNS and nothing broke, but it wasn't all that great either.
 
nikk
just joined
Topic Author
Posts: 12
Joined: Thu Jul 02, 2020 6:22 am

Re: Multiple remote sites DNS solution, without Static DNS entries

Wed Feb 22, 2023 5:37 am

> server1.lan on site one, server2.lan on site two, server3.lan again on site one
Hi @Sob, the above is what the current scenario is.

Thanks all, for the replies. Redesigning the domain structure on an existing setup is a lot, therefore, will avoid that for now. Utilizing the DNS hosting service of the registered domain is an option I will look at.

At this moment, as a quick workaround to reduce maintenance on the static list, I created a dstnat on a Remote router to redirect UDP traffic to the Main router and maintain the DNS entries on the Main router.

[chain=dstnat action=dst-nat to-addresses=<Main-router-IP> to-ports=53 protocol=udp in-interface-list=!WAN dst-port=53 log=yes log-prefix=""]

Question:-
1. With the redirecting traffic approach shown above, does that mean that the originating router's DNS server setting will be totally ignored OR will it be used either in parallel or as a fallback if the redirect doesn't resolve the query or when the link to the Main router site is down?

2. DHCP only assigns router IP to the clients. Will having the DHCP assignment include both the router IP and public DNS IPs, mitigate the issue when the redirecting approach fails?

Thanks
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Multiple remote sites DNS solution, without Static DNS entries

Wed Feb 22, 2023 6:34 pm

Dstnat is not good, because it redirects everything, without any fallback. If you have at least common TLD (e.g. .lan), then with recent enough RouterOS (v7), you can do this on other routers:
/ip dns static
add name=lan type=FWD match-subdomain=yes forward-to=<main router>
and it will forward *.lan to main router and everything else will use locally configured resolvers. This will help you to avoid temptation to give mix of private and public resolvers to clients, because it doesn't work well at all (it may seem fine at first, but sooner or later you'd see "strange" failures for internal domain).
 
nikk
just joined
Topic Author
Posts: 12
Joined: Thu Jul 02, 2020 6:22 am

Re: Multiple remote sites DNS solution, without Static DNS entries

Thu Mar 02, 2023 4:36 am

Thanks everyone for the tips.

@Sob, the static DNS entry with FWD type worked for client DNS lookup. But I didn't use it because it broke my WireGuard connectivity, which also has endpoints with the same domain (WireGuard is what connects the remote site to the main DNS site). So WireGuard needed to go through the public DNS to establish the connection first before the static DNS FWD entry could work.

Therefore, I still ended up with the Dstnat option, but added the Layer7 Protocol regex \\x08domain\\x03com.\\x01. If I understand correctly, the Dstnat only works for traffic generated from clients behind a router. Output traffic generated from within a router (e.g. WireGuard) does not go through any Dstnat rules. Will see how that goes.
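The Layer7 regex in the post above keys on how a DNS question is laid out on the wire: each label is preceded by a byte holding its length, the name ends with a zero byte, and the query type follows. The block below is an added example, not code from the thread or from MikroTik; it builds a minimal UDP DNS query, decodes the question name back out of it, and derives a Layer7-style pattern for a domain (corp.example and the other names are constructed placeholders) that is anchored on the length bytes and the terminator, so that a sibling name such as notcorp.example or a longer name such as corp.example.org does not match.

```python
import re
import struct

# Added example (not from the thread): DNS question wire format and a
# Layer7-style regex that selects queries for one domain and its subdomains.
# All domain names used here are constructed placeholders.


def encode_qname(name: str) -> bytes:
    """Encode a DNS name as length-prefixed labels ending in a zero byte,
    e.g. 'corp.example' -> b'\\x04corp\\x07example\\x00'."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label {label!r}")
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal UDP DNS query payload: 12-byte header followed by one
    question (QNAME, QTYPE, QCLASS=IN). qtype 1 is A, 28 is AAAA."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def question_name(payload: bytes) -> str:
    """Decode the QNAME of a query payload (questions never use compression)."""
    pos, labels = 12, []
    while payload[pos] != 0:
        n = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)


def l7_pattern(domain: str) -> str:
    """Return a regex, spelled the way a RouterOS Layer7 pattern is typed,
    matching QNAMEs equal to `domain` or any subdomain of it. Keying on the
    label-length bytes and the terminating zero byte keeps 'notcorp.example'
    and 'corp.example.org' from matching 'corp.example'."""
    parts = domain.rstrip(".").split(".")
    return "".join(f"\\x{len(p):02x}{re.escape(p)}" for p in parts) + "\\x00"


def query_matches(payload: bytes, domain: str) -> bool:
    """True if the DNS payload carries a question for `domain` or a subdomain."""
    return re.search(l7_pattern(domain).encode("ascii"), payload) is not None


if __name__ == "__main__":
    pattern = l7_pattern("corp.example")
    for qname in ("vpn.corp.example", "corp.example.org", "notcorp.example"):
        q = build_query(qname)
        print(f"{qname:18} decoded={question_name(q):18} "
              f"matches {pattern!r}: {query_matches(q, 'corp.example')}")
```

Two caveats apply when the same idea is used in a firewall: Layer7 matching inspects packet payload, so it costs more than a plain dst-port match, and a pattern that simply contains the domain text without the length bytes (for example `corp\.example`) will also catch unrelated names that merely embed that string.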
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Multiple remote sites DNS solution, without Static DNS entries  [SOLVED]

Sat Mar 04, 2023 6:50 am

I can't test it now, but doesn't something like this work?
/ip dns static
add name=lan type=FWD match-subdomain=yes forward-to=<main router>
add name=something.more.specific.lan type=A address=<address>
add name=another.more.specific.lan type=FWD forward-to=<another resolver>
My guess/expectation is that it should. As for dstnat for router's output, it's possible too: viewtopic.php?p=922954#p922954
 
nikk
just joined
Topic Author
Posts: 12
Joined: Thu Jul 02, 2020 6:22 am

Re: Multiple remote sites DNS solution, without Static DNS entries

Thu Mar 09, 2023 8:16 am

Thanks @sob,

The Static DNS type=FWD approach did work as well. I missed the fact that the static DNS list is looked up from top to bottom. So I now have the WireGuard endpoint DNS entry pointing to a public resolver at the top of the list and the type=FWD entry below it. That solved the problem in my case. This approach looks simpler than the dstnat approach.

Cheers
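To make the two behaviours discussed in this thread concrete, the block below is an added example (not from the thread, not RouterOS code) that models a static DNS list the way nikk reports it working: entries are scanned top to bottom and the first matching name decides whether the query is answered locally (A), forwarded (FWD, with match-subdomain covering the subtree), or passed to the router's ordinary upstream resolver. It encodes Amm0's Rome table from earlier in the thread, with the "*.montreal.lan" rows expressed as name=montreal.lan match-subdomain=yes in Sob's later syntax, and then reproduces the ordering problem nikk hit: a VPN endpoint under the same domain that is forwarded to the main router. The 203.0.113.53 resolver, the corp.example domain and vpn.corp.example are constructed placeholders.

```python
from typing import List, NamedTuple

# Added example (not from the thread): a toy model of a RouterOS-style static
# DNS list, scanned top to bottom with the first matching entry deciding the
# outcome, as nikk reported. Addresses and names are constructed placeholders.


class Entry(NamedTuple):
    name: str                   # "printer.rome.lan" or, with match_subdomain, "montreal.lan"
    type: str                   # "A" or "FWD"
    target: str                 # address for A, forwarder address for FWD
    match_subdomain: bool = False   # models RouterOS match-subdomain=yes


class Decision(NamedTuple):
    action: str                 # "answer" (local A record), "forward", or "resolver"
    target: str                 # the address answered, or the server asked


def _matches(entry: Entry, qname: str) -> bool:
    q, n = qname.rstrip(".").lower(), entry.name.rstrip(".").lower()
    return q == n or (entry.match_subdomain and q.endswith("." + n))


def lookup(entries: List[Entry], qname: str, default_resolver: str) -> Decision:
    """The first entry (top to bottom) whose name matches decides; anything
    unmatched goes to the router's ordinary upstream resolver."""
    for e in entries:
        if _matches(e, qname):
            return Decision("answer" if e.type == "A" else "forward", e.target)
    return Decision("resolver", default_resolver)


def shadowed(entries: List[Entry]) -> List[Entry]:
    """Entries that can never match because an earlier entry already covers
    their own name: a cheap check before committing a list to a router."""
    return [e for i, e in enumerate(entries)
            if any(_matches(prev, e.name) for prev in entries[:i])]


PUBLIC = "203.0.113.53"   # constructed: a public resolver
MAIN = "10.1.1.1"         # constructed: main-site router, reached over WireGuard

# Amm0's Rome site: local A records plus FWD entries for the other two sites.
ROME = [
    Entry("router.rome.lan", "A", "10.1.1.1"),
    Entry("printer.rome.lan", "A", "10.1.1.100"),
    Entry("montreal.lan", "FWD", "10.2.2.1", match_subdomain=True),
    Entry("rio.lan", "FWD", "10.3.3.1", match_subdomain=True),
]

# nikk's remote site: the WireGuard endpoint lives under the same domain that
# is forwarded to the main router, which is only reachable once the tunnel is up.
REMOTE_BROKEN = [
    Entry("corp.example", "FWD", MAIN, match_subdomain=True),
    Entry("vpn.corp.example", "FWD", PUBLIC),   # never reached: shadowed by the line above
]
REMOTE_FIXED = [
    Entry("vpn.corp.example", "FWD", PUBLIC),   # specific entry first, so it wins
    Entry("corp.example", "FWD", MAIN, match_subdomain=True),
]


if __name__ == "__main__":
    for q in ("printer.montreal.lan", "printer.rome.lan", "www.example.com"):
        print("Rome:", q, "->", lookup(ROME, q, PUBLIC))
    for label, table in (("broken", REMOTE_BROKEN), ("fixed", REMOTE_FIXED)):
        print(label, "vpn.corp.example ->", lookup(table, "vpn.corp.example", PUBLIC),
              "| shadowed:", [e.name for e in shadowed(table)])
```

The `shadowed` check is the part worth keeping around: whenever a broad FWD entry with match-subdomain sits above a more specific one, the specific entry is dead configuration, which is exactly the failure nikk saw until the endpoint entry was moved to the top.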
