moveik
Frequent Visitor
Topic Author
Posts: 54
Joined: Tue Nov 24, 2020 1:16 am

dns-server IP in VLAN tutorial

Fri Mar 24, 2023 5:35 pm

The VLAN tutorial has the "Router-Switch-AP (all in one)" configuration, see:
viewtopic.php?f=13&t=143620#p706998

The post has a file attached, "RouterSwitchAP.rsc".
That file has the following code snippet:
# Blue VLAN interface creation, IP assignment, and DHCP service
# ... <omitted for clarity>
/ip dhcp-server network add address=10.0.10.0/24 dns-server=192.168.0.1 gateway=10.0.10.1

# Green VLAN interface creation, IP assignment, and DHCP service
# ... <omitted for clarity>
/ip dhcp-server network add address=10.0.20.0/24 dns-server=192.168.0.1 gateway=10.0.20.1

# Optional: Create a DHCP instance for BASE_VLAN. Convenience feature for an admin.
# ... <omitted for clarity>
# /ip dhcp-server network add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
Notice that the "dns-server" option is identical in all VLANs and equals the IP address of "BASE_VLAN" (which is the management VLAN).


I have two questions about it:


1. Why would non-management VLANs need to access the management VLAN just for DNS service?

2. Is it OK to have each VLAN refer to its own IP address?
Meaning, is it OK to change the "dns-server" to this:
# Blue VLAN interface creation, IP assignment, and DHCP service
# ... <omitted for clarity>
/ip dhcp-server network add address=10.0.10.0/24 dns-server=10.0.10.1 gateway=10.0.10.1

# Green VLAN interface creation, IP assignment, and DHCP service
# ... <omitted for clarity>
/ip dhcp-server network add address=10.0.20.0/24 dns-server=10.0.20.1 gateway=10.0.20.1

# Optional: Create a DHCP instance for BASE_VLAN. Convenience feature for an admin.
# ... <omitted for clarity>
# /ip dhcp-server network add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
 
pcunite
Forum Guru
Posts: 1345
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: dns-server IP in VLAN tutorial

Fri Mar 24, 2023 5:52 pm

Well, you'll have to forgive me for doing that. What I show works, naturally because we are dealing with a Router/Firewall device that has full control of everything and we are in total control of the hardware. There is a firewall rule ensuring it works. It would be proper, or maybe I should say, more clearly defined if DNS always pointed to the route out for each VLAN, as you ask about 10.0.10.1, 10.0.20.1, etc. That is a perfectly acceptable, maybe even proper, answer.

But, why did I not do that? At the time I thought it would make for faster DNS queries that are occurring from everything in the environment. However, this is a totally untested theory I'm not prepared to defend or care about. I did not fully research that concept at the time to think about what it should be. I knew that MGMT (Base Vlan) used DNS (ntp coming from APs and switches) and because I often force any DNS queries in the environment to use the Router/DNS running instance, I had the untested notion that maybe this was "faster" if everything was direct, less hops, etc.

Some people use their own DNS servers or even Public DNS (9.9.9.9) and so you've got a nod to that here as well.
 
Amm0
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: dns-server IP in VLAN tutorial

Fri Mar 24, 2023 5:59 pm

Fewer firewall rules are better. And the DNS server does listen on all interfaces.
 
pcunite
Forum Guru
Posts: 1345
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: dns-server IP in VLAN tutorial

Fri Mar 24, 2023 6:15 pm

force any DNS queries in the environment to use the Router/DNS running instance

Following up to myself here. In the VLAN examples, I don't show this concept, but made arrangements for it because when doing so I thought it easier and faster to use one IP address in a mangle rule vs. accounting for all IP address schemes in use. Anyway, it's a concept and thought that is outside of the VLAN articles, and that's why it is confusing.

If you really want to redirect DNS queries in your environment, it might make more sense to do what I've shown.
 
moveik
Frequent Visitor
Topic Author
Posts: 54
Joined: Tue Nov 24, 2020 1:16 am

Re: dns-server IP in VLAN tutorial

Fri Mar 24, 2023 6:35 pm

Well, you'll have to forgive me for doing that. What I show works, naturally because we are dealing with a Router/Firewall device that has full control of everything and we are in total control of the hardware. There is a firewall rule ensuring it works.
No worries (:
I'm here to study from the wiser.

Which firewall rule ensures that it works?
Assuming that "Green VLAN" (10.0.20.0/24) wants DNS service, then it needs to access BASE_VLAN (192.168.0.0/24).
These are distinct networks, thus the packet would go through the "forward" chain.
The file "RouterSwitchAP.rsc" has the following firewall rules which are associated to "forward" chain:
add chain=forward action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow all VLANs to access the Internet only, NOT each other
add chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="VLAN Internet Access only"

add chain=forward action=drop comment="Drop"
Though nothing seems to match the packet (aside from the last rule, which drops it).


It would be proper, or maybe I should say, more clearly defined if DNS always pointed to the route out for each VLAN, as you ask about 10.0.10.1, 10.0.20.1, etc. That is a perfectly acceptable, maybe even proper, answer.
Great!
Then I prefer to leave the "dns-server" in the same network for each VLAN.
(e.g. "Green VLAN" has "dns-server"=10.0.20.1 etc.)


But, why did I not do that? At the time I thought it would make for faster DNS queries that are occurring from everything in the environment. However, this is a totally untested theory I'm not prepared to defend or care about. I did not fully research that concept at the time to think about what it should be. I knew that MGMT (Base Vlan) used DNS (ntp coming from APs and switches) and because I often force any DNS queries in the environment to use the Router/DNS running instance, I had the untested notion that maybe this was "faster" if everything was direct, less hops, etc.
I thought that if a packet needs to get to another network, then it probably adds more hops (i.e. isn't direct), no?
To me it seems that if I set the "dns-server" to the same network, then it would be direct because the packet would go through the "input" chain immediately instead of being routed to the management VLAN network and later to the "input" chain.

Some people use their own DNS servers or even Public DNS (9.9.9.9) and so you've got a nod to that here as well.
"Their own DNS servers" probably still fetch the DNS data either from ISP's DNS server or global DNS servers like 9.9.9.9 which you noted.
I don't know whether these global DNS servers are fast.
Though we can always periodically sample them with a script.

Fewer firewall rules are better. And the DNS server does listen on all interfaces.
Great!
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: dns-server IP in VLAN tutorial

Fri Mar 24, 2023 6:44 pm

No need to dissect the VLAN config oriented approach for your focused firewall questions.
Its simple,

ONLY the ADMIN needs access TO THE ROUTER for config.
Users ONLY need access to ROUTER SERVICES.

CAPICHE?

How you want to set that up for your own device is up to you.
A simple approach that works is:

add action=accept chain=input in-interface-list=LAN src-address-list=Authorized
add action=accept chain=input in-interface-list=LAN dst-port=53,123 protocol=udp
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input
 
Amm0
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: dns-server IP in VLAN tutorial

Fri Mar 24, 2023 6:56 pm

"Their own DNS servers" probably still fetch the DNS data either from ISP's DNS server or global DNS servers like 9.9.9.9 which you noted.
Just to complete the DNS options, if the desire is for DHCP clients to use public/ISP DNS directly...
leaving the DHCP server's dns-server field empty (e.g. not setting anything) will cause DHCP to return the servers that are configured in /ip/dns to DHCP clients. This allows you to set DNS servers in one place, to be used by any DHCP server that has a network with the DNS field blank. And depending on whether the DNS "allow remote connection" is enabled/disabled, the DHCP client will include/exclude the router's IP automatically.

I would NOT put this in the "recommended" track, but it's another option in the VLAN DNS topic. Devices/clients do actually cache DNS as well; that doesn't help with a large LAN, but a few devices directly doing DNS is not going to affect a high-bandwidth connection... Also, sometimes end-user devices do their own DoH, etc. anyway and ignore the DHCP-provided DNS servers, so you can't really count on ALL DNS going through the router – likely why the DNS redirection stuff is NOT in @pcunite's guide ;).
 
Amm0
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: dns-server IP in VLAN tutorial

Fri Mar 24, 2023 6:57 pm

No need to dissect the VLAN config oriented approach for your focused firewall questions.
But the idea is that you don't need those rules if each VLAN uses its own VLAN's router IP.
 
pcunite
Forum Guru
Posts: 1345
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: dns-server IP in VLAN tutorial

Sat Mar 25, 2023 12:24 am

Which firewall rule ensures that it works? ... These are distinct networks, thus the packet would go through the "forward" chain.

Actually, any packet intended for the router itself (stated here as entering the router) must involve the input chain. Therefore the appropriate rule appears in the examples as the second input rule:

# Allow VLANs to access router services like DNS, etc.
add chain=input action=accept in-interface-list=VLAN comment="Allow VLAN"


Note that firewall rules in the article series are secondary to illustrating the VLAN concept. So, while they are fully functional they are not meant to explain all firewalling concepts one might need. The rule shown restricts DNS to anything coming from a VLAN interface. So, you could use any ip address that is configured on them, and that rule will allow it.
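The two points made in this thread lend themselves to a small simulation: pcunite's explanation that any packet addressed to an IP the router owns (another VLAN's gateway included) is handled by the "input" chain rather than "forward", and the contrast between the tutorial's "Allow VLAN" input rule and anav's service-only input rules posted earlier. The Python below is an added example, not code from the thread, the tutorial or MikroTik; it models only the matchers the quoted rules use. The hosts 10.0.20.7, 192.168.0.50 and 192.168.0.20, TCP port 8291 (Winbox) and the established/related accept plus final drop around the quoted "Allow VLAN" rule are assumptions, and the tutorial's management-VLAN input rule is not quoted here and so is not modelled.

```python
"""Toy model of RouterOS chain selection and firewall evaluation (added example).

Not code from the thread, the tutorial or MikroTik. Assumed, not from the thread:
hosts 10.0.20.7, 192.168.0.50 and 192.168.0.20, TCP port 8291 (Winbox), and the
established/related accept and final drop around the quoted "Allow VLAN" rule.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ROUTER_ADDRESSES = {"BASE_VLAN": "192.168.0.1/24", "BLUE_VLAN": "10.0.10.1/24",
                    "GREEN_VLAN": "10.0.20.1/24"}          # tutorial address plan
INTERFACE_LISTS = {"VLAN": {"BLUE_VLAN", "GREEN_VLAN"},
                   "LAN": {"BASE_VLAN", "BLUE_VLAN", "GREEN_VLAN"}, "WAN": {"ether1"}}
ADDRESS_LISTS = {"Authorized": [ip_network("192.168.0.50/32")]}  # assumed admin host


@dataclass(frozen=True)
class Packet:
    in_interface: str
    src: str
    dst: str
    protocol: str
    dst_port: int
    connection_state: str = "new"


@dataclass(frozen=True)
class Rule:
    chain: str
    action: str
    in_interface_list: str | None = None
    out_interface_list: str | None = None
    src_address_list: str | None = None
    protocol: str | None = None
    dst_ports: frozenset | None = None
    connection_state: frozenset | None = None


def out_interface_for(dst: str) -> str:
    """Route lookup: the directly connected VLAN holding dst, else the WAN port."""
    addr = ip_address(dst)
    for iface, cidr in ROUTER_ADDRESSES.items():
        if addr in ip_network(cidr, strict=False):
            return iface
    return "ether1"


def chain_for(pkt: Packet) -> str:
    """'input' when dst is one of the router's own addresses, else 'forward'."""
    own = {ip_address(c.split("/")[0]) for c in ROUTER_ADDRESSES.values()}
    return "input" if ip_address(pkt.dst) in own else "forward"


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every matcher set on the rule must hold; unset matchers match anything."""
    if rule.connection_state and pkt.connection_state not in rule.connection_state:
        return False
    if rule.in_interface_list and pkt.in_interface not in INTERFACE_LISTS[rule.in_interface_list]:
        return False
    if rule.out_interface_list and out_interface_for(pkt.dst) not in INTERFACE_LISTS[rule.out_interface_list]:
        return False
    if rule.src_address_list and not any(ip_address(pkt.src) in n for n in ADDRESS_LISTS[rule.src_address_list]):
        return False
    if rule.protocol and rule.protocol != pkt.protocol:
        return False
    return rule.dst_ports is None or pkt.dst_port in rule.dst_ports


def verdict(rules: list[Rule], pkt: Packet) -> tuple[str, str]:
    """First matching rule in the packet's chain wins; no match means accept."""
    chain = chain_for(pkt)
    for rule in rules:
        if rule.chain == chain and matches(rule, pkt):
            return chain, rule.action
    return chain, "accept"   # RouterOS default when nothing matches


EST = frozenset({"established", "related"})
FORWARD_RULES = [  # forward chain exactly as quoted from RouterSwitchAP.rsc
    Rule("forward", "accept", connection_state=EST),
    Rule("forward", "accept", connection_state=frozenset({"new"}),
         in_interface_list="VLAN", out_interface_list="WAN"),
    Rule("forward", "drop"),
]
TUTORIAL_RULES = [
    Rule("input", "accept", connection_state=EST),        # assumed first input rule
    Rule("input", "accept", in_interface_list="VLAN"),    # "Allow VLAN", quoted above
    Rule("input", "drop"),                                # assumed final drop
] + FORWARD_RULES
LEAST_PRIV_RULES = [  # anav's input rules, paired with the same forward chain
    Rule("input", "accept", in_interface_list="LAN", src_address_list="Authorized"),
    Rule("input", "accept", in_interface_list="LAN", protocol="udp", dst_ports=frozenset({53, 123})),
    Rule("input", "accept", in_interface_list="LAN", protocol="tcp", dst_ports=frozenset({53})),
    Rule("input", "drop"),
] + FORWARD_RULES

# Constructed sample traffic (hosts and the Winbox port are assumptions).
DNS_TO_BASE_GW = Packet("GREEN_VLAN", "10.0.20.7", "192.168.0.1", "udp", 53)     # the question asked
DNS_TO_OWN_GW = Packet("GREEN_VLAN", "10.0.20.7", "10.0.20.1", "udp", 53)        # per-VLAN gateway as DNS
DNS_TO_BASE_HOST = Packet("GREEN_VLAN", "10.0.20.7", "192.168.0.20", "udp", 53)  # DNS on a separate host
WINBOX_FROM_GREEN = Packet("GREEN_VLAN", "10.0.20.7", "192.168.0.1", "tcp", 8291)
WINBOX_FROM_ADMIN = Packet("BASE_VLAN", "192.168.0.50", "192.168.0.1", "tcp", 8291)

if __name__ == "__main__":
    print(verdict(TUTORIAL_RULES, DNS_TO_BASE_GW), verdict(LEAST_PRIV_RULES, WINBOX_FROM_GREEN))
```

Running it shows the thread's conclusion: DNS from Green to 192.168.0.1 is classified as "input" and accepted by the "Allow VLAN" rule, so no forward rule is ever consulted; only when DNS lives on a separate host in BASE_VLAN (192.168.0.20) does the packet hit "forward" and get dropped. The same "Allow VLAN" rule also accepts a Winbox connection from a Green host, which anav's rule set drops while still admitting DNS/NTP and the Authorized admin host.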
 
moveik
Frequent Visitor
Topic Author
Posts: 54
Joined: Tue Nov 24, 2020 1:16 am

Re: dns-server IP in VLAN tutorial

Sat Mar 25, 2023 3:16 pm

No need to dissect the VLAN config oriented approach for your focused firewall questions.
Its simple,

ONLY the ADMIN needs access TO THE ROUTER for config.
Users ONLY need access to ROUTER SERVICES.

CAPICHE?

How you want to set that up for your own device is up to you.
A simple approach that works is:

add action=accept chain=input in-interface-list=LAN src-address-list=Authorized
add action=accept chain=input in-interface-list=LAN dst-port=53,123 protocol=udp
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input
Crystal clear 👍
No need to dissect the VLAN config oriented approach for your focused firewall questions.
But the idea is that you don't need those rules if each VLAN uses its own VLAN's router IP.
Yes
Which firewall rule ensures that it works? ... These are distinct networks, thus the packet would go through the "forward" chain.

Actually, any packet intended for the router itself (stated here as entering the router) must involve the input chain. Therefore the appropriate rule appears in the examples as the second input rule:

# Allow VLANs to access router services like DNS, etc.
add chain=input action=accept in-interface-list=VLAN comment="Allow VLAN"


Note that firewall rules in the article series are secondary to illustrating the VLAN concept. So, while they are fully functional they are not meant to explain all firewalling concepts one might need. The rule shown restricts DNS to anything coming from a VLAN interface. So, you could use any ip address that is configured on them, and that rule will allow it.
Right.
I notice that if any of the router's interfaces is the destination of the IP packet, then the packet goes through the "input" chain.
That includes the scenario which I described earlier, i.e.:
Assuming that "Green VLAN" (10.0.20.0/24) wants DNS service, then it needs to access BASE_VLAN (192.168.0.0/24).
Because a DNS packet from "Green VLAN" will have destination 192.168.0.1, which is the address of the "BASE_VLAN" interface, which is an interface of the router.
So, contrary to my initial belief, the packet actually goes through the "input" chain (and not through the "forward" chain).

I prefer to avoid any use of IP addresses.
If I use IP addresses in firewall rules, it would make my configs less robust.
A better approach in my opinion is to use VLAN interfaces names.
 
pcunite
Forum Guru
Posts: 1345
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: dns-server IP in VLAN tutorial

Sat Mar 25, 2023 3:42 pm

I prefer to avoid any use of IP addresses. If I use IP addresses in firewall rules, it would make my configs less robust. A better approach in my opinion is to use VLAN interfaces names.

Absolutely, if possible.
 
Amm0
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: dns-server IP in VLAN tutorial

Sat Mar 25, 2023 5:01 pm

So, contrary to my initial belief, the packet actually goes through the "input" chain (and not through the "forward" chain).
That's true – and I was mistaken in saying 0 rules; I forgot the context. All of the ports that the router "listens on" go through "input", including DNS (and /ip/services etc).
