jfernandezr
just joined
Topic Author
Posts: 11
Joined: Wed Apr 12, 2023 11:14 am

Static DNS FWD entries using DoH not working

Wed Apr 12, 2023 11:29 am

Hi all

I’m using RouterOS v7.8 on a RB750Gr3 revision r4.

I have a DNS setup where I use a static mapping of some of my network components with A records, and also the following FWD one so that I can resolve the container addresses on LXD. The LXD host is 10.246.119.1.

Regexp / Type / Value
.*\.lxd$   FWD   10.246.119.1

So, if I ask the Mikrotik router for test.lxd, I get the correct DNS answer of 10.246.119.whatever.

This setup works correctly until I enable DNS over HTTPS. It seems that enabling it does not honor the static FWD entries. It works though with A entries with regular expressions, but it ignores FWD entries. I cannot tell if it’s trying to perform a DoH request to the LXD host.

Is that an undesired effect, or is it expected and following the protocol? Is there a solution, besides disabling DoH?

Thanks!
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Static DNS FWD entries using DoH not working

Wed Apr 12, 2023 11:43 am

Does 10.246.119.1 have a valid certificate from a trusted CA?

If not, all the security of DoH goes away.... so DoH is useless...
 
jfernandezr
just joined
Topic Author
Posts: 11
Joined: Wed Apr 12, 2023 11:14 am

Re: Static DNS FWD entries using DoH not working

Wed Apr 12, 2023 5:10 pm

10.246.119.1 is not serving DNS requests over DoH, as this is an internal server exposing the DNS resolution provided by LXD.

So I guess you're saying that if DoH is enabled, then all FWD servers should use DoH, even if they are internal to the LAN. Is that correct?

Thanks!
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Static DNS FWD entries using DoH not working

Wed Apr 12, 2023 5:13 pm

What I mean is that if you use a DoH server, which by itself is designed to make only secure requests,
it is normal that the request cannot be delegated/forwarded to another general server.
Last edited by rextended on Wed Apr 12, 2023 5:14 pm, edited 1 time in total.
 
jfernandezr
just joined
Topic Author
Posts: 11
Joined: Wed Apr 12, 2023 11:14 am

Re: Static DNS FWD entries using DoH not working  [SOLVED]

Wed Apr 12, 2023 5:14 pm

I'm answering myself to this issue.

"Currently, DoH is not compatible with FWD-type static entries, in order to utilize FWD entries, DoH must not be configured."

https://help.mikrotik.com/docs/display/ROS/DNS

Is this an open issue that would be addressed in the future?

Thanks!
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Static DNS FWD entries using DoH not working

Wed Apr 12, 2023 5:15 pm

DoH was not designed to be circumvented in this way; if something is done to delegate to an unsecured standard DNS server, it probably goes outside the specs.
 
jfernandezr
just joined
Topic Author
Posts: 11
Joined: Wed Apr 12, 2023 11:14 am

Re: Static DNS FWD entries using DoH not working

Wed Apr 12, 2023 5:30 pm

I really do not think of this as a circumvention.

I can easily see the case where someone deploys a network with a DoH resolver by default and wants to forward requests for an Active Directory domain to the AD/SMB server. Or, like in my case, to have a host of containers with its own private network and a resolver for the container addresses, so that any computer on the LAN can get their addresses from it.

DoH is working from the router to the DoH server, but in the LAN the requests are done over plain DNS on port 53 to the router. So, all hosts in the network are by default subject to MitM attacks from another computer in the network, even when DoH is configured on the router. The only way a client would be secured in the LAN is if it configures its own DoH resolver manually, as there is not any DHCP option to send the client leases with DoH options (AFAIK).

I would love this FWD feature to work, as I just do not want third eyes eavesdropping on my traffic at ISP level. And it would also be very nice if we could set a specific DoH resolver for a DHCP network, so we can have different DoH resolvers depending on the client VLAN. I'm thinking about the three dns0.eu resolvers, so I could use the most restrictive one for the guest network.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Static DNS FWD entries using DoH not working

Wed Apr 12, 2023 5:37 pm

DoH was designed to avoid any instance of interference, so talking about DoH being provided via DHCP makes absolutely no sense.
DoH must be specified in the application, not at the NIC/driver/OS level, otherwise DHCP (or an attack) could deliver a corrupt DoH server, etc.

Regarding the forward, if you tell the routerboard to use a secure server, only itself or a certified server can give answers.
Delegating these responses to something else (especially without a certificate issued by trusted authorities, and not "self-signed") makes no sense.
 
jfernandezr
just joined
Topic Author
Posts: 11
Joined: Wed Apr 12, 2023 11:14 am

Re: Static DNS FWD entries using DoH not working

Wed Apr 12, 2023 5:46 pm

I see, so no DoH for corporate networks then.

Thanks!
 
shalak
newbie
Posts: 41
Joined: Sat Aug 24, 2019 11:47 am

Re: Static DNS FWD entries using DoH not working

Wed Apr 12, 2023 7:23 pm

Regarding the forward, if you tell the routerboard to use a secure server, only itself or a certified server can give answers.
Delegating these responses to something else (especially without a certificate issued by trusted authorities, and not "self-signed") makes no sense.

I'm not following this all-or-nothing logic. I want to use a public DoH for almost everything, but my local DNS for specific (regexp-matched), local domains.

I hope Mikrotik will revisit this idea. After all they do say "Currently, DoH is not compatible with FWD-type static entries..."
 
eworm
Forum Guru
Posts: 1070
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: Static DNS FWD entries using DoH not working

Sat Apr 15, 2023 10:32 am

It has been that way since DoH and FWD (one of them was just one release ahead, iirc) were introduced. I noticed this a lot of times in release threads and other topics. Not sure I had an issue about it. Nothing has changed since then.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Static DNS FWD entries using DoH not working

Sat Apr 15, 2023 11:17 am

I fully agree that DoH should have been implemented as "just another external resolver" that you can combine with normal resolvers, static records, FWD etc.
The RouterOS DNS resolver would get the query, first look it up in the local cache and local records, forward when indicated, and only when it needs to consult an external resolver would it see the DoH config and use that.
But it has not been implemented like that.

And of course, when you really need to use DoH or DoT, it should be done from the APPLICATION needing DNS (e.g. the browser), not by some service in either the client computer or the router. That mostly makes it useless.
And of course, DoH and DoT are not compatible with split DNS. When you still have local DNS services that serve your own local space, you will slowly get more and more trouble in the changing world of the internet, cloud applications, etc.
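The following is an added example, not code from the thread or from RouterOS: a small model of the resolution order pe1chl describes above (cache, static records, FWD, then the external resolver) beside the RouterOS 7.8 behaviour the original post reports (A entries, plain or regexp, still answered; FWD entries skipped once DoH is configured). The `.lxd` FWD entry and the LXD host 10.246.119.1 come from the thread; `nas.lan`, the `.lab` regexp A entry and the DoH URL are constructed placeholders.

```python
import re
from typing import NamedTuple, Tuple


class StaticEntry(NamedTuple):
    matcher: str      # exact name, or a regexp when is_regexp is True
    is_regexp: bool
    type: str         # "A" or "FWD", as in /ip dns static
    value: str        # address for A, forward-to server for FWD


# Constructed /ip dns static table mirroring the thread (first match wins).
STATIC = [
    StaticEntry("nas.lan", False, "A", "10.246.118.10"),    # constructed
    StaticEntry(r".*\.lab$", True, "A", "10.246.118.20"),   # constructed regexp A
    StaticEntry(r".*\.lxd$", True, "FWD", "10.246.119.1"),  # from the thread
]
DOH_UPSTREAM = "https://doh.example/dns-query"  # placeholder, not a real resolver


def matches(entry: StaticEntry, name: str) -> bool:
    # RouterOS regexps are not implicitly anchored, so use search(); the
    # thread's pattern carries its own "$" anchor.
    if entry.is_regexp:
        return re.search(entry.matcher, name) is not None
    return entry.matcher == name


def route_query(name: str, doh_enabled: bool, fwd_with_doh: bool = False) -> Tuple[str, str]:
    """Return (source, target): where the router answers the query from.

    doh_enabled=True, fwd_with_doh=False models RouterOS 7.8 as reported in
    the thread: A entries are honoured, FWD entries are skipped, and the
    rest goes to the DoH server.
    fwd_with_doh=True models pe1chl's proposed order: static records, then
    FWD, and only then the external resolver (DoH when configured).
    """
    name = name.lower().rstrip(".")
    for entry in STATIC:
        if not matches(entry, name):
            continue
        if entry.type == "A":
            return ("static-a", entry.value)
        if entry.type == "FWD" and (not doh_enabled or fwd_with_doh):
            return ("fwd", entry.value)
        # FWD entry ignored under DoH: fall through to the external resolver
    if doh_enabled:
        return ("doh", DOH_UPSTREAM)
    return ("udp53", "configured servers")
```

With `doh_enabled=True` a `test.lxd` query leaks to the public DoH upstream instead of the LXD host, which is exactly the split-horizon failure the thread is about.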
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Static DNS FWD entries using DoH not working

Sat Apr 15, 2023 1:03 pm

 
hex
just joined
Posts: 9
Joined: Wed Nov 10, 2010 4:32 am

Re: Static DNS FWD entries using DoH not working

Tue May 09, 2023 7:48 pm

DoH is just used between the MikroTik and the Internet, not everywhere.
So I don't see any logical answer why it can't be combined with FWD, unless it's an internal architecture limitation.
It would be nice to have an answer from MikroTik on whether this will be fixed in the future.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Static DNS FWD entries using DoH not working

Wed May 10, 2023 10:31 am

[...] I don't see any logical answer why it can't be combined with FWD [...]
The logical answer is the 2nd part of post #8, just read it.

It would be nice to have an answer from MikroTik on whether this will be fixed in the future.
If DoH delegates responses to an unsecured server, that's not a solution but a hack into how DoH works, compromising its security.
 
eworm
Forum Guru
Posts: 1070
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: Static DNS FWD entries using DoH not working

Wed May 10, 2023 1:22 pm

I do not follow your argument, rextended. What we want is split horizon for DNS, with DoH upstream. This is not a problem if the delegated name server is in the local (trusted) network or available via VPN. So why deny this configuration?

RouterOS is about flexibility. A lot of things can be configured wrong or bad or insecure or whatever. But it is up to the system/network administrator, and things can be still valid and usable when done right.
 
gfunkdave
newbie
Posts: 45
Joined: Tue Jan 09, 2018 12:05 am

Re: Static DNS FWD entries using DoH not working

Thu May 25, 2023 5:18 am

I just wanted to chime in and say that I just discovered this is why I couldn't resolve DNS across VPN tunnels. Is there a feature request to enable local/regexp DNS when DoH is enabled?
 
gfunkdave
newbie
Posts: 45
Joined: Tue Jan 09, 2018 12:05 am

Re: Static DNS FWD entries using DoH not working

Wed Oct 11, 2023 5:24 pm

Update: I submitted a feature request for this last week and today Mikrotik replied that if enough people asked for it they would investigate including it in a future release. So everyone please submit a feature request!

https://help.mikrotik.com/servicedesk/servicedesk
 
vovan700i
newbie
Posts: 30
Joined: Wed Jun 06, 2012 8:34 am

Re: Static DNS FWD entries using DoH not working

Thu Oct 12, 2023 11:01 am

@gfunkdave, thank you. It would be nice if they could implement DoH with static FWD entries. Supported the community effort with my SUP-130888.
