dexter9889
just joined
Topic Author
Posts: 7
Joined: Sun Apr 02, 2023 5:37 am

Local DNS not working on RB5009

Wed May 03, 2023 4:52 pm

I am trying to replace an existing router (non-Mikrotik) with a Mikrotik RB5009 router. The LAN has been simplified to the minimum hardware required: PC, DNS server, and router with internet connection as illustrated below.
[Image: diagram of the test LAN (PC, DNS server, router with internet connection)]
The local DNS has a static IP address. Both routers are configured to provide the IP address of the DNS via DHCP. The RB5009 configuration is the default configuration with minor changes.

The LAN works correctly with the existing router installed.

With the RB5009 installed (existing router removed) on the LAN the following conditions are true:
- DNS resolution no longer works,
- the PC does receive a valid IP address and the DNS IP address via DHCP,
- all devices on the LAN successfully ping each other,
- nmap to the DNS IP reports port 53 open (as expected),
- ping, dig, nslookup and host commands all timeout when provided a domain name (no DNS resolution).

As a newbie to Mikrotik routers, I'm sure I have misconfigured the router, but I have no clue what is wrong. Any help much appreciated!

Below is the terse export of the RB5009 configuration:
# may/03/2023 03:04:06 by RouterOS 7.8
# model = RB5009UG+S+
/interface bridge add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/ip pool add name=dhcp ranges=192.168.132.200-192.168.132.254
/ip dhcp-server add address-pool=dhcp interface=bridge name=defconf
/interface bridge port add bridge=bridge comment=defconf interface=ether2
/interface bridge port add bridge=bridge comment=defconf interface=ether3
/interface bridge port add bridge=bridge comment=defconf interface=ether4
/interface bridge port add bridge=bridge comment=defconf interface=ether5
/interface bridge port add bridge=bridge comment=defconf interface=ether6
/interface bridge port add bridge=bridge comment=defconf interface=ether7
/interface bridge port add bridge=bridge comment=defconf interface=ether8
/interface bridge port add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings set discover-interface-list=none lldp-med-net-policy-vlan=1
/ip settings set tcp-syncookies=yes
/interface list member add comment=defconf interface=bridge list=LAN
/interface list member add comment=defconf interface=ether1 list=WAN
/ip address add address=192.168.132.1/24 comment=defconf interface=bridge network=192.168.132.0
/ip cloud set update-time=no
/ip dhcp-client add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server network add address=192.168.132.0/24 comment=defconf dns-server=192.168.132.10 gateway=192.168.132.1 netmask=24
/ip dns set servers=192.168.132.10
/ip dns static add address=192.168.132.1 comment=defconf name=router.lan
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes
/ip ssh set always-allow-password-login=yes host-key-size=4096 strong-crypto=yes
/ipv6 firewall address-list add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
/ipv6 firewall address-list add address=::1/128 comment="defconf: lo" list=bad_ipv6
/ipv6 firewall address-list add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
/ipv6 firewall address-list add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
/ipv6 firewall address-list add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
/ipv6 firewall address-list add address=100::/64 comment="defconf: discard only " list=bad_ipv6
/ipv6 firewall address-list add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
/ipv6 firewall address-list add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
/ipv6 firewall address-list add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ipv6 firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
/ipv6 firewall filter add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
/ipv6 firewall filter add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept HIP" protocol=139
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/tool bandwidth-server set enabled=no
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
 
mkx
Forum Guru
Posts: 11587
Joined: Thu Mar 03, 2016 10:23 pm

Re: Local DNS not working on RB5009

Wed May 03, 2023 6:02 pm

First thing to verify would be to check if the DNS server (on a LAN host) can resolve anything (by doing the recursive resolving job, as all decent DNS servers do).
 
pe1chl
Forum Guru
Posts: 10216
Joined: Mon Jun 08, 2015 12:09 pm

Re: Local DNS not working on RB5009

Wed May 03, 2023 6:28 pm

And make sure it does not use 192.168.132.1 as the external resolver...
 
dexter9889
just joined
Topic Author
Posts: 7
Joined: Sun Apr 02, 2023 5:37 am

Re: Local DNS not working on RB5009

Thu May 04, 2023 8:20 am

First thing to verify would be to check if the DNS server (on a LAN host) can resolve anything (by doing the recursive resolving job, as all decent DNS servers do).

Local DNS functions correctly as it has for many years. DNS is unbound on Debian. The RB5009 is being installed into an existing, working network.

With the existing router installed (in the test setup illustrated in my previous post), DNS resolution from the PC via local DNS functions correctly:
linux@linux~> dig mikrotik.com +trace

; <<>> DiG 9.16.38 <<>> mikrotik.com +trace
;; global options: +cmd
.			35924	IN	NS	l.root-servers.net.
.			35924	IN	NS	m.root-servers.net.
.			35924	IN	NS	a.root-servers.net.
.			35924	IN	NS	b.root-servers.net.
.			35924	IN	NS	c.root-servers.net.
.			35924	IN	NS	d.root-servers.net.
.			35924	IN	NS	e.root-servers.net.
.			35924	IN	NS	f.root-servers.net.
.			35924	IN	NS	g.root-servers.net.
.			35924	IN	NS	h.root-servers.net.
.			35924	IN	NS	i.root-servers.net.
.			35924	IN	NS	j.root-servers.net.
.			35924	IN	NS	k.root-servers.net.
.			35924	IN	RRSIG	NS 8 0 518400 20230516050000 20230503040000 60955 . Qa/Jvd5B6cLO221KHCkEW1sVX6RjiUR3Z9pVSujqqT4Hu+sMTmqsJRlz 7eeHgTml4ULCD5KrmtzQz66lRMw6UADFGtLBxUnDOL0WJNOJXbmO6y59 XWQ8CWK/lkyY1z6sEx4P7mt8hQDSBxnnH55qiNNz9gvQVbr2hFsZtuTe SrN4I9F9nzQBy+K1GJhfDuG7AArQOiSpwJHcMyl9GwWrFLoF2nUhd16K PFsFRpfUKafdFQSw9muIL8puoQ9vjT76aTPotb28uiCBiy4WTTaDjWf9 jj7OAXkk3jCLFFSZ2MvznGEERY1yxOU+hAbRuknNXnGR3Kq2B3/Z+B3h dqH2Jw==
;; Received 525 bytes from 10.0.1.1#53(10.0.1.1) in 3 ms

com.			172800	IN	NS	a.gtld-servers.net.
com.			172800	IN	NS	b.gtld-servers.net.
com.			172800	IN	NS	c.gtld-servers.net.
com.			172800	IN	NS	d.gtld-servers.net.
com.			172800	IN	NS	e.gtld-servers.net.
com.			172800	IN	NS	f.gtld-servers.net.
com.			172800	IN	NS	g.gtld-servers.net.
com.			172800	IN	NS	h.gtld-servers.net.
com.			172800	IN	NS	i.gtld-servers.net.
com.			172800	IN	NS	j.gtld-servers.net.
com.			172800	IN	NS	k.gtld-servers.net.
com.			172800	IN	NS	l.gtld-servers.net.
com.			172800	IN	NS	m.gtld-servers.net.
com.			86400	IN	DS	30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.			86400	IN	RRSIG	DS 8 1 86400 20230516210000 20230503200000 60955 . Mk0sfBTNtQDUaDwdSQjDpul2I6mHbsHVIx0mU/3/H2nZ8FxiUquvrnKc cZQH522BqFRXrwJzwd1M8px5Q63SsKmQIBqHHOG6Y4iR+VW789Dl5iH4 JvucsoXJLfCl3LJaXfDh5TAaHiL/EPOzHiZ4Y1HccTKHFv93ITg2xQ1h w070At0gi8okfdcgmtTuLOMxQqfOaMMLMAvyXX1Feo0NEKErpOJKhOLS BBWo1aFnNyZZdj/VAaTPZHzX3IsBjnH1ew5QjlYft+r8HoiVJ/oUmv5p r+3RzAFH9EMV5nV/Pd4mgyOD5P0vATPphIZijWYP7P5Rnm3z9259r3nx 1w4/Ug==
;; Received 1172 bytes from 199.7.91.13#53(d.root-servers.net) in 15 ms

mikrotik.com.		172800	IN	NS	moon.mt.lv.
mikrotik.com.		172800	IN	NS	mimas.mt.lv.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q2D6NI4I7EQH8NA30NS61O48UL8G5 NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20230510042250 20230503031250 46551 com. HpyzWqBzY2A8rDtxpNm9P8eNu0iT0E37qgJDloItgnV9N5mb3gDNieR9 3gP94NltHonAOe32HxaBwCRT22XPyftxDpY/syq7Ea9av4tKAtb2N3xi hzGmQ7GVC3otNYqLbF+EL+6aF6MieJajWvNu38Vv5/w+8KQ9Srt9jHbq 7uwUJHIalX9XbITrGLn8i9HDYuLp/HlyiI06lUS0a9+KPQ==
3FOUKEED77UGEG8AHNGAFK1FUFUPMQ06.com. 86400 IN NSEC3 1 1 0 - 3FOUU9LPPGEGSI7P8R7H95F5LP89HLH7 NS DS RRSIG
3FOUKEED77UGEG8AHNGAFK1FUFUPMQ06.com. 86400 IN RRSIG NSEC3 8 2 86400 20230508054543 20230501043543 46551 com. L1EmO/27HHG8DNV72yU/yRVzMovafeWA7xlplR4befG25Nej5JbHRBa+ z+KKqRV/x7C5haee9XlXnG3h3UJGCtMN6+NfsdOkjFqfzVD+joyByMs6 4pIL+yeG5YzlcSCmqtXJ3RVKnQRIqWH5cK9ZNdDZpRcnvdsRHRhlMKrq aIuqpPx39ZDvG2KPU0zH785rLIpAQqk/vtTaEpgl+n+L9g==
;; Received 634 bytes from 192.5.6.30#53(a.gtld-servers.net) in 15 ms

mikrotik.com.		3600	IN	A	159.148.172.205
mikrotik.com.		3600	IN	NS	mimas.mt.lv.
mikrotik.com.		3600	IN	NS	moon.mt.lv.
;; Received 129 bytes from 159.148.172.194#53(mimas.mt.lv) in 115 ms

After removing the existing router and installing the RB5009, DNS fails. As shown below, from the PC I can successfully ping the DNS server; however, DNS resolution fails:
linux@linux~> ping 192.168.132.10
PING 192.168.132.10 (192.168.132.10) 56(84) bytes of data.
64 bytes from 192.168.132.10: icmp_seq=1 ttl=64 time=0.436 ms
64 bytes from 192.168.132.10: icmp_seq=2 ttl=64 time=0.174 ms
64 bytes from 192.168.132.10: icmp_seq=3 ttl=64 time=0.171 ms
64 bytes from 192.168.132.10: icmp_seq=4 ttl=64 time=0.169 ms
^C
--- 192.168.132.10 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3067ms
rtt min/avg/max/mdev = 0.169/0.237/0.436/0.114 ms
linux@linux~> dig mikrotik.com +trace

; <<>> DiG 9.16.38 <<>> mikrotik.com +trace
;; global options: +cmd
;; connection timed out; no servers could be reached


With the RB5009 installed, from the DNS machine DNS resolution works since the DNS request is internal to the DNS machine and never reaches the LAN. The ICMP packets obviously reach the internet, i.e., the RB5009 is routing:
dns@dns:~ $ ping google.com
PING google.com (142.250.189.110) 56(84) bytes of data.
64 bytes from atl26s29-in-f14.1e100.net (142.250.189.110): icmp_seq=1 ttl=115 time=2.78 ms
64 bytes from atl26s29-in-f14.1e100.net (142.250.189.110): icmp_seq=2 ttl=115 time=2.91 ms
64 bytes from atl26s29-in-f14.1e100.net (142.250.189.110): icmp_seq=3 ttl=115 time=2.95 ms
64 bytes from atl26s29-in-f14.1e100.net (142.250.189.110): icmp_seq=4 ttl=115 time=3.16 ms
^C
--- google.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 2.783/2.948/3.156/0.134 ms


It appears the RB5009 is filtering DNS packets but I don't see why.
 
dexter9889
just joined
Topic Author
Posts: 7
Joined: Sun Apr 02, 2023 5:37 am

Re: Local DNS not working on RB5009

Thu May 04, 2023 8:25 am

And make sure it does not use 192.168.132.1 as the external resolver...

Sorry, I don't understand the context here. Who is "it"...PC, DNS or router?
 
mkx
Forum Guru
Posts: 11587
Joined: Thu Mar 03, 2016 10:23 pm

Re: Local DNS not working on RB5009

Thu May 04, 2023 12:02 pm

Can dig, run on the DNS server, resolve anything when using an external resolver as server? E.g.
dig mikrotik.com @1.1.1.1 +trace

Similarly, when run on the DNS server, what does
tcptraceroute 1.1.1.1 53
show? Does it go out via the ISP and reach one.one.one.one, or does it get stuck somewhere?
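A small probe, added here as an example and not taken from the thread, that reproduces the triage described in the posts above (PC to the LAN resolver, DNS host to a public resolver) and tells a silently dropped query apart from a refused or failing one. It assumes only the Python standard library; the server addresses and the query name are the ones used in the thread, and the transaction id and sample responses in the comments are constructed.

```python
"""Minimal DNS probe: send one A query over UDP and classify the outcome."""
import socket
import struct

TXID = 0x1234  # fixed transaction id for this constructed example


def build_query(name: str, txid: int = TXID) -> bytes:
    """Standard query header (RD=1, one question) followed by QNAME/A/IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_response(data: bytes, txid: int = TXID) -> dict:
    """Decode only the 12-byte header: enough to tell NOERROR from
    SERVFAIL/REFUSED without a full record decoder."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    rcodes = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
    return {
        "txid_ok": rid == txid,
        "is_response": bool(flags & 0x8000),
        "rcode": rcodes.get(flags & 0x000F, str(flags & 0x000F)),
        "answers": an,
    }


def probe(server: str, name: str = "mikrotik.com", timeout: float = 2.0,
          port: int = 53) -> str:
    """'answered:<RCODE>' on a reply, 'timeout' when the query is silently
    dropped (the symptom in the thread), 'refused' on ICMP port unreachable."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (server, port))
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "timeout"
        except ConnectionRefusedError:
            return "refused"
    r = parse_response(data)
    if not (r["txid_ok"] and r["is_response"]):
        return "answered:unexpected"
    return f"answered:{r['rcode']}"


if __name__ == "__main__":
    # Run on the PC against the LAN resolver, and on the DNS host against a
    # public resolver, to see which hop drops the query.
    for srv in ("192.168.132.10", "1.1.1.1"):
        print(srv, probe(srv))
```

Run it once on the PC and once on the DNS host: "timeout" from the PC but "answered:NOERROR" from the host against 1.1.1.1 points at the LAN resolver itself rather than at the router's uplink.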
 
mkx
Forum Guru
Posts: 11587
Joined: Thu Mar 03, 2016 10:23 pm

Re: Local DNS not working on RB5009

Thu May 04, 2023 12:07 pm

And make sure it does not use 192.168.132.1 as the external resolver...

Sorry, I don't understand the context here. Who is "it"...PC, DNS or router?
The DNS server has to be configured either to use some external (in the sense: external to your LAN, including the router) recursive resolver ... or it has to be configured as a full recursive resolver without referencing any forwarder.
The PC (and router) can be configured to use your DNS server as ... well, DNS server.
 
dexter9889
just joined
Topic Author
Posts: 7
Joined: Sun Apr 02, 2023 5:37 am

Re: Local DNS not working on RB5009

Fri May 05, 2023 2:36 am

Problem resolved and it is NOT the RB5009. We formerly had a contractor doing our network maintenance who implemented an undocumented "security feature" on the DNS that blocks unknown router and switch hardware access but does not care about PCs, cell phones, APs, IoT and so on...pretty lame "security feature". Since the DNS did not have an authorization for the RB5009, DNS requests were blocked. Anyhow, I removed the package from the DNS and all is well.

Thanks much to those who took their time to reply!
 
dexter9889
just joined
Topic Author
Posts: 7
Joined: Sun Apr 02, 2023 5:37 am

Re: Local DNS not working on RB5009

Fri May 05, 2023 2:43 am

Sorry, I don't understand the context here. Who is "it"...PC, DNS or router?
The DNS server has to be configured either to use some external (in the sense: external to your LAN, including the router) recursive resolver ... or it has to be configured as a full recursive resolver without referencing any forwarder.
The PC (and router) can be configured to use your DNS server as ... well, DNS server.

Got it. The DNS is a freestanding, full recursive resolver to the root servers...unbound DNS running on Debian. It only needs an internet connection.
