carrotrelative
just joined
Topic Author
Posts: 6
Joined: Mon Sep 19, 2022 3:19 pm

Unwanted IPs when using static dns address-list entries

Mon May 29, 2023 12:39 am

Hi,
I'm doing simple policy based routing to route some traffic through wireguard VPN.
Address list for the routing is generated dynamically using
/ip dns static
add address-list=VPN match-subdomain=yes name=addres.net type=FWD
add address-list=VPN match-subdomain=yes name=another_address.net type=FWD
and then later I'm marking the connection for routing through the wireguard interface.
Also, as
/ip dns static
creates dynamic entries in the address list, I'm saving all the entries from the VPN address list into a static address list. Without it, the redirection wasn't working on the first try once the dynamic entries had expired.
Whole firewall mangle looks like this
/ip firewall mangle
add action=mark-connection chain=prerouting dst-address-list=VPN in-interface=bridge new-connection-mark=USE_VPN passthrough=yes src-address-list=local_full
add action=add-dst-to-address-list address-list=VPN_STATIC address-list-timeout=none-static chain=prerouting connection-mark=USE_VPN dst-address-list=VPN
add action=mark-connection chain=prerouting dst-address-list=VPN_STATIC new-connection-mark=USE_VPN passthrough=yes src-address-list=local_full
add action=mark-routing chain=prerouting connection-mark=USE_VPN dst-address-list=VPN new-routing-mark=VPN_TABLE passthrough=no src-address-list=local_full
add action=mark-routing chain=prerouting connection-mark=USE_VPN dst-address-list=VPN_STATIC new-routing-mark=VPN_TABLE passthrough=no src-address-list=local_full
add action=change-mss chain=forward connection-mark=USE_VPN new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
All works great; however, it seems like whenever there is some issue with a DNS request, like the internet connection being down, IPs from non-watched domains suddenly start appearing in my VPN and VPN_STATIC address lists (the lists of addresses that should be routed through the VPN). E.g.
104.18.26.222
and that's Cloudflare (I'm using 1.1.1.1 as DNS). I had also found entries there for some Microsoft IPs.

I think it happens whenever there is an issue with the DNS query (e.g. internet down), but I'm not certain. I was wondering if anyone might have an idea why it is happening and possibly how to prevent that?

The rest of the relevant config is
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard1 list=WAN

/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/routing table
add disabled=no fib name=VPN_TABLE

/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=192.168.0.0
add address=10.0.0.4 interface=wireguard1 network=10.0.0.0

/ip dhcp-server network
add address=10.0.0.0/24 dns-server=xxx.xxx.xxx.xxx gateway=10.0.0.1
add address=192.168.0.0/24 comment=defconf dns-server=192.168.0.1 gateway=192.168.0.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward in-interface-list=LAN out-interface=wireguard1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes in-interface=!wireguard1 out-interface=!wireguard1
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

/ip firewall address-list
add address=192.168.0.0/24 list=local
add address=10.0.0.0/8 list=local_full
add address=192.168.0.0/16 list=local_full

/ip firewall nat
add action=src-nat chain=srcnat out-interface=wireguard1 to-addresses=10.0.0.4
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard1 pref-src="" routing-table=VPN_TABLE scope=30 suppress-hw-offload=yes target-scope=10
/routing rule
add action=lookup disabled=no interface=wireguard1 routing-mark=VPN_TABLE table=VPN_TABLE
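The symptom in the post is that VPN_STATIC accumulates permanent (timeout=none-static) entries for addresses that never belonged to addres.net or another_address.net. Since those entries are copied from dynamic ones and never expire, they are worth auditing offline. The following is an added example, not code from the post or from MikroTik: it parses a constructed `/ip firewall address-list export` sample, compares each VPN_STATIC entry against a constructed map of what the watched domains currently resolve to (taken, for instance, from `/ip dns cache`), and emits the RouterOS commands that would remove the entries that match no watched domain.

```python
import ipaddress
import shlex

# Constructed sample of `/ip firewall address-list export` output (not from the post).
# 104.18.26.222 is the Cloudflare address the post reports seeing in the list.
SAMPLE_EXPORT = """\
/ip firewall address-list
add address=192.168.0.0/24 list=local
add address=10.0.0.0/8 list=local_full
add address=203.0.113.10 list=VPN_STATIC timeout=none-static
add address=203.0.113.11 list=VPN_STATIC timeout=none-static
add address=104.18.26.222 list=VPN_STATIC timeout=none-static
add address=198.51.100.7 list=VPN_STATIC timeout=none-static
"""

# Constructed: current resolutions of the watched domains (e.g. from `/ip dns cache`
# on the router or an independent lookup). The IPs are documentation-range placeholders.
EXPECTED = {
    "addres.net": {"203.0.113.10", "203.0.113.11"},
    "another_address.net": {"198.51.100.7"},
}


def parse_export(text):
    """Yield one dict of key=value pairs per `add ...` line of a RouterOS export.
    shlex handles quoted values such as comment="some text"."""
    for line in text.splitlines():
        parts = shlex.split(line.strip())
        if parts and parts[0] == "add":
            yield dict(kv.split("=", 1) for kv in parts[1:] if "=" in kv)


def audit(export_text, expected, list_name="VPN_STATIC"):
    """Split the entries of list_name into (ok, unexpected), in export order.
    An entry is ok if any currently expected address falls inside it."""
    known = {ipaddress.ip_address(a) for ips in expected.values() for a in ips}
    ok, unexpected = [], []
    for entry in parse_export(export_text):
        if entry.get("list") != list_name:
            continue
        net = ipaddress.ip_network(entry["address"], strict=False)  # bare IP -> /32
        (ok if any(a in net for a in known) else unexpected).append(entry["address"])
    return ok, unexpected


def removal_commands(unexpected, list_name="VPN_STATIC"):
    """RouterOS commands that would drop only the unexpected entries from the list."""
    return [f'/ip firewall address-list remove [find where list="{list_name}" address="{a}"]'
            for a in unexpected]
```

Run against a real export, the `unexpected` list is what to investigate before deciding whether the add-dst-to-address-list rule is capturing addresses it should not.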
