DNS issue after upgrade

randomname · Sat Jul 15, 2023 1:22 pm

Hello,

Yesterday I upgraded a Mikrotik router from version 7.6 to 7.10.2. After that, the DNS no longer works on the network somehow. Never had any problems in the past so I think my original setup was fine. I'm trying to figure out the problem now, but I don't see what's going wrong. If anyone has any tips on how to troubleshoot further or sees the solution that would be great!

Via DHCP I first give all clients the IP of my AdGuard and as a second DNS server the IP of the Mikrotik router as a backup when the AdGuard server fails.

From clients in the network I can still use all services internally in the network perfectly. When I do a curl request to https://1.0.0.1 it just works. Pinging to external IPs also works smoothly. However, with dig I cannot resolve any DNS requests (Mikrotik DNS, Internal Adguard DNS, external DNS servers).

I've added a firewall rule to make sure port 53 isn't blocked but this doesn't seem to be the problem. (The rule has already accepted more than 150,000 packets since yesterday and sees it constantly rising).

I've tested the DNS from an Ubuntu client like this:

user@client:~$ dig @192.168.88.1 google.com
;; communications error to 192.168.88.1#53: timed out
;; communications error to 192.168.88.1#53: timed out
;; communications error to 192.168.88.1#53: timed out

; <<>> DiG 9.18.12-0ubuntu0.22.04.2-Ubuntu <<>> @192.168.88.1 google.com
; (1 server found)
;; global options: +cmd
;; no servers could be reached

user@client:~$ dig @192.168.88.100 google.com
;; communications error to 192.168.88.100#53: timed out
;; communications error to 192.168.88.100#53: timed out
;; communications error to 192.168.88.100#53: timed out

; <<>> DiG 9.18.12-0ubuntu0.22.04.2-Ubuntu <<>> @192.168.88.100 google.com
; (1 server found)
;; global options: +cmd
;; no servers could be reached

user@client:~$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=58 time=31.3 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=58 time=15.0 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=58 time=13.9 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=58 time=12.8 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=58 time=13.9 ms
64 bytes from 8.8.8.8: icmp_seq=6 ttl=58 time=12.0 ms
64 bytes from 8.8.8.8: icmp_seq=7 ttl=58 time=15.6 ms
64 bytes from 8.8.8.8: icmp_seq=8 ttl=58 time=13.1 ms
^C
--- 8.8.8.8 ping statistics ---
8 packets transmitted, 8 received, 0% packet loss, time 7010ms
rtt min/avg/max/mdev = 11.984/15.941/31.314/5.910 ms
user@client:~$ dig @8.8.8.8 google.com
;; communications error to 8.8.8.8#53: timed out
;; communications error to 8.8.8.8#53: timed out
;; communications error to 8.8.8.8#53: timed out

; <<>> DiG 9.18.12-0ubuntu0.22.04.2-Ubuntu <<>> @8.8.8.8 google.com
; (1 server found)
;; global options: +cmd
;; no servers could be reached

user@client:~$ curl https://1.0.0.1
<!DOCTYPE html><html theme="light" lang="en-US" prefix="og: http://ogp.me/ns#"><head><meta charset="utf-8"><title>1.1.1.1 — The free app that makes your Internet faster.</title>

Some of the relevant Mikrotik configuration I guess (only showing first three firewall rules) Rule 1 I've created for testing purposes and accepted already a lot of packages)

/ip/firewall/filter print 
Flags: X - disabled, I - invalid; D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    chain=forward action=accept protocol=udp src-address=192.168.88.0/24 dst-port=53 log=no log-prefix="" 

 2    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked 
      
      
/ip/dns print             
                      servers: 8.8.8.8,8.8.4.4,1.1.1.1,1.0.0.1
              dynamic-servers: 195.130.130.4,195.130.131.4
               use-doh-server: 
              verify-doh-cert: no
   doh-max-server-connections: 5
   doh-max-concurrent-queries: 50
                  doh-timeout: 5s
        allow-remote-requests: yes
          max-udp-packet-size: 4096
         query-server-timeout: 2s
          query-total-timeout: 10s
       max-concurrent-queries: 100
  max-concurrent-tcp-sessions: 20
                   cache-size: 2048KiB
                cache-max-ttl: 1w
      address-list-extra-time: 0s
                   cache-used: 35KiB

randomname · Sat Jul 15, 2023 1:59 pm

I've found out about the problem:

/ip/firewall/nat print    
Flags: X - disabled, I - invalid; D - dynamic 
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none 

 1 X  ;;; Force internal DNS
      chain=dstnat action=dst-nat to-addresses=192.168.88.100 to-ports=53 protocol=udp in-interface-list=LAN dst-port=53 log=no log-prefix="" 

 2 X  ;;; Force internal DNS
      chain=dstnat action=dst-nat to-addresses=192.168.88.100 to-ports=53 protocol=tcp in-interface-list=LAN dst-port=53 log=no log-prefix=""

I had following dst-nat rules to force the usage of my Adguard DNS server. However I'm not sure how it's possible that this worked in the past and now stopped working. I guess the issue is that the Adguard DNS requests are also natted to it's own ip address.

erich408 · Sun Jul 16, 2023 8:52 pm

there's definitely an issue. I updated my CRS312-4c+8xg from 7.10 to 7.10.2, and now the router count look for updates. I'm just using it as a switch (everything bridged) but for future updates I'm going to have to probably load by hand, as "check for updates" times out now. nothing else changed besides 7.10->7.10.2

edit: I tried flushing the DNS cache on the switch and now searches work again :/

Ddram · Mon Jul 17, 2023 8:28 pm

Same problem here. Updated from 7.10(stable) to 7.10.2 on friday. since then, after 24h reconnect from ISP no DNS resolving works. I use a script to update dyndns address after reconnect (returns no ip), local pihole only gets "bogus" replys, but ping of IPs works as expected.

Same forced DNS rules in my config have been working without a problem for months (or years).

Will try DNS cache flush next time to see if that could be a workaround.

apestalménos1 · Tue Jul 18, 2023 2:48 am

I got this suspicious problem after upgrading to 7.9:

After upgrading to 7.9.1(stable) RouterOS reports a memory dns, error of "DoH server connection error: resolving error". ip dns print shows that I am not using a doh-server, and I am not verifying doh-certificates. No DNS servers are listed (static or otherwise). The were no DNS servers assigned before the upgrade. Yet, RouterOS continues to report errors. Why would RouterOS be trying to connect to a DoH server when there are none assigned (none on the DHCP Networks either)?

servers:
dynamic-servers:
use-doh-server: no
verify-doh-cert: no
doh-max-server-connections: 5
doh-max-concurrent-queries: 50
doh-timeout: 5s
allow-remote-requests: no
max-udp-packet-size: 4096
query-server-timeout: 2s
query-total-timeout: 10s
max-concurrent-queries: 100
max-concurrent-tcp-sessions: 30
cache-size: 512KiB
cache-max-ttl: 30m
cache-used: 28KiB

Ddram · Sun Jul 23, 2023 12:27 pm

It worked for about two days with reconnects in the night, at the third reconnect the DNS resolution doesn't work anymore. Tried to flush DNS cache this time but that didn't help.

Rebooting the Rb4011 brought DNS resolving back.

I downgrade to 7.10. if the Problem exists there, i'll go back to 7.9. Taht version was running a few weeks without a problem.

allarmsllc · Mon Jul 24, 2023 6:39 pm

It worked for about two days with reconnects in the night, at the third reconnect the DNS resolution doesn't work anymore. Tried to flush DNS cache this time but that didn't help.

Rebooting the Rb4011 brought DNS resolving back.

I downgrade to 7.10. if the Problem exists there, i'll go back to 7.9. Taht version was running a few weeks without a problem.

I am so glad I found this post; it describes EXACTLY what I am experiencing. Has your rollback to 7.10 solved the issue so far?

allarmsllc · Mon Jul 24, 2023 8:29 pm

I guess the issue is that the Adguard DNS requests are also natted to it's own ip address.

This could definitely be a thing, you probably just need to add a src-address does not equal your AdGuard server in those rules.

Ddram · Tue Jul 25, 2023 12:21 am

I am so glad I found this post; it describes EXACTLY what I am experiencing. Has your rollback to 7.10 solved the issue so far?

We have to wait a few days to be sure. Until now i have one reconnect passed without problems.

This could definitely be a thing, you probably just need to add a src-address does not equal your AdGuard server in those rules.

My rules have SRC and DST address filtered for own requests from pihole to upstream Servers. So this shouldn't be a problem on my side.

Ddram · Wed Jul 26, 2023 10:27 am

It worked for about two days with reconnects in the night, at the third reconnect the DNS resolution doesn't work anymore. Tried to flush DNS cache this time but that didn't help.

Rebooting the Rb4011 brought DNS resolving back.

I downgrade to 7.10. if the Problem exists there, i'll go back to 7.9. Taht version was running a few weeks without a problem.
I am so glad I found this post; it describes EXACTLY what I am experiencing. Has your rollback to 7.10 solved the issue so far?

With the third reconnect the problem came back. Now i'm in 7.9 and waiting what happens...

Something new on your side?

allarmsllc · Mon Jul 31, 2023 5:50 pm

Something new on your side?

I downgraded to 7.10 on everything and saw an immediate performance improvement. There are no more timeout warning in browsers, but still occasional slow performance. I also was on a different, similar, network setup (multiple vlans, etc) over the weekend which is still on 7.9 and it has none of these problems. So, I might downgrade to 7.9 as well, gonna give it another day or so.

allarmsllc · Mon Jul 31, 2023 8:14 pm

Something new on your side?
I downgraded to 7.10 on everything and saw an immediate performance improvement. There are no more timeout warning in browsers, but still occasional slow performance. I also was on a different, similar, network setup (multiple vlans, etc) over the weekend which is still on 7.9 and it has none of these problems. So, I might downgrade to 7.9 as well, gonna give it another day or so.

Less than 30 minutes after this reply I got a few browser errors, so I went down to 7.9 on everything. I believe Mikrotik broke something in DNS on IPv4 when trying to fix a bug in IPv6 with regard to CVE-2023-32154, it is a fix listed in both 7.9.1 and 7.10.

Ddram · Fri Aug 11, 2023 8:48 pm

Hey there,

I worked my way back from 7.9 to 7.10 with 7 days on 7.9 and 7 on 7.10, for now everything works as excpected. Tomorrow i'll try upgrading to 7.10.2 and have an eye on it.

I had to change my 24h reconnect script a little bit, because i have noticed that my vpn connection (IPSEC to hide.me) didn't terminate like it did before, on pppoe disconnect, so i put a toggle in my script to terminate it while reconnecting.
Since this is the only change i made, my problem seems to be not related to the initial discussion, just similar symptoms.

As you mentioned a performance improvement i can't see any difference on 100/40Mbit line between the different versions, but i notice higher cpu load within 7.10+ versions.

jks81 · Wed Jan 24, 2024 10:55 am

It’s definitely the twilight zone out there, been using MikroTik’s as DNS servers for years… never a problem.

Now it’s like DNS is just dead, even after factory reset with no default config and basic DNS setup.

Does not respond to DNS requests, can’t even resolve via ping etc. from router. Ran packet capture on another device and nothing arrives… bizarre

DNS issue after upgrade

DNS issue after upgrade

Re: DNS issue after upgrade

Re: DNS issue after upgrade

Re: DNS issue after upgrade

Re: DNS issue after upgrade

Re: DNS issue after upgrade

Re: DNS issue after upgrade

Re: DNS issue after upgrade

Re: DNS issue after upgrade

Re: DNS issue after upgrade

Re: DNS issue after upgrade

Re: DNS issue after upgrade

Re: DNS issue after upgrade

Re: DNS issue after upgrade

Who is online