gfunkdave
Frequent Visitor
Topic Author
Posts: 96
Joined: Tue Jan 09, 2018 12:05 am

How do you get RouterOS to ignore IPv6-supplied DNS

Thu Jun 27, 2024 7:14 pm

I have a RB5009 running 7.15.1. My ISP (AT&T US) uses router advertisements to advertise a DNS server that shows up in the "Dynamic Servers" field of the DNS settings. There doesn't seem to be a way to prevent this.

I have set use-peer-dns=no on all the interfaces under /ipv6/dhcp-client. I have also set advertise-dns=no on all interfaces under /ipv6/nd. There doesn't seem to be a way to make the router ignore this DNS server.

This is a problem for a couple reasons: first, my NextDNS resolvers aren't always used which can allow ads and the like to be resolved. Second, AT&T has a very annoying practice of hijacking DNS queries that result in a NXDOMAIN and forwarding you to a page with ads and "suggested links". I have turned off that "feature" on their website but it still does it.

For a while I had it working by setting an IPv6 NAT rule to NAT all traffic outbound on the WAN port to NextDNS instead, but it stopped working and I don't know why.

Can anyone help me get rid of this dynamic DNS server? I submitted a ticket to MikroTik months ago but they just said essentially "we might do something about it".
 
pe1chl
Forum Guru
Posts: 10607
Joined: Mon Jun 08, 2015 12:09 pm

Re: How do you get RouterOS to ignore IPv6-supplied DNS

Thu Jun 27, 2024 7:29 pm

How does your router obtain the IPv6 address and routes from your ISP?
Note that not everyone will be familiar with the procedures your ISP uses.
When you don't know the technical details, at least show us the output of "/ipv6 export".
 
Amm0
Forum Guru
Posts: 4696
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: How do you get RouterOS to ignore IPv6-supplied DNS

Thu Jun 27, 2024 7:41 pm

Hmm. On the RB1100, using AT&T Fiber, I don't show any dynamic addresses in /ip/dns if IPv6 DHCP has it disabled (and if IPv6 DNS "use peer DNS" is checked, AT&T DNS gets added as dynamic; uncheck it and it gets removed). At least in 7.16beta.
Last edited by Amm0 on Thu Jun 27, 2024 7:42 pm, edited 1 time in total.
 
gfunkdave
Frequent Visitor
Topic Author
Posts: 96
Joined: Tue Jan 09, 2018 12:05 am

Re: How do you get RouterOS to ignore IPv6-supplied DNS

Thu Jun 27, 2024 7:42 pm

It's all SLAAC. There is a bit of a hack because I have two VLANs but AT&T will only give you a /64. But they will give you as many /64s as you ask for, so I use two vrrp interfaces to ask for separate /64s.
/ipv6 address
add address=fddc::100 advertise=no interface=wireguard1
add address=::1 from-pool=lan-ipv6 interface=vlan-lan
add address=::1 from-pool=guest-ipv6 interface=vlan-guest
/ipv6 dhcp-client
add add-default-route=yes interface=vrrp1 pool-name=lan-ipv6 request=prefix \
    use-interface-duid=yes use-peer-dns=no
add add-default-route=yes interface=vrrp2 pool-name=guest-ipv6 request=prefix \
    use-interface-duid=yes use-peer-dns=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=input disabled=yes dst-port=22 protocol=tcp
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept origin Guest VLAN" \
    in-interface-list=guest
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ipv6 firewall nat
add action=masquerade chain=srcnat comment=\
    "NAT masquerade for Wireguard IPv6" src-address=fddc::/64
add action=dst-nat chain=output comment="workaround for AT&T IPv6 DNS" \
    dst-address=2600:1700:7c50:3790::1/128 dst-port=53 out-interface-list=WAN \
    protocol=udp to-address=2a07:a8c0::f3:8be7/128
add action=dst-nat chain=output dst-address=2600:1700:7c50:3790::1/128 \
    dst-port=53 out-interface-list=WAN protocol=tcp to-address=\
    2a07:a8c0::f3:8be7/128
/ipv6 nd
set [ find default=yes ] advertise-dns=no interface=vlan-lan ra-interval=\
    10s-30s ra-lifetime=5m
add advertise-dns=no interface=vlan-guest ra-interval=10s-30s ra-lifetime=5m
/ipv6 nd prefix default
set preferred-lifetime=30m valid-lifetime=12h
/ipv6 settings
set accept-router-advertisements=yes
 
gfunkdave
Frequent Visitor
Topic Author
Posts: 96
Joined: Tue Jan 09, 2018 12:05 am

Re: How do you get RouterOS to ignore IPv6-supplied DNS

Thu Jun 27, 2024 7:56 pm

> Hmm. On the RB1100, using AT&T Fiber, I don't show any dynamic addresses in /ip/dns if IPv6 DHCP has it disabled (and if IPv6 DNS "use peer DNS" is checked, AT&T DNS gets added as dynamic; uncheck it and it gets removed). At least in 7.16beta.
This is what I have whenever IPv6 is enabled:
[david@RoutyMcRouterson] > /ip/dns print
                      servers: 45.90.28.118,45.90.30.118
              dynamic-servers: 2600:1700:7c50:3790::1
That IPv6 address is the AT&T modem's LAN IPv6 address. I have it in IP passthrough mode, but as we all know it just NATs everything to the router.
 
pe1chl
Forum Guru
Posts: 10607
Joined: Mon Jun 08, 2015 12:09 pm

Re: How do you get RouterOS to ignore IPv6-supplied DNS

Thu Jun 27, 2024 10:48 pm

> It's all SLAAC. There is a bit of a hack because I have two VLANs but AT&T will only give you a /64. But they will give you as many /64s as you ask for, so I use two vrrp interfaces to ask for separate /64s.
That does not sound very convenient... can't you enable DHCPv6 and request a prefix with that?
If so you can disable SLAAC (DHCPv6 has the option to receive the DNS servers or not)
 
Kentzo
Long time Member
Posts: 665
Joined: Mon Jan 27, 2014 3:35 pm
Location: California

Re: How do you get RouterOS to ignore IPv6-supplied DNS

Fri Jun 28, 2024 5:41 am

IIRC at the moment RouterOS doesn't let you administratively override how it uses received Router Advertisements. Please contact MikroTik support and make a feature request at https://help.mikrotik.com/servicedesk/servicedesk
 
gfunkdave
Frequent Visitor
Topic Author
Posts: 96
Joined: Tue Jan 09, 2018 12:05 am

Re: How do you get RouterOS to ignore IPv6-supplied DNS

Fri Jun 28, 2024 7:20 pm

> IIRC at the moment RouterOS doesn't let you administratively override how it uses received Router Advertisements. Please contact MikroTik support and make a feature request at https://help.mikrotik.com/servicedesk/servicedesk

I did. They closed the ticket and said "we'll think about it".
> That does not sound very convenient... can't you enable DHCPv6 and request a prefix with that?
> If so you can disable SLAAC (DHCPv6 has the option to receive the DNS servers or not)

I am actually not sure how to do that. I confess IPv6 is a bit of an enigma to me. I'm actually not sure what differentiates SLAAC and DHCPv6 in RouterOS. It seems I am using the "dhcp client" already. What needs to change?
/ipv6 dhcp-client
add add-default-route=yes interface=vrrp1 pool-name=lan-ipv6 request=prefix \
    use-interface-duid=yes use-peer-dns=no
add add-default-route=yes interface=vrrp2 pool-name=guest-ipv6 request=prefix \
    use-interface-duid=yes use-peer-dns=no
 
yuripg1
newbie
Posts: 31
Joined: Fri Aug 25, 2023 6:20 pm

Re: How do you get RouterOS to ignore IPv6-supplied DNS

Fri Jun 28, 2024 7:43 pm

Thought experiment: what if you add a firewall rule that drops the Router Advertisements (ICMPv6, type 134, code 0) from the WAN entirely, instead relying on the DHCPv6 Client option to "Add Default Route"?

I know that ideally the default route should come from the Router Advertisement, and that the "Add Default Route" is but a fallback resource for working with ISPs with broken or no Router Advertisements at all, but this way I think there is a chance of having the IPv6 working without the DNS servers from the ISP.
 
gfunkdave
Frequent Visitor
Topic Author
Posts: 96
Joined: Tue Jan 09, 2018 12:05 am

Re: How do you get RouterOS to ignore IPv6-supplied DNS

Fri Jun 28, 2024 8:16 pm

> Thought experiment: what if you add a firewall rule that drops the Router Advertisements (ICMPv6, type 134, code 0) from the WAN entirely, instead relying on the DHCPv6 Client option to "Add Default Route"?
>
> I know that ideally the default route should come from the Router Advertisement, and that the "Add Default Route" is but a fallback resource for working with ISPs with broken or no Router Advertisements at all, but this way I think there is a chance of having the IPv6 working without the DNS servers from the ISP.

You are a genius. I couldn't get it to work by creating a firewall rule but in /ipv6/settings I just set accept-router-advertisements=no and the errant DNS server disappeared. IPv6 connectivity seems unaffected.

Separately, I did get my NAT rule working again. For some reason it had stopped. I re-created it and it once again started natting traffic to the NextDNS server. Must be a bug.
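The two approaches discussed in this thread (yuripg1's firewall rule and the accept-router-advertisements=no setting that worked for gfunkdave) side by side, as an added RouterOS example that is not configuration posted by any participant. It assumes the WAN interface list and the DHCPv6 clients from gfunkdave's export (add-default-route=yes, use-peer-dns=no) already exist, reuses the NextDNS resolver addresses from the /ip/dns print above, and the scheduled check assumes that `/ip dns get dynamic-servers` returns the same list that `print` shows.

```routeros
# Added example (not from the thread). Pick ONE of option A or B; the
# verification and scheduled check apply to either.
# Assumes: interface list "WAN" exists, and the DHCPv6 clients already run
# with add-default-route=yes use-peer-dns=no (as in gfunkdave's export).

# Option A: stop processing Router Advertisements as a host altogether.
# The ISP's RDNSS option can then never reach /ip dns dynamic-servers.
# This does NOT affect the RAs the router itself sends on LAN via /ipv6 nd,
# but the WAN default route must now come from the DHCPv6 client.
/ipv6 settings set accept-router-advertisements=no

# Option B: keep RA processing on, but drop RAs (ICMPv6 type 134) that arrive
# on the WAN before the router acts on them. The rule has to sit ABOVE the
# default "accept ICMPv6" input rule, otherwise that rule matches first,
# which is the likely reason a rule appended at the end "didn't work".
/ipv6 firewall filter add chain=input in-interface-list=WAN protocol=icmpv6 \
    icmp-options=134:0-255 action=drop comment="drop ISP router advertisements" \
    place-before=[find chain=input comment="defconf: accept ICMPv6"]

# Resolvers the router should actually use (values from the OP's print output).
/ip dns set servers=45.90.28.118,45.90.30.118

# Verification after the WAN reconnects: dynamic-servers must be empty and a
# default route (from the DHCPv6 client) must still be present.
/ip dns print
/ipv6 route print where dst-address=::/0

# Scheduled check: log a warning if an ISP-pushed resolver ever reappears,
# e.g. after an upgrade resets the setting or a rule gets reordered.
# Assumption: "get dynamic-servers" returns the list that "print" displays.
/system script add name=check-dyn-dns policy=read,test source=":local dyn [/ip dns get dynamic-servers]; :if ([:len \$dyn] > 0) do={ :log warning (\"resolver pushed back into /ip dns dynamic-servers: \" . \$dyn) }"
/system scheduler add name=check-dyn-dns interval=10m on-event=check-dyn-dns
```

Option A is the blunt instrument: with RA processing off, prefix, route and DNS all have to come via DHCPv6, so check `/ipv6 route print` before trusting it on a remote box. Option B is narrower and keeps RA-derived routing if the ISP ever needs it, at the cost of depending on rule order. The dst-nat workaround from the first post still sends plaintext port-53 queries across the ISP link, so it changes which resolver answers, not whether the path can see or rewrite the answers; that is a separate problem from the dynamic-server entry this thread is about.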