kubotor
just joined
Topic Author
Posts: 11
Joined: Fri Aug 20, 2021 2:14 am

DNS failover for redundancy

Wed Nov 20, 2024 4:53 pm

Hi, I'm curious how exactly MikroTik's DNS implementation works.

Question 1:
In the DHCP server I'm assigning two DNS servers to my clients - are they used 50/50, or is it an active/backup setup?
And what will happen when one fails?

Question 2:
Also, for a better experience, I would like to provide customers with only a single DNS server, which would also be their GW, acting as a DNS cache.
In that case, what will happen if I define multiple DNS servers in the DNS cache and one of them fails? Are they balanced, or just active/backup?

I couldn't find a straight answer in the docs.
 
mkx
Forum Guru
Posts: 13055
Joined: Thu Mar 03, 2016 10:23 pm

Re: DNS failover for redundancy

Wed Nov 20, 2024 5:09 pm

1) It entirely depends on the DNS clients. But mostly they operate like this: start using the first DNS server. As long as replies are getting back (even if negative answers), the client will use the same DNS server. If the DNS server fails to reply, then the client switches over to using the second DNS server, and keeps using that one until it stops replying.
Which means that any configured DNS servers are supposed to hand out identical answers to any question.
I'm not entirely sure that the DNS client in ROS acts this way as well, but I don't see why it wouldn't.

2) If the clients' GW is able to act as a caching DNS server, it's IMO fine to set only that GW IP address as DNS server ... assuming that the DNS service won't fail unless the whole router fails (in which case none of the DNS servers in the universe will be accessible for clients behind that router). But you have to configure the DNS service on the GW device with multiple DNS servers (for active/standby redundancy as described above).
 
anav
Forum Guru
Posts: 22092
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: DNS failover for redundancy

Wed Nov 20, 2024 9:13 pm

Always a good topic to discuss....... I feel like DNS is like one of the key enzymes in the human body!!
Forgetting about static for now to keep it simple.......
This is for pointing out all my wrong assumptions and incorrect thinking, and for general discussion.

What I understand.
CASE A: Remote Requests NOT Enabled. DNS-SERVER not assigned on DHCP ( any entry here is meaningless in this not-enabled status )

a. The router will pass the ISP-provided DNS address to LAN devices ( assumes use-peer-dns=yes ).

b. The router will use the identified dynamic servers ( public server ) identified in IP DNS set server=1.1.1.1 internally and pass the result to users ( assumes use-peer-dns=no ).
( The router processes the request, and the public server IP is not sent directly to the user. )

Note: THE DNS-SERVER SETTING itself is useless ( no effect ) UNLESS remote requests are enabled.

CASE B: Remote Requests ENABLED: ( automatically opens up port 53 and router services and activates the dns-server setting )
a. The DNS servers entered into DHCP DNS-SERVER are now used by the router, and a valid entry is the subnet gateway IP
( assuming here the router uses either peer DNS, a dynamic server or the cache to provide answers to users ).

b. The DNS servers entered into DHCP DNS-SERVER are now used by the router, and any identified dynamic DNS servers such as 1.1.1.1 are sent directly to the LAN user for its use.

c. The DNS Server entry in DHCP is set to none --> any entered dynamic servers are not sent directly to the user
( and we assume, in case c, that this entry is here to force the user to use only the router cache, or the router to source the answer, rather than being sent directly to a dynamic server ????? ).

NOTE: When remote requests are enabled we ensure LAN users (ONLY) have access to dns services on the router input chain firewall rules.


Q1: When remote requests are NOT enabled, how does the MT device resolve DNS if
peer DNS is set to NO and there are no dynamic servers?

Now looking at WireGuard, DNS rears its ugly head again. Having a good understanding of the above helps!!
A third-party provider:
Scenario 1. gives one a specific DNS address to use,
OR
Scenario 2. does not provide a DNS.

Clearly in Scenario 1 it appears that the wg provider expects DNS requests to come through the tunnel.
In Scenario 2 it is not so clear, and thus HOW TO PROCEED??

I see two USE cases:
(i) Where the user is okay with DNS requests going out the local WAN and then traffic heading out the WireGuard tunnel
( the issue: this is called leaking to the ISP, and may or may not be acceptable to the user ).

(ii) Where the user wants the DNS requests to also go out the tunnel.

With this in mind, let's look at Scenario 1:
- We should enable remote requests and ensure the DHCP dns-server entry contains only the DNS address provided by the third party.
- We should identify a separate public server only in IP DNS; this allows the router to go out with the initial WireGuard handshake.
- We could optionally also drive the identified wg subnet(s) via dstnat to the proper address ( one rule each for UDP and TCP ):
/ip firewall nat add chain=dstnat action=dst-nat src-address=<subnet> protocol=udp dst-port=53 to-addresses=<3rdParty-DNS-address>
/ip firewall nat add chain=dstnat action=dst-nat src-address=<subnet> protocol=tcp dst-port=53 to-addresses=<3rdParty-DNS-address>

Note 1: There is no need for a specific IP route for the DNS address with gateway=wireguard table=main UNLESS the DNS address is outside the
identified WireGuard network.
Note 2: A forward chain firewall rule is required to allow subnet users to reach the WireGuard interface.

Looking at Scenario 2:
With no DNS identified by the end user, I recommend simply using the WireGuard gateway IP as the DNS address of choice.
For example, if the assigned wg address is 172.16.0.5, use 172.16.0.1 for the DNS address ( as per Scenario 1 ).

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Now moving on to the niche BTH functionality, providing an end user with a QR code etc............. One of the pertinent config lines is:
client-dns (IP/IPv6 prefix; Default: ) ---> Specify when using WireGuard Server as a VPN gateway for peer traffic.

I am assuming this is the MT router telling the client device which DNS address to use.
So the question becomes, in this case: how does this tie into the current IP DNS situation on the MT router?
What should we set up to ensure success?????
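An added example (not from the post above and not MikroTik's own text) of the two dstnat ideas in the write-up: forcing LAN clients' plain port-53 traffic to the router's cache (the "router cache only" intent of case c), and steering one subnet's queries to a VPN provider's resolver through the tunnel (Scenario 1). The interface list LAN, the subnet 192.168.89.0/24, the WireGuard interface name wireguard1 and the resolver address 172.16.0.1 are placeholders; the last one is taken from the scenario's own numbering.

```routeros
# Added example, not from the thread. Placeholders: LAN interface list, 192.168.89.0/24,
# wireguard1, 172.16.0.1. Requires /ip dns allow-remote-requests=yes plus input-chain
# rules that accept port 53 from LAN for variant 1 to work.

# Variant 1: any port-53 query from LAN that is not already addressed to the router
# (dst-address-type=!local) is redirected to the router's own resolver.
/ip firewall nat add chain=dstnat action=redirect to-ports=53 protocol=udp dst-port=53 \
    in-interface-list=LAN dst-address-type=!local comment="force LAN DNS to router cache"
/ip firewall nat add chain=dstnat action=redirect to-ports=53 protocol=tcp dst-port=53 \
    in-interface-list=LAN dst-address-type=!local comment="force LAN DNS to router cache (TCP)"

# Variant 2: one subnet's queries go to the VPN provider's resolver instead. These must
# be placed ABOVE the variant 1 rules if both are present (first dstnat match wins).
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=172.16.0.1 to-ports=53 \
    protocol=udp dst-port=53 src-address=192.168.89.0/24 \
    comment="VPN subnet DNS via WireGuard" place-before=0
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=172.16.0.1 to-ports=53 \
    protocol=tcp dst-port=53 src-address=192.168.89.0/24 \
    comment="VPN subnet DNS via WireGuard (TCP)" place-before=1

# Forward-chain rule from Note 2 above: let that subnet into the tunnel.
/ip firewall filter add chain=forward action=accept src-address=192.168.89.0/24 \
    out-interface=wireguard1 comment="VPN subnet to WireGuard"

# Verify: counters on these rules increase when a client queries e.g. 8.8.8.8 directly.
/ip firewall nat print stats where chain=dstnat
```

Only plain DNS on port 53 is caught; a client using DoH (443) or DoT (853) bypasses both variants, so this closes the leak for the default resolver configuration of most devices, not for a determined user.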
 
mkx
Forum Guru
Posts: 13055
Joined: Thu Mar 03, 2016 10:23 pm

Re: DNS failover for redundancy

Thu Nov 21, 2024 9:27 am

There are a few places where DNS servers are mentioned:
  1. /ip/dns/set servers=<list of IP addresses>
    This one is used by the DNS process in the router itself to be able to do any queries. If for nothing else, it's important for it to be working for ROS update checks (and downloads), or anything else that ROS needs to resolve.
    BTW, one can also manually set IPv6 addresses here ... regardless of the location of this configuration subtree (under /ip, which implies IPv4).
  2. /ip/dhcp-server/network
    Part of the configuration of the DHCP server, which can pass different information (in addition to IP address, subnet mask and GW address) to DHCP clients. Pretty important stuff is dns-server.
    Documentation on the DHCP server says (among other things): "By default, if there are no DNS servers configured, then the dynamic DNS Servers will be passed to DHCP clients."
  3. /ip/dhcp-client and /ipv6/dhcp-client
    One of the DHCP client properties is use-peer-dns, and it causes the client either to accept dynamic DNS server addresses from the DHCP server or not. If they are accepted, then these DNS servers will also be used in the bullets above.
  4. /interface/pppoe-client
    Similarly to the DHCP client settings, this one also has a use-peer-dns property with a similar effect.
And then there's /ip/dns/allow-remote-requests, which controls whether the DNS service in ROS is available for remote clients or not. This is a global setting, and if one doesn't want to allow internet clients, then appropriate firewall rules have to be in place (the default config is OK).

Now, @anav: what was your question in the post above? :wink:
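An added example (not from this thread and not MikroTik's own documentation) that puts the four places listed above together with the caching-gateway setup from the first reply in this thread: the router queries two upstreams itself (active/standby, as described there), DHCP hands out only the router's LAN address, and the input chain limits port 53 to LAN. The LAN prefix 192.168.88.0/24, the router address 192.168.88.1, the two upstream addresses and the LAN/WAN interface lists are assumptions; substitute your own.

```routeros
# Added example, not from the thread. Assumed: LAN 192.168.88.0/24 with the router at
# 192.168.88.1, interface lists LAN and WAN as in the default configuration, and two
# upstream resolvers (placeholders) that return identical answers for every name.

# 1. Upstreams the router's own DNS client uses (also for its own lookups, e.g. update checks).
#    It sticks with the first one that answers and moves to the next only on no reply.
/ip dns set servers=1.1.1.1,9.9.9.9 allow-remote-requests=yes cache-size=4096KiB cache-max-ttl=1d

# 2. Hand only the router's LAN address to DHCP clients. Leaving dns-server empty would
#    pass the dynamic (ISP/peer) servers straight to the clients instead.
/ip dhcp-server network set [find address="192.168.88.0/24"] dns-server=192.168.88.1

# 3. allow-remote-requests is global, so restrict port 53 on the input chain to LAN sources.
#    place-before=0 puts the accepts above any existing catch-all input drop.
/ip firewall filter add chain=input action=accept protocol=udp dst-port=53 \
    in-interface-list=LAN comment="DNS from LAN" place-before=0
/ip firewall filter add chain=input action=accept protocol=tcp dst-port=53 \
    in-interface-list=LAN comment="DNS from LAN (TCP)" place-before=1
/ip firewall filter add chain=input action=drop protocol=udp dst-port=53 \
    in-interface-list=WAN comment="never an open resolver" place-before=2
/ip firewall filter add chain=input action=drop protocol=tcp dst-port=53 \
    in-interface-list=WAN comment="never an open resolver (TCP)" place-before=3

# 4. Verify: the router shows both upstreams, and after a client lookup the answer is cached.
/ip dns print
/ip dns cache print where type=A
```

allow-remote-requests=yes with no input rules means the same resolver answers on every interface, WAN included, which is how routers end up as open resolvers abused for amplification. And because the router's DNS client stays on whichever upstream answers, the two upstreams must agree on every name; pairing a public resolver with a split-horizon one gives clients a different view depending on which upstream happens to be in use.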
 
anav
Forum Guru
Posts: 22092
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: DNS failover for redundancy

Thu Nov 21, 2024 5:05 pm

Now, @anav: what was your question in the post above? :wink:
Oh no question, I was giving you the FACTS, the bible so to speak.
I was hoping for you to state where I was dead wrong........
Apparently, I speak truth. ;-)
 
mkx
Forum Guru
Posts: 13055
Joined: Thu Mar 03, 2016 10:23 pm

Re: DNS failover for redundancy

Thu Nov 21, 2024 11:23 pm

Apparently, I speak truth. ;-)

Don't know about that ... your post was around 244 lines too long for me to even start reading it at full attentiveness.
