 
Apachez
Member Candidate
Topic Author
Posts: 145
Joined: Mon Jul 01, 2024 11:45 pm

VRF-support for DNS is broken?

Tue Jul 02, 2024 12:03 am

According to the changelog for 7.15 stable a new feature was finally added to the /ip/dns service in RouterOS:

https://download.mikrotik.com/routeros/7.15/CHANGELOG

*) dns - added VRF support;

However, I can't make this work in 7.15.1 stable nor 7.15.2 stable (or 7.16beta2).

I can verify that the VRF is properly set up along with the routing tables, because I can reach the ether1 interface both locally (on the same external switch as ether1 is connected to) and when routed through what this VRF is using as its default gateway.

Also outgoing ping and traceroute from the Mikrotik device (CRS326) towards 1.1.1.1 works.

But when I do a DNS-lookup locally I get an error:

/put [:resolve ntp.se]
failure: dns server failure

Same with going to System->Packages in webfig I get:

ERROR: could not resolve dns name (timeout)

The /ip/dns config is pretty straightforward:

/ip dns
set servers=1.1.1.1 vrf=VRF-MGMT

So what am I missing here? Has anyone in here managed to get the VRF support for /ip/dns working?
 
Apachez
Member Candidate
Topic Author
Posts: 145
Joined: Mon Jul 01, 2024 11:45 pm

Re: VRF-support for DNS is broken?

Wed Jul 03, 2024 9:21 pm

I'm guessing no one in here is using /ip/dns along with VRF?
 
Apachez
Member Candidate
Topic Author
Posts: 145
Joined: Mon Jul 01, 2024 11:45 pm

Re: VRF-support for DNS is broken?

Wed Jul 10, 2024 1:43 am

The broken VRF support for /ip/dns has been confirmed for both CRS326-24S+2Q+ and CRS112-8G-4S using both RouterOS 7.15.2 stable and 7.16beta4 testing.

Anyone in here who managed to get it working on these or some other Mikrotik model?
 
vingjfg
Member
Posts: 411
Joined: Fri Oct 20, 2023 1:45 pm

Re: VRF-support for DNS is broken?

Fri Jul 12, 2024 9:17 pm

Interesting - I have a VRF in which I have an interface getting a DHCP address and the DNS, however the DNS is still placed in the main VRF. Probably another bug.
[admin@router4] > /ip/vrf/print
Flags: X - disabled; * - builtin 
 0    ;;; Front VRF
      name="wan" interfaces=ether7,ether8 

 1  * name="main" interfaces=all 
[admin@router4] > /ip/dhcp-client/print
Columns: INTERFACE, USE-PEER-DNS, ADD-DEFAULT-ROUTE, STATUS, ADDRESS
# INTERFACE  USE-PEER-DNS  ADD-DEFAULT-ROUTE  STATUS  ADDRESS         
0 ether8     yes           yes                bound   192.168.2.238/24
[admin@router4] > /ip/dns/print
                      servers: 
              dynamic-servers: 192.168.2.1
               use-doh-server: 
              verify-doh-cert: no
   doh-max-server-connections: 5
   doh-max-concurrent-queries: 50
                  doh-timeout: 5s
        allow-remote-requests: yes
          max-udp-packet-size: 4096
         query-server-timeout: 2s
          query-total-timeout: 10s
       max-concurrent-queries: 100
  max-concurrent-tcp-sessions: 20
                   cache-size: 2048KiB
                cache-max-ttl: 1w
      address-list-extra-time: 0s
                          vrf: main
                   cache-used: 41KiB
Setting manually the DNS seems to work.
[admin@router4] > /ip/dns/set vrf=wan servers=192.168.2.1
[admin@router4] > /ip/dns/print                          
                      servers: 192.168.2.1
              dynamic-servers: 
               use-doh-server: 
              verify-doh-cert: no
   doh-max-server-connections: 5
   doh-max-concurrent-queries: 50
                  doh-timeout: 5s
        allow-remote-requests: yes
          max-udp-packet-size: 4096
         query-server-timeout: 2s
          query-total-timeout: 10s
       max-concurrent-queries: 100
  max-concurrent-tcp-sessions: 20
                   cache-size: 2048KiB
                cache-max-ttl: 1w
      address-list-extra-time: 0s
                          vrf: wan
                   cache-used: 42KiB
[admin@router4] > :resolve www.yahoo.fr
[admin@router4] > put [ :resolve www.yahoo.fr ]
13.248.158.7
[admin@router4] > put [ :resolve mikrotik.com ]              
159.148.172.205
[admin@router4] > /put [:resolve ntp.se]
194.58.200.20
Now what doesn't work anymore is using the Mikrotik as a DNS server in the main VRF. Opening a ticket with the support.
 
spippan
Member
Posts: 463
Joined: Wed Nov 12, 2014 1:00 pm

Re: VRF-support for DNS is broken?

Wed Jul 31, 2024 11:09 am

Exact same problem here on 2 CCR2004-16G-2S+ on latest stable ROSv7.15.3.
As soon as DNS is put in a VRF other than "main", resolving gets broken and stops working, despite the VRF routing table being set properly and a "ping vrf=vrfXYZ IP.of.DNS.Srv" working and showing reachability.
Created a support ticket SUP-160816.
 
Apachez
Member Candidate
Topic Author
Posts: 145
Joined: Mon Jul 01, 2024 11:45 pm

Re: VRF-support for DNS is broken?

Thu Aug 01, 2024 2:27 am

Thanks!

So then we can hopefully rule out that this would be some kind of misconfiguration on my side.

Question is how the quality assurance works over at Mikrotik, or what their config to validate this feature looks like?

I have also filed a support ticket SUP-156966 on the 24th of June, which means that 1 month and 1 week have now passed without any reply from Mikrotik on this issue :-(
 
mtest001
Frequent Visitor
Posts: 52
Joined: Mon Oct 18, 2021 12:49 am

Re: VRF-support for DNS is broken?

Tue Aug 13, 2024 11:20 am

Subscribing to this topic because I think I am suffering from the same bug.
 
nichky
Forum Guru
Posts: 1389
Joined: Tue Jun 23, 2015 2:35 pm

Re: VRF-support for DNS is broken?

Wed Aug 14, 2024 6:31 am

Logically you wouldn't be able to resolve from the main table if the DNS is in the VRF.
 
jasonkack
just joined
Posts: 1
Joined: Tue Aug 20, 2024 8:21 pm

Re: VRF-support for DNS is broken?

Tue Aug 20, 2024 8:25 pm

I'm suffering the same issue on CRS310-8G+2S+, RouterOS 7.15.3.
I have my IP address in a VRF on a specific management VLAN. The default route points in that VRF also, but when I set DNS servers that I can ping in the VRF from the device and set them in the VRF, I can't resolve anything.
 
mtest001
Frequent Visitor
Posts: 52
Joined: Mon Oct 18, 2021 12:49 am

Re: VRF-support for DNS is broken?

Tue Sep 03, 2024 11:08 am

I have opened a ticket with the support and they acknowledged the problem...
Currently VRF is supported for incoming DNS requests (if your router is the DNS server and it gets requests on VRF interfaces).
VRF for outgoing requests is not supported yet (your router connects to DNS server from VRF interface), it is in "To do" list.

Unfortunately we cannot give a clear ETA when this feature will be implemented. You will however receive an automated message when this will be fixed.
 
jaclaz
Forum Guru
Posts: 1981
Joined: Tue Oct 03, 2023 4:21 pm

Re: VRF-support for DNS is broken?

Tue Sep 03, 2024 2:14 pm

Yep, there was a photo posted some time ago, about picture on the box and actual contents, cannot find it right now, but this one will do:
Image
 
CBVista
just joined
Posts: 3
Joined: Tue May 23, 2023 7:00 am

Re: VRF-support for DNS is broken?

Wed Dec 11, 2024 10:51 pm

Logged with support #[SUP-173653]
VRF is supported only for incoming DNS requests (if your router is the DNS server, and it gets requests on VRF interfaces).

VRF for outgoing requests is not supported yet

Unfortunately, giving any ETA for when the feature will be implemented is impossible.
