VRF-support for DNS is broken?

Apachez · Tue Jul 02, 2024 12:03 am

According to the changelog for 7.15 stable a new feature was finally added to the /ip/dns service in RouterOS:

https://download.mikrotik.com/routeros/7.15/CHANGELOG

*) dns - added VRF support;

However I cant make this to work in 7.15.1 stable nor 7.15.2 stable (or 7.16beta2).

I can verify that the VRF is properly setup along with the routing tables because I can reach the ether1 interface both locally (on the same external switch as ether1 is connected to) as well as being routed through what this VRF is using as its default gateway.

Also outgoing ping and traceroute from the Mikrotik device (CRS326) towards 1.1.1.1 works.

But when I do a DNS-lookup locally I get an error:

/put [:resolve ntp.se]
failure: dns server failure

Same with going to System->Packages in webfig I get:

ERROR: could not resolve dns name (timeout)

The /ip/dns config is pretty straight forward:

/ip dns
set servers=1.1.1.1 vrf=VRF-MGMT

So what am I missing here, have someone in here managed to get the VRF-support for /ip/dns to be working?

Apachez · Wed Jul 03, 2024 9:21 pm

Im guessing noone in here are using /ip/dns along with VRF?

Apachez · Wed Jul 10, 2024 1:43 am

The broken VRF-support för /ip/dns have been confirmed for both CRS326-24S+2Q+ and CRS112-8G-4S using both RouterOS 7.15.2 stable and 7.16beta4 testing.

Anyone in here who managed to get it working on these or some other Mikrotik model?

vingjfg · Fri Jul 12, 2024 9:17 pm

Interesting - I have a VRF in which I have an interface getting a DHCP address and the DNS, however the DNS is still placed in the main VRF. Probably another bug.

[admin@router4] > /ip/vrf/print
Flags: X - disabled; * - builtin 
 0    ;;; Front VRF
      name="wan" interfaces=ether7,ether8 

 1  * name="main" interfaces=all 
[admin@router4] > /ip/dhcp-client/print
Columns: INTERFACE, USE-PEER-DNS, ADD-DEFAULT-ROUTE, STATUS, ADDRESS
# INTERFACE  USE-PEER-DNS  ADD-DEFAULT-ROUTE  STATUS  ADDRESS         
0 ether8     yes           yes                bound   192.168.2.238/24
[admin@router4] > /ip/dns/print
                      servers: 
              dynamic-servers: 192.168.2.1
               use-doh-server: 
              verify-doh-cert: no
   doh-max-server-connections: 5
   doh-max-concurrent-queries: 50
                  doh-timeout: 5s
        allow-remote-requests: yes
          max-udp-packet-size: 4096
         query-server-timeout: 2s
          query-total-timeout: 10s
       max-concurrent-queries: 100
  max-concurrent-tcp-sessions: 20
                   cache-size: 2048KiB
                cache-max-ttl: 1w
      address-list-extra-time: 0s
                          vrf: main
                   cache-used: 41KiB

Setting manually the DNS seems to work.

[admin@router4] > /ip/dns/set vrf=wan servers=192.168.2.1
[admin@router4] > /ip/dns/print                          
                      servers: 192.168.2.1
              dynamic-servers: 
               use-doh-server: 
              verify-doh-cert: no
   doh-max-server-connections: 5
   doh-max-concurrent-queries: 50
                  doh-timeout: 5s
        allow-remote-requests: yes
          max-udp-packet-size: 4096
         query-server-timeout: 2s
          query-total-timeout: 10s
       max-concurrent-queries: 100
  max-concurrent-tcp-sessions: 20
                   cache-size: 2048KiB
                cache-max-ttl: 1w
      address-list-extra-time: 0s
                          vrf: wan
                   cache-used: 42KiB
[admin@router4] > :resolve www.yahoo.fr
[admin@router4] > put [ :resolve www.yahoo.fr ]
13.248.158.7
[admin@router4] > put [ :resolve mikrotik.com ]              
159.148.172.205
[admin@router4] > /put [:resolve ntp.se]
194.58.200.20

Now what doesn't work anymore is using the Mikrotik as a DNS server in the main VRF. Opening a ticket with the support.

spippan · Wed Jul 31, 2024 11:09 am

exact same problem here on 2 CCR2004-16G-2S+ on latest stable ROSv7.15.3
as soon as DNS is put in a VRF other than "main" resolving gets broken and stops to work, despite VRF routing table is set properly and a "ping vrf=vrfXYZ IP.of.DNS.Srv" is working and shows reachability
created a support ticket SUP-160816

Apachez · Thu Aug 01, 2024 2:27 am

Thanks!

So then we can hopefully rule out that this would be some kind of misconfiguration on my side.

Question is how the quality assurance works over at Mikrotik or how their config to validate this feature looks like?

I have also filed a support ticket SUP-156966 on 24th of june which gives that it have now passed 1 month and 1 week without any reply from Mikrotik on this issue

mtest001 · Tue Aug 13, 2024 11:20 am

SUbscribing to this topic because I think I am suffering from the same bug.

nichky · Wed Aug 14, 2024 6:31 am

logicly you wouldn't be able to resolve from the main table if the DNS is in the vrf.

jasonkack · Tue Aug 20, 2024 8:25 pm

Im suffering the same issue on CRS310-8G+2S+ router os 7.15.3
I have my ip address in a vrf on a specific management vlan. default route points in that vrf also but when i set dns that i can ping in the vrf from the device and set them in the vrf, i cant resolve anything

mtest001 · Tue Sep 03, 2024 11:08 am

I have opened a ticket with the support and they acknowledged the problem...

Currently VRF is supported for incoming DNS requests (if your router is the DNS server and it gets requests on VRF interfaces).
VRF for outgoing requests is not supported yet (your router connects to DNS server from VRF interface), it is in "To do" list.

Unfortunately we cannot give a clear ETA when this feature will be implemented. You will however receive an automated message when this will be fixed.

jaclaz · Tue Sep 03, 2024 2:14 pm

Yep, there was a photo posted some time ago, about picture on the box and actual contents, cannot find it right now, but this one will do:

CBVista · Wed Dec 11, 2024 10:51 pm

Logged with support #[SUP-173653]

VRF is supported only for incoming DNS requests (if your router is the DNS server, and it gets requests on VRF interfaces).

VRF for outgoing requests is not supported yet

Unfortunately, giving any ETA for when the feature will be implemented is impossible.

paulz · Sat Dec 28, 2024 11:47 pm

Hello,

Soo... just barging in..
Can someone please explain below (how it works if possible):
*) dns - added VRF support (CLI only);
(taken from some change-logs of a recent ROS version)

Thanks and regards,
Paul

paulz · Fri Jan 03, 2025 12:13 am

Responding to my own post, it seems that this is no longer CLI only, I think newer Winbox versions matches this option in DNS, ability to select VRF.
Someone please correct me, maybe there is more to it. I would very much like DNS to work on any VRF, not only main or whatever I (single only) select in DNS section.

Regards,
Paul

spippan · Fri Jan 03, 2025 2:52 pm

Responding to my own post, it seems that this is no longer CLI only, I think newer Winbox versions matches this option in DNS, ability to select VRF.
Someone please correct me, maybe there is more to it. I would very much like DNS to work on any VRF, not only main or whatever I (single only) select in DNS section.

Regards,
Paul

hi

DNS is not yet fully VRF aware as i was told by MT support last year (unfortunately i cannot look back into the SUP ticket as of no tickets are shown to me in my account weirdly)
VRF setting here is more to be understand like to tell the DNS service on which VRF it will LISTEN for DNS REQs rather than making upstream requests in that VRF (which is not working up until this day)

infabo · Fri Jan 03, 2025 3:11 pm

As for the ticket system: there is a default filter to show only open issues in the list. you need to change the filter to "any status".

spippan · Fri Jan 03, 2025 3:31 pm

As for the ticket system: there is a default filter to show only open issues in the list. you need to change the filter to "any status".

bummer ... thanks for the hint.

spippan · Fri Jan 03, 2025 3:32 pm

Responding to my own post, it seems that this is no longer CLI only, I think newer Winbox versions matches this option in DNS, ability to select VRF.
Someone please correct me, maybe there is more to it. I would very much like DNS to work on any VRF, not only main or whatever I (single only) select in DNS section.

Regards,
Paul
hi

DNS is not yet fully VRF aware as i was told by MT support last year (unfortunately i cannot look back into the SUP ticket as of no tickets are shown to me in my account weirdly)
VRF setting here is more to be understand like to tell the DNS service on which VRF it will LISTEN for DNS REQs rather than making upstream requests in that VRF (which is not working up until this day)

so here is the last answer i got in SUP-160816

SUP-160816_03-01-2025.png

CBVista · Mon Jan 20, 2025 3:13 am

Eagerly awaiting to see this feature implemented in 7.18

VRF-support for DNS is broken?

VRF-support for DNS is broken?

Re: VRF-support for DNS is broken?

Re: VRF-support for DNS is broken?

Re: VRF-support for DNS is broken?

Re: VRF-support for DNS is broken?

Re: VRF-support for DNS is broken?

Re: VRF-support for DNS is broken?

Re: VRF-support for DNS is broken?

Re: VRF-support for DNS is broken?

Re: VRF-support for DNS is broken?

Re: VRF-support for DNS is broken?

Re: VRF-support for DNS is broken?

Re: VRF-support for DNS is broken?

Re: VRF-support for DNS is broken?

Re: VRF-support for DNS is broken?

Re: VRF-support for DNS is broken?

Re: VRF-support for DNS is broken?

Re: VRF-support for DNS is broken?

Re: VRF-support for DNS is broken?