4GSam
newbie
Topic Author
Posts: 25
Joined: Tue Dec 28, 2010 7:49 am

Show internal DNS on DHCP Clients

Wed Dec 29, 2010 5:50 am

Complete newb to Routerboard/RouterOS here. Today I was able to deploy a RouterBoard 750G as an emergency replacement in a church network that went down, which led me to some questions.

1) In Winbox when I configure the DHCP Server, I have public DNS addresses listed (obviously). However, it pushes these to all the computers in the building. I'd rather it push out its own internal IP as the DNS server and forward the DNS requests on behalf of the clients.

2) If possible, I would also like to set it to be authoritative so even if a client changes their DNS it still winds up hitting our DNS instead.

I'm assuming the second part could be done as a firewall rule (all outbound requests for port 53 that do not match our internal DNS redirect to the local IP of the DNS). However the first part I'm still unsure of. If I'm wrong on the 2nd or if there's a better way feel free to inform.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Show internal DNS on DHCP Clients

Wed Dec 29, 2010 5:58 am

You have full control over what DNS server you hand out. Turn on the DNS server under IP > DNS, then edit the IP > DHCP-Server > Network settings and set the router IP address as the DNS server.

Yes, you can enforce usage of that DNS server via a NAT rule. Assuming a WAN interface name of "WAN" it would look something like this:

/ip firewall nat
add chain=srcnat protocol=udp dst-port=53 out-interface=WAN action=redirect
add chain=srcnat protocol=tcp dst-port=53 out-interface=WAN action=redirect

Under some circumstances DNS can use TCP, might as well cover it. On a side note, that isn't called being authoritative in the context of DNS: being authoritative refers to being recognized as the official entity in control of a domain or IP block, you're just forcing use of your resolver.
 
SeaburyNorton
Frequent Visitor
Posts: 65
Joined: Tue Sep 28, 2010 9:39 pm

Re: Show internal DNS on DHCP Clients

Wed Dec 29, 2010 6:26 am

fewi wrote:
> You have full control over what DNS server you hand out. Turn on the DNS server under IP > DNS, then edit the IP > DHCP-Server > Network settings and set the router IP address as the DNS server.
>
> Yes, you can enforce usage of that DNS server via a NAT rule. Assuming a WAN interface name of "WAN" it would look something like this:
>
> /ip firewall nat
> add chain=srcnat protocol=udp dst-port=53 out-interface=WAN action=redirect
> add chain=srcnat protocol=tcp dst-port=53 out-interface=WAN action=redirect
>
> Under some circumstances DNS can use TCP, might as well cover it. On a side note, that isn't called being authoritative in the context of DNS: being authoritative refers to being recognized as the official entity in control of a domain or IP block, you're just forcing use of your resolver.

Should those not be dstnat entries?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Show internal DNS on DHCP Clients

Wed Dec 29, 2010 6:36 am

Yes! Yes, they very much should be.
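
The whole setup discussed in this thread with the dstnat correction applied, as an added example that is not any poster's own configuration. The interface names LAN and WAN, the router address 192.168.88.1 and the DHCP network 192.168.88.0/24 are assumptions; the input-chain drop rules are an addition that keeps the router's resolver from answering queries from the internet.

```routeros
# Added example. Assumed names: LAN and WAN interfaces, router LAN address
# 192.168.88.1, DHCP network 192.168.88.0/24. Substitute your own values.

# 1) Let the router answer DNS queries from clients (IP > DNS).
/ip dns set allow-remote-requests=yes

# 2) Hand out the router itself as the DNS server (IP > DHCP-Server > Networks).
/ip dhcp-server network set [find address=192.168.88.0/24] dns-server=192.168.88.1

# 3) As first posted in the thread (kept here only for comparison):
#    add chain=srcnat protocol=udp dst-port=53 out-interface=WAN action=redirect
#    redirect rewrites the destination, so it belongs in dstnat, not srcnat.

# 3) Corrected: dstnat is evaluated before routing, where only the inbound
#    interface is known, so match in-interface instead of out-interface.
/ip firewall nat
add chain=dstnat in-interface=LAN protocol=udp dst-port=53 action=redirect to-ports=53 comment="force DNS to router (UDP)"
add chain=dstnat in-interface=LAN protocol=tcp dst-port=53 action=redirect to-ports=53 comment="force DNS to router (TCP)"

# 4) allow-remote-requests makes the resolver answer on every interface; drop
#    queries arriving from the WAN so the router is not an open resolver.
/ip firewall filter
add chain=input in-interface=WAN protocol=udp dst-port=53 action=drop comment="no DNS from WAN (UDP)"
add chain=input in-interface=WAN protocol=tcp dst-port=53 action=drop comment="no DNS from WAN (TCP)"
```

Filter rules are evaluated in order, so the two drop rules must sit above any rule that would accept that traffic. The redirect only catches plain DNS on port 53; `/ip firewall nat print stats` shows whether client queries are hitting it.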
 
4GSam
newbie
Topic Author
Posts: 25
Joined: Tue Dec 28, 2010 7:49 am

Re: Show internal DNS on DHCP Clients

Fri Dec 31, 2010 6:38 am

Great, thanks! I think I figured it out. It wasn't really the most straightforward process, but it's what I want.
 
dssmiktik
Forum Veteran
Posts: 732
Joined: Fri Aug 17, 2007 8:42 am

Re: Show internal DNS on DHCP Clients

Fri Dec 31, 2010 12:28 pm

Mikrotik is more of a "do it yourself" when configuring. They do have a pretty good Wiki at http://wiki.mikrotik.com