nuskope
Frequent Visitor
Topic Author
Posts: 73
Joined: Wed Oct 22, 2008 3:11 pm
Location: Adelaide, South Australia

DNS Remote Requests

Thu Apr 02, 2015 8:50 am

Hi All,

Having one of those days today.
So our main DNS server stopped working, and while we have a backup, I figured I'll set up DNS to work from one of our spare CCRs that's doing nothing.

I have tried this in the past and then noticed the same issue but I didn't bother giving it too much time.

So I have a dedicated CCR that I have set up only to do DNS (with around 4000 customers using it as a secondary DNS server):
/ip dns
set allow-remote-requests=yes cache-max-ttl=12h cache-size=32768KiB max-udp-packet-size=8192 query-total-timeout=50s servers=8.8.8.8,8.8.4.4,111.118.193.7,210.5.35.1
I also have a firewall rule to block remote requests:
/ip firewall filter
add action=log chain=notes comment="DNS Firewall"
add action=drop chain=input disabled=yes dst-port=53 protocol=udp src-address-list=!Nuskope_Internal
add action=drop chain=input disabled=yes dst-port=53 protocol=tcp src-address-list=!Nuskope_Internal
Here is my problem: it worked totally fine for 2-3 hours, and now it doesn't work at all / is very slow.
When I set a remote computer, or mine at work, to use it I get "DNS request times out".
Sometimes, 1 in 20 attempts, it works.

- If I flush the cache it makes no difference.
- I have upgraded and then downgraded firmware (rebooted) and still no joy.
- I have modified the UDP max packet size and the cache size.
- Running 6.27.
- I have tried disabling the firewall rules as above.
- If I do a lookup directly on the MikroTik it works fine and is instant.
- I have tried using different DNS servers (static) set on the router.

Any thoughts on what I can do...
 
dada
Member Candidate
Posts: 245
Joined: Tue Feb 21, 2006 1:44 pm

Re: DNS Remote Requests

Thu Apr 02, 2015 9:13 am

Do you know that the drop rules you sent are disabled? If it is not a mistake (config taken when you were testing something), the packets are not dropped and will reach the DNS resolver. So you have an open DNS resolver, which will be detected by remote probes and abused (sooner or later).
 
nuskope
Frequent Visitor
Topic Author
Posts: 73
Joined: Wed Oct 22, 2008 3:11 pm
Location: Adelaide, South Australia

Re: DNS Remote Requests

Thu Apr 02, 2015 6:02 pm

Yes, I know they were disabled; I forgot to remove that from the export.
At the time I exported them I had them off for debugging.

...regardless, that's not the cause of the problem. :(
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: DNS Remote Requests

Thu Apr 02, 2015 8:11 pm

Could one of the CCR's configured remote DNS servers be failing and it just so happens that this is the one the router will try using first? I had the same thing when 4.2.2.2 stopped answering DNS queries to me the other day....
(yes, 4.2.2.2!)
 
nuskope
Frequent Visitor
Topic Author
Posts: 73
Joined: Wed Oct 22, 2008 3:11 pm
Location: Adelaide, South Australia

Re: DNS Remote Requests

Fri Apr 03, 2015 2:35 am

Could one of the CCR's configured remote DNS servers be failing and it just so happens that this is the one the router will try using first? I had the same thing when 4.2.2.2 stopped answering DNS queries to me the other day....
(yes, 4.2.2.2!)
Tried that. I was actively testing 8.8.8.8 on one computer and my router's IP on another (removed all other DNS servers).
I even tried setting the remote DNS servers to our primary DNS, which was definitely working. No help at all.
Notably, even things in the cache ('google.com.au') and static entries would not resolve.

It feels like the router couldn't cope with the requests and was simply not responding, but the CPU load was only 1% at most.
 
dada
Member Candidate
Posts: 245
Joined: Tue Feb 21, 2006 1:44 pm

Re: DNS Remote Requests

Fri Apr 03, 2015 8:06 am

Hi,

I am not using ROS as a DNS server, so I have no direct experience with it. But IMHO it is much better to run DNS caching resolvers on another operating system. I think bind or unbound on Linux is a good option. And you could use a full caching recursive DNS (not just a DNS forwarder as in ROS) with the possibility to limit access to a set of IP ranges or interfaces (not using the packet filter to stop unwanted packets). The performance will be better and you will have much wider config and debug options, including utilities like dig/nslookup you can use to see if DNS resolution is working fine.

On ROS you could try:
- Enable debug logging (/system logging). ROS could log something useful.
- dig/nslookup to check what is wrong. You could see if the DNS responds at all or sends some error message (stop the firewall first).
- Packet trace: by sniffing the DNS traffic and analyzing it you can see if there is not too much traffic, if the Google DNS servers respond, if there are attempts to abuse your (possibly) open DNS resolver, etc. It is better to analyze sniffed packets in Wireshark (or another packet analyzer) on Windows/Linux.
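As an added example (not code from this thread), here is a stdlib-only Python probe that does what the dig suggestion above aims at: it sends a batch of plain DNS queries at the router's resolver and tallies whether each one times out (the symptom in the first post), comes back REFUSED (an access-control reply), or SERVFAILs (a failing upstream forwarder, as ZeroByte suggested). RESOLVER and QNAME are placeholders; the packet builder and the reply classifier are the parts worth reusing.

```python
import socket
import struct
import time

# Placeholders (assumption, not values from the thread): point RESOLVER at the
# router that has allow-remote-requests=yes and QNAME at a name it should resolve.
RESOLVER = "192.0.2.1"
QNAME = "example.com"

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(qname, txid=0x1234):
    """Minimal DNS A query: header with RD set, one question, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(data, txid=0x1234):
    """Short verdict derived from the 12-byte DNS header of a reply."""
    if len(data) < 12:
        return "malformed"
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        return "txid-mismatch"
    if not flags & 0x8000:          # QR bit clear: this is not a response
        return "not-a-response"
    rcode = flags & 0x000F
    if rcode == 0 and an == 0:
        return "NOERROR-empty"      # answered, but with no records
    return RCODES.get(rcode, "RCODE%d" % rcode)

def probe(resolver, qname, attempts=20, timeout=2.0):
    """Query the resolver repeatedly; 'timeout' counts queries that got no reply at all."""
    tally = {}
    for i in range(attempts):
        txid = 0x1000 + i
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(timeout)
        t0 = time.monotonic()
        try:
            sock.sendto(build_query(qname, txid), (resolver, 53))
            data, _ = sock.recvfrom(4096)
            verdict = classify_response(data, txid)
        except socket.timeout:
            verdict = "timeout"
        finally:
            sock.close()
        tally[verdict] = tally.get(verdict, 0) + 1
        print("%2d %-14s %.0f ms" % (i + 1, verdict, (time.monotonic() - t0) * 1000))
    return tally

if __name__ == "__main__":
    print(probe(RESOLVER, QNAME))
```

Run it from an internal address while the firewall rules are disabled to separate "no reply" from "error reply"; run it from outside with the rules enabled and the only acceptable outcomes are timeout or REFUSED.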
 
multipath2015
just joined
Posts: 5
Joined: Wed Jan 14, 2015 7:46 pm

Re: DNS Remote Requests

Fri Apr 03, 2015 9:30 am

I can confirm too, there is a problem with the 6.27 DNS server. It is very flaky and times out often. In my setup, I have the firewall rules in place to prevent the server from being an open DNS server.

I sent an email containing the support file to support at mikrotik.com but heard nothing back, not even a ticket number.
