scotters
just joined
Topic Author
Posts: 9
Joined: Tue May 26, 2015 8:47 am

Point to Internal DNS server

Fri Jun 05, 2015 1:23 am

Attached is the very basic but sanitized config. What I'm looking to do is point DNS back to an internal server on the LAN side...tried adding as a static DNS server, but it didn't seem to like that (clients after a few minutes not connecting to sites, etc).
config6415.txt
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Point to Internal DNS server

Fri Jun 05, 2015 4:09 pm

I see LAN 192.168.1.0/24, router having 192.168.1.1 and DHCP server giving out 192.168.88.1 as DNS resolver, which is not on the router. Whatever you put in DNS on this router, no client will use, so I'm not sure how changing static DNS could influence anything.

What exactly are you trying to do?
 
scotters
just joined
Topic Author
Posts: 9
Joined: Tue May 26, 2015 8:47 am

Re: Point to Internal DNS server

Fri Jun 05, 2015 5:47 pm

Ah, so there's a remnant of the default setup (the 192.168.88.1) in there. How do I change that out and have it point back to an internal LAN address of 192.168.1.5, for example?
 
scotters
just joined
Topic Author
Posts: 9
Joined: Tue May 26, 2015 8:47 am

Re: Point to Internal DNS server

Fri Jun 05, 2015 6:11 pm

OK, found the setting and temporarily changed it to external DNS. Are there any issues with RouterOS in making it an internal DNS server?
 
IntrusDave
Forum Guru
Posts: 1286
Joined: Fri May 09, 2014 4:36 am
Location: Rancho Cucamonga, CA

Re: Point to Internal DNS server

Sat Jun 06, 2015 9:55 am

No issues.
I use this type of setup too. My CCR is my gateway (192.168.1.1), DNS, and DHCP server. The DNS uses an internal IP (192.168.1.5). That server (a FreeBSD box) uses dnsmasq as well as dnscrypt-proxy to serve DNS requests. I also have the CCR doing NAT to redirect any stray DNS requests back to the .5 box.
 
scotters
just joined
Topic Author
Posts: 9
Joined: Tue May 26, 2015 8:47 am

Re: Point to Internal DNS server

Sat Jun 06, 2015 5:37 pm

How did you set that last part up?
I also have the CCR doing NAT to redirect any stray DNS requests back to the .5 box.
 
error216216
newbie
Posts: 25
Joined: Fri May 23, 2014 2:07 am

Re: Point to Internal DNS server

Sun Jun 07, 2015 2:38 am

How did you set that last part up?
I also have the CCR doing NAT to redirect any stray DNS requests back to the .5 box.
This is how I redirect all DNS requests to the MikroTik router so the client uses the MikroTik DNS instead of some manually entered DNS on the client's device:
/ip firewall nat
add action=dst-nat chain=dstnat comment="Redirect DNS traffic to local DNS UDP" disabled=no dst-address-list=!LAN \
    dst-port=53 log-prefix=DNS-redirect protocol=udp src-address-list=LAN to-addresses=192.168.77.1 to-ports=53
add action=dst-nat chain=dstnat comment="Redirect DNS traffic to local DNS TCP" disabled=no dst-address-list=!LAN \
    dst-port=53 log-prefix=DNS-redirect protocol=tcp src-address-list=LAN to-addresses=192.168.77.1 to-ports=53
You can change the to-addresses to 192.168.1.5 and remove dst-address-list=!LAN and src-address-list=LAN if you don't have an access list with the LAN IPs, and maybe add out-interface=ether1-gateway so it will apply only to traffic that wants to go through the ether1 port. I usually create an access list named LAN that contains the LAN subnets so I can manage the filter rules more easily.

This will redirect all traffic that wants to use port 53 to the desired IP address.

The code modified to your needs:
/ip firewall nat
# out-interface cannot be matched in the dstnat chain (it runs before routing), so match the LAN subnet 192.168.1.0/24 instead; the two accept rules keep the DNS server's own upstream queries from being redirected back to itself.
add action=accept chain=dstnat comment="Pass the DNS server's own upstream queries UDP" dst-port=53 protocol=udp src-address=192.168.1.5
add action=accept chain=dstnat comment="Pass the DNS server's own upstream queries TCP" dst-port=53 protocol=tcp src-address=192.168.1.5
add action=dst-nat chain=dstnat comment="Redirect DNS traffic to local DNS UDP" disabled=no dst-address=!192.168.1.5 dst-port=53 log-prefix=DNS-redirect protocol=udp src-address=192.168.1.0/24 to-addresses=192.168.1.5 to-ports=53
add action=dst-nat chain=dstnat comment="Redirect DNS traffic to local DNS TCP" disabled=no dst-address=!192.168.1.5 dst-port=53 log-prefix=DNS-redirect protocol=tcp src-address=192.168.1.0/24 to-addresses=192.168.1.5 to-ports=53
You should also change the IP you hand out to clients via DHCP to 192.168.1.5:
/ip dhcp-server network set 0 dns-server=192.168.1.5
 
IntrusDave
Forum Guru
Posts: 1286
Joined: Fri May 09, 2014 4:36 am
Location: Rancho Cucamonga, CA

Re: Point to Internal DNS server

Sun Jun 07, 2015 8:54 am

I do basically the same as above, with a slight variation.
add action=dst-nat chain=dstnat dst-address=!192.168.1.5 dst-port=53 in-interface=ether1 log=yes log-prefix="DNS Redirect" protocol=udp src-address=!192.168.1.5 to-addresses=192.168.1.5 to-ports=53
add action=dst-nat chain=dstnat dst-address=!192.168.1.5 dst-port=53 in-interface=ether1 log=yes log-prefix="DNS Redirect" protocol=tcp src-address=!192.168.1.5 to-addresses=192.168.1.5 to-ports=53
Explanation: any DNS activity on ether1 (the LAN) that is *NOT* going to .5 gets directed to .5.
DNS activity coming from .5 gets left alone. If you don't make that exclusion, you are going to get stuck in a loop.
 
coylh
Member Candidate
Posts: 159
Joined: Tue Jul 12, 2011 12:11 am

Re: Point to Internal DNS server

Fri Aug 07, 2015 7:05 am

What is the scenario where a loop happens?

I'm using something similar, but without protection from the router's own lookups (by ip):
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=!192.168.0.1 dst-port=53 in-interface=ether1-lan protocol=udp to-addresses=192.168.0.1 to-ports=53
add action=dst-nat chain=dstnat dst-address=!192.168.0.1 dst-port=53 in-interface=ether1-lan protocol=tcp to-addresses=192.168.0.1 to-ports=53
 
IntrusDave
Forum Guru
Posts: 1286
Joined: Fri May 09, 2014 4:36 am
Location: Rancho Cucamonga, CA

Re: Point to Internal DNS server

Fri Aug 07, 2015 7:09 am

In my example, with .5 being my internal DNS server, if I did not exclude that IP, it would be redirected to itself, causing all DNS to fail.
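The loop IntrusDave describes, and what the address matchers on his rules buy you, can be seen on concrete packets with a small model of how RouterOS walks the dstnat chain. This is an added example, not code from the thread and not RouterOS itself: it imitates only first-match semantics for the matchers the posted rules use (in-interface, protocol, dst-port, src-address, dst-address). Addresses follow the thread (192.168.1.5 is the internal DNS server, ether1 the LAN interface); the WAN interface name, the public test addresses and the sample packets are constructed for this example.

```python
"""Toy model of RouterOS dstnat matching for the DNS-redirect rules in this thread.

Added example, not RouterOS code and not from any post above. It imitates the
first-match evaluation of /ip firewall nat chain=dstnat for a few matchers so
the redirect loop, and the effect of dropping the LAN restriction, show up on
concrete packets. 192.168.1.5 and ether1 follow the thread; everything else
(WAN interface name, public addresses, sample packets) is constructed.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional, Union

DNS_SERVER = "192.168.1.5"
LAN = "ether1"
WAN = "ether2"  # assumed name for the upstream interface, not from the thread


@dataclass(frozen=True)
class Packet:
    in_iface: str
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """A dst-nat rule. None means 'any'; a leading '!' negates, as in RouterOS."""
    to_address: str
    in_iface: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    src: Optional[str] = None  # address or prefix, e.g. "!192.168.1.5" or "192.168.1.0/24"
    dst: Optional[str] = None


def _match_exact(spec: Union[str, int, None], value: Union[str, int]) -> bool:
    if spec is None:
        return True
    if isinstance(spec, str) and spec.startswith("!"):
        return value != spec[1:]
    return value == spec


def _match_addr(spec: Optional[str], addr: str) -> bool:
    if spec is None:
        return True
    negated = spec.startswith("!")
    inside = ip_address(addr) in ip_network(spec.lstrip("!"), strict=False)
    return inside != negated


def matches(rule: Rule, pkt: Packet) -> bool:
    return (_match_exact(rule.in_iface, pkt.in_iface)
            and _match_exact(rule.proto, pkt.proto)
            and _match_exact(rule.dport, pkt.dport)
            and _match_addr(rule.src, pkt.src)
            and _match_addr(rule.dst, pkt.dst))


def dstnat(rules, pkt: Packet) -> Packet:
    """Apply the first matching rule, as RouterOS walks a chain top to bottom."""
    for rule in rules:
        if matches(rule, pkt):
            return replace(pkt, dst=rule.to_address)
    return pkt


def loops_back(rules) -> bool:
    """True if the DNS server's own upstream query is handed straight back to it."""
    upstream = Packet(LAN, "udp", DNS_SERVER, "8.8.8.8", 53)  # constructed
    return dstnat(rules, upstream).dst == DNS_SERVER


def _pair(**kw):
    """One rule per protocol, port 53, redirecting to the internal server."""
    return [Rule(to_address=DNS_SERVER, dport=53, proto=p, **kw) for p in ("udp", "tcp")]


# Three rule shapes from the thread, all aimed at 192.168.1.5:
NO_SRC_EXCLUSION = _pair(in_iface=LAN, dst="!" + DNS_SERVER)                           # dst excluded only
WITH_SRC_EXCLUSION = _pair(in_iface=LAN, src="!" + DNS_SERVER, dst="!" + DNS_SERVER)   # IntrusDave's form
UNRESTRICTED = _pair(dst="!" + DNS_SERVER)                                              # no interface or source matcher

# Constructed sample packets.
CLIENT_TO_PUBLIC = Packet(LAN, "udp", "192.168.1.50", "8.8.8.8", 53)
CLIENT_TO_SERVER = Packet(LAN, "udp", "192.168.1.50", DNS_SERVER, 53)
WAN_PROBE = Packet(WAN, "udp", "203.0.113.7", "198.51.100.2", 53)  # aimed at the router's WAN address

if __name__ == "__main__":
    for name, rules in (("no src exclusion", NO_SRC_EXCLUSION),
                        ("with src exclusion", WITH_SRC_EXCLUSION),
                        ("unrestricted", UNRESTRICTED)):
        print(f"{name:20} client->8.8.8.8 becomes {dstnat(rules, CLIENT_TO_PUBLIC).dst:14}"
              f" loop={loops_back(rules)!s:5} WAN probe becomes {dstnat(rules, WAN_PROBE).dst}")
```

Two things the run makes visible. First, the loop only exists because the resolver sits on the LAN side: its upstream queries enter the router on ether1 and pass through dstnat like any client's, so a rule that excludes only the destination rewrites them back to 192.168.1.5. Redirecting to the router's own address, as error216216 and coylh do, has no such problem, since lookups the router itself originates go through the output chain, not dstnat. Second, the variant with no interface or source matcher also rewrites anything that reaches port 53 on the router's WAN address, which hands the internal resolver to the outside unless a forward-chain filter drops it; keeping in-interface or src-address (or the LAN address list) on the rule is what prevents that.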