lamclennan
just joined
Topic Author
Posts: 18
Joined: Wed Aug 17, 2016 8:14 am
Location: Mungindi

L7 Rule For DNS

Mon Sep 12, 2016 8:24 am

Can someone help me with how I might do this?

I have access to a DNS64 server (and gateway but the setup is out of my control). However, it is far from local (opposite side of the world).

So ideally, in my IPv6-only set-up, I'd like normal AAAA DNS requests to land on the local DNS server so IPv6-enabled sites such as Facebook can be speedy. However, if the request for an AAAA record receives NOERROR and ANSWER 0, i.e. no AAAA records (i.e. Twitter), I would then like to forward this request on to the DNS64 (IPv6 address) server, which will return an answer pointing towards the NAT64 gateway.

Any suggestions on how I might do that? Otherwise it's a 360ms trip to the resolver. Won't be nice on Skype and the like.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: L7 Rule For DNS

Mon Sep 12, 2016 2:56 pm

I don't think you can do it, and not just with RouterOS.

First, it's definitely not anything you could do with L7 and simple firewall rules, because if you need to wait for an answer, you'd then have to resend the original question/packet to a different server, but you don't have it anymore. You'd need to use a DNS resolver/proxy, which can have multiple DNS servers and ask another if it doesn't get a reply from one. But there's another problem, because such resolvers operate with the assumption that all configured DNS servers are equal in knowledge. So if one does reply but doesn't have an answer, there's no point asking another. That's a problem for you.

What you want is technically possible for sure, but you'd probably need to write a custom DNS resolver. At least I don't remember seeing this functionality anywhere.
 
lamclennan
just joined
Topic Author
Posts: 18
Joined: Wed Aug 17, 2016 8:14 am
Location: Mungindi

Re: L7 Rule For DNS

Tue Sep 13, 2016 3:48 am

You're right. It occurred to me while trying to sleep last night that I couldn't simply retry or forward the request again. Would it be possible to drop replies from the resolver where there are no AAAA entries so it will try the next resolver configured? I'm not familiar with what that might do other than make those domains take longer to resolve. For every request, does it go to resolver 1 and, if that fails, go to resolver 2, or does it see that 1 has failed once and then start using 2, trying 1 again after a random or specified time?
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: L7 Rule For DNS

Tue Sep 13, 2016 4:51 am

I believe it would be possible to make a regexp for reply packets without an answer, drop them and, by doing so, force the question to another upstream resolver.

There is no exact order in which the resolvers are used; it can be thought of as being pretty much random. But the most likely optimization (if there is one) would be to use the fastest one. There would be a huge difference in speed between yours, and since the seemingly failing one would be the fast local resolver, there should in theory be a very good reason to return to it as soon as possible.

I can't say anything for sure, it would be interesting to test it and see how exactly it would behave.
 
lamclennan
just joined
Topic Author
Posts: 18
Joined: Wed Aug 17, 2016 8:14 am
Location: Mungindi

Re: L7 Rule For DNS

Tue Sep 13, 2016 8:43 am

Waiting on my device to show up. Ordered online from a store that said in stock but it wasn't. Been waiting for weeks. Very annoying.

I think this regexp will catch it. It's a bit hard given the NULLs are stripped. Maybe someone can cast their eye over it.
add comment="DNS No AAAA Records" name=dnsaaaamanip regexp="^.\?.\?\81\80\01\01.\?.\?[\01-\?\][a-z0-9][\01-\?a-z]*\1C\01\C0\0C\06"
It should match DNS packets where it's a standard query response with no error with 1 question and 1 authority (having the SOA) from any address where an AAAA type was requested with a QCLASS of 1 and an SOA is returned.

I'm sure someone's eyes are bleeding reading this workaround... if it even works.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: L7 Rule For DNS

Tue Sep 13, 2016 5:56 pm

Nice. With a few adjustments, it so far seems to work OK here. Clear version (to paste in WinBox):
^.?.?\x81\x80\x01\x01.?.?([\x01-\?][a-z0-9\-_]+)+\x1c\x01\xc0.\x06
Exported version (as if the previous didn't look ugly enough ;)):
/ip firewall layer7-protocol
add name="no AAAA answer" \
    regexp="^.\?.\?\\x81\\x80\\x01\\x01.\?.\?([\\x01-\\\?][a-z0-9\\-_]+)+\\x1c\\x01\\xc0.\\x06"
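To see what the pattern above actually keys on, here is an added Python example (not from the thread or from RouterOS) that builds a constructed DNS reply, emulates the L7 matcher's NUL stripping before applying the regex, and compares the result with a structural parse of the same reply; the mixed-case name is one input the `[a-z0-9\-_]` class misses.

```python
import re
import struct

# The WinBox-form regex from the thread, as a Python bytes pattern. RouterOS's L7
# matcher strips NUL bytes before matching, so it is written against NUL-stripped data.
NO_AAAA_RE = re.compile(
    rb"^.?.?\x81\x80\x01\x01.?.?([\x01-\?][a-z0-9\-_]+)+\x1c\x01\xc0.\x06", re.DOTALL)

QTYPE_AAAA, QTYPE_SOA = 0x1C, 0x06

def encode_name(name):
    """Dotted name -> DNS labels (length byte + label), terminated by a zero byte."""
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"

def build_aaaa_response(name, answer=False, txid=0x1234):
    """Constructed sample reply to an AAAA query, flags 0x8180 (QR, RD, RA, NOERROR).
    answer=False: 0 answers, 1 SOA in authority (the 'no AAAA' case the regex targets).
    answer=True:  1 AAAA answer, nothing in authority."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, int(answer), int(not answer), 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE_AAAA, 1)
    if answer:  # name pointer to offset 12, type AAAA, class IN, TTL, 16-byte address
        rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_AAAA, 1, 300, 16) + bytes.fromhex("20010db8" + "00" * 12)
    else:       # SOA with RDLENGTH 0: enough for both matchers, not a valid SOA record
        rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_SOA, 1, 300, 0)
    return header + question + rr

def l7_matches(packet):
    """Emulate the RouterOS L7 check: drop NULs, then match the anchored regex."""
    return NO_AAAA_RE.match(packet.replace(b"\x00", b"")) is not None

def is_empty_aaaa_response(packet):
    """Structural check the regex approximates: QR set, RCODE 0, QDCOUNT 1, ANCOUNT 0, QTYPE AAAA."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if not flags & 0x8000 or flags & 0x000F or qdcount != 1 or ancount != 0:
        return False
    off = 12
    while packet[off]:                 # walk the QNAME labels to the terminating zero byte
        off += 1 + packet[off]
    return struct.unpack("!H", packet[off + 1:off + 3])[0] == QTYPE_AAAA

if __name__ == "__main__":
    for name, ans in (("twitter.com", False), ("facebook.com", True), ("Twitter.com", False)):
        pkt = build_aaaa_response(name, ans)
        print(f"{name:13} answers={int(ans)} regex={l7_matches(pkt)!s:5} parsed={is_empty_aaaa_response(pkt)}")
```

Note that after NUL stripping the header bytes `01 01` are the same for "1 question, 1 authority" and "1 question, 1 answer", so the regex is really relying on the SOA type byte at the end to tell the two apart.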
 
lamclennan
just joined
Topic Author
Posts: 18
Joined: Wed Aug 17, 2016 8:14 am
Location: Mungindi

Re: L7 Rule For DNS

Wed Sep 14, 2016 1:40 am

Thanks. I've just been testing and that regexp works well.

Unfortunately the DNS server just moves to the next one and never returns.

My current thinking on how to overcome this is to add an address-list entry every time there is DNS traffic from the secondary server and then trigger a script to set the DNS servers again and clear the address-list.

Bit convoluted, but oh well. Has to be better than 100% of geo-type traffic landing on the other side of the world.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: L7 Rule For DNS

Wed Sep 14, 2016 4:21 am

I would have a very nice (by crazy-ideas standards) script-less solution, but unfortunately it only works with IPv4, because it needs NAT. :(

So just for fun (or perhaps it might inspire some other ideas I didn't think of):

1) The resolver would have to be a machine in the LAN, with this config:
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
Where 8.8.8.8 is the primary resolver and the backup is not set here at all.

2) The real work is done by the gateway:
/ip firewall mangle
add action=mark-connection chain=prerouting layer7-protocol="no AAAA answer" new-connection-mark=\
    zero-answers protocol=udp src-address=8.8.8.8 src-port=53
add action=add-src-to-address-list address-list=dns address-list-timeout=3s chain=prerouting \
    connection-mark=zero-answers
/ip firewall filter
add action=drop chain=forward connection-mark=zero-answers
/ip firewall nat
add action=dst-nat chain=dstnat dst-address-list=dns to-addresses=8.8.4.4
If it sees a reply packet from the primary resolver and it contains zero answers, it adds a short-lived address-list entry with the primary resolver's address and drops the packet. The internal resolver does not receive any reply, so it tries to ask again after a second. But this time the router catches the request and redirects it to the backup resolver (8.8.4.4) instead.

It's tested and working fine, but again, no NAT for IPv6 means no joy there.
 
lamclennan
just joined
Topic Author
Posts: 18
Joined: Wed Aug 17, 2016 8:14 am
Location: Mungindi

Re: L7 Rule For DNS

Wed Sep 14, 2016 9:14 am

Taking on your approach.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall layer7-protocol
add name="no AAAA answer" regexp="^.\?.\?\\x81\\x80\\x01\\x01.\?.\?([\\x01-\\\?][a-z0-9\\-_]+)+\\x1c\\x01\\xc0.\\x06"
/ip firewall filter
add action=add-dst-to-address-list address-list="AAAA Pre Received" address-list-timeout=1s chain=input dst-address=192.168.153.129 in-interface=ether1 layer7-protocol="no AAAA answer" protocol=udp src-address=8.8.8.8 src-port=53
add action=drop chain=input dst-address=192.168.153.129 in-interface=ether1 layer7-protocol="no AAAA answer" protocol=udp src-address=8.8.8.8 src-port=53
add action=add-dst-to-address-list address-list="Waiting For Timeout" address-list-timeout=1s chain=input dst-address=192.168.153.129 dst-address-list="AAAA Pre Received" in-interface=ether1 protocol=udp src-address=!8.8.8.8 \
    src-address-list="AAAA Dropped Once" src-port=53
add action=add-src-to-address-list address-list="AAAA Dropped Once" address-list-timeout=1s chain=input dst-address=192.168.153.129 dst-address-list="!Waiting For Timeout" in-interface=ether1 protocol=udp src-address=!8.8.8.8 \
    src-address-list="AAAA Received" src-port=53
add action=drop chain=input dst-address=192.168.153.129 dst-address-list="!Waiting For Timeout" in-interface=ether1 protocol=udp src-address=!8.8.8.8 src-address-list="AAAA Received" src-port=53
add action=add-src-to-address-list address-list="AAAA Received" address-list-timeout=1s chain=input dst-address=192.168.153.129 dst-address-list="AAAA Pre Received" in-interface=ether1 protocol=udp src-address=!8.8.8.8 \
    src-address-list="!AAAA Received" src-port=53
add action=drop chain=input dst-address=192.168.153.129 dst-address-list="!Waiting For Timeout" in-interface=ether1 protocol=udp src-address=!8.8.8.8 src-address-list="!AAAA Received" src-port=53
Use of the secondary server is allowed while it knows there was a failed AAAA lookup. It allows one request, then blocks the next, and allows any after that until the list that allowed it in the first place expires.

I've used one second, but the lists stay alive for more like 5 anyway.

Edit: here I was thinking programming PLCs in ladder logic would teach me nothing, haha. I definitely pay more attention to how to use execution order to my advantage now.
 
lamclennan
just joined
Topic Author
Posts: 18
Joined: Wed Aug 17, 2016 8:14 am
Location: Mungindi

Re: L7 Rule For DNS

Thu Sep 22, 2016 2:55 pm

There is no L7 matcher for IPv6.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: L7 Rule For DNS

Thu Sep 22, 2016 3:51 pm

You're right, I didn't even notice that. Unfortunately, quite a few IPv6 features are missing in the current RouterOS. I have high hopes for the future RouterOS 7 (as does everyone else), but nobody knows when it will be out and what exactly it will be able to do.
 
lamclennan
just joined
Topic Author
Posts: 18
Joined: Wed Aug 17, 2016 8:14 am
Location: Mungindi

Re: L7 Rule For DNS

Fri Sep 23, 2016 9:00 am

It's all good. I've just reverted to native IPv6 only.

There is a fair amount missing around IPv6. However, some of it only I would want. Other environments would have other dedicated hardware for such things.