 
hazartilirot
newbie
Topic Author
Posts: 31
Joined: Thu Sep 17, 2020 11:48 pm
Location: Lviv

Inner DNS server doesn't resolve domain names for hotspot users

Thu Oct 01, 2020 5:03 pm

Good day,

Well I've got two subnets

192.168.10.0/24 - the main
192.168.20.0/24 - a hotspot

192.168.10.252 is a BIND DNS server. It resolves DNS requests in the main subnet, but it doesn't for users in the hotspot.

/ip firewall filter
add action=accept chain=forward disabled=yes dst-address=192.168.10.252 dst-port=53 protocol=tcp src-address=192.168.20.0/24
add action=accept chain=forward disabled=yes dst-address=192.168.20.0/24 dst-port=53 protocol=tcp src-address=192.168.10.252
add action=accept chain=forward disabled=yes dst-address=192.168.20.0/24 dst-port=53 protocol=udp src-address=192.168.10.252
add action=accept chain=forward disabled=yes dst-address=192.168.10.252 dst-port=53 protocol=udp src-address=192.168.20.0/24

I thought I needed to forward port 53 - it didn't help. What the heck?
 
hazartilirot

Re: Inner DNS server doesn't resolve domain names for hotspot users

Thu Oct 01, 2020 8:19 pm

Update: I opened Hotspot and created a new rule for hotspot users so that they could reach my DNS server in the main subnet.
/ip hotspot walled-garden ip> print detail

 0   ;;; Allowing hotspot users to communicate with DNS Server in the other subnet
     server=hotspot1 src-address=192.168.20.0/24 dst-address=192.168.10.252 protocol=tcp dst-port=53 action=accept

 1   ;;; Allowing hotspot users to communicate with DNS Server in the other subnet
     server=hotspot1 src-address=192.168.20.0/24 dst-address=192.168.10.252 protocol=udp dst-port=53 action=accept

It didn't help either! All DNS requests are going through the router.
 
tippenring
Member
Posts: 304
Joined: Thu Oct 02, 2014 8:54 pm
Location: St Louis MO

Re: Inner DNS server doesn't resolve domain names for hotspot users

Thu Oct 01, 2020 8:22 pm

To what IP are the hotspot clients sending DNS queries? Where did they learn of the DNS server they are sending queries to? DHCP perhaps?
 
hazartilirot

Re: Inner DNS server doesn't resolve domain names for hotspot users

Thu Oct 01, 2020 8:49 pm

> To what IP are the hotspot clients sending DNS queries? Where did they learn of the DNS server they are sending queries to? DHCP perhaps?
I've got no idea. It seems they take the ISP's DNS. I see lots of DNS queries in the DNS cache table, despite the fact that each device coming from the hotspot gets 192.168.10.252, the inner DNS server.
I can ping the DNS server, though it doesn't resolve domain names :(
 
tippenring

Re: Inner DNS server doesn't resolve domain names for hotspot users

Thu Oct 01, 2020 9:31 pm

The clients aren't just "taking" the ISP DNS. They are being configured with it one way or another. The two most common methods are static configuration or DHCP.

On one of your hotspot clients, try this: "nslookup google.com 192.168.10.252". That should resolve. If it doesn't, I'd start with analyzing some packet captures at the client, router interface, and DNS server to determine where the packets are going.
 
hazartilirot

Re: Inner DNS server doesn't resolve domain names for hotspot users

Thu Oct 01, 2020 10:56 pm

Well, there is a question: is it predefined by the developers (standards?) that hotspot users won't be able to reach a DNS server inside the other subnet, or is there a chance to change the DNS server once a user is authenticated? The packets definitely go through the router first.
 
tippenring

Re: Inner DNS server doesn't resolve domain names for hotspot users

Thu Oct 01, 2020 11:13 pm

> Well, there is a question: is it predefined by the developers (standards?) that hotspot users won't be able to reach a DNS server inside the other subnet, or is there a chance to change the DNS server once a user is authenticated? The packets definitely go through the router first.
If you mean predefined as in hard-coded where you can't adjust it or see it, the answer is no. There are no standards when it comes to hotspot/guest type networks--just common implementations.

I think analyzing some packet captures will probably get you to a resolution pretty quickly.
 
hazartilirot

Re: Inner DNS server doesn't resolve domain names for hotspot users

Thu Oct 01, 2020 11:40 pm

> I think analyzing some packet captures will probably get you to a resolution pretty quickly.
I know that captive portals depend on DNS, and that could be the reason all traffic goes through the router. It controls whether a user is authorized to go to the Internet; it doesn't resolve any domain name unless you're authenticated. If we open our DNS server to hotspot users, there won't be anything that stops them from using the Internet free of charge. They don't need to be authenticated. We break the idea of a captive portal, or am I incorrect?
As for me... Hm, let's say I'm an advanced user, but administering networks isn't my area of expertise. I understand some basics, but analyzing traffic... I'm out of my depth.

What should I do? Are there any magical tools for hacking networks? Please share your baggage of knowledge with me. I appreciate your help.
 
tippenring

Re: Inner DNS server doesn't resolve domain names for hotspot users

Fri Oct 02, 2020 12:12 am

> I know that captive portals depend on DNS, and that could be the reason all traffic goes through the router. It controls whether a user is authorized to go to the Internet; it doesn't resolve any domain name unless you're authenticated. If we open our DNS server to hotspot users, there won't be anything that stops them from using the Internet free of charge. They don't need to be authenticated. We break the idea of a captive portal, or am I incorrect?
> As for me... Hm, let's say I'm an advanced user, but administering networks isn't my area of expertise. I understand some basics, but analyzing traffic... I'm out of my depth.
>
> What should I do? Are there any magical tools for hacking networks? Please share your baggage of knowledge with me. I appreciate your help.
Ah. I see. You're trying to configure something fairly complex without understanding how it works for many many hours of frustration fun. The classic "glutton for punishment." :-)

I originally thought you wanted your hotspot clients to be able to query your internal DNS server. Now I believe you want it to be conditional (I think).

Unfortunately, I haven't worked on hotspots, captive portals, or walled gardens in quite a few years, so I'm pretty rusty and won't be much help. On the other hand, I analyze packet captures all the time, so that's easy. Depending on the hotspot client OS you have, you can use tcpdump in *nix, or Wireshark in Windows. On the router, you can navigate to Tools > Packet Sniffer (I'm assuming GUI), then set the interface you would like to capture on and any filters. I always set a filename on the general tab there so captured packets are written to a file. Then you can copy the file to your tech PC and view it in Wireshark.

Once you have packet captures, you're looking for where the client is sending the DNS queries, where the router is sending them, and then what, if anything, is replying to the DNS queries.

Good luck. Soon you'll be much more than an "advanced user."
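The capture analysis tippenring describes, as an added example that is not part of the thread: a small Python dissector for raw IPv4/UDP DNS packets that reports, per queried name, who asked whom and what came back. The packets are constructed inline from the thread's addresses (a 192.168.20.x hotspot client, the router at 192.168.20.1/192.168.10.1, BIND at 192.168.10.252) rather than read from a real capture file, and the 203.0.113.5 answer is a placeholder; on a real capture you would feed it the IP payloads exported from Wireshark or tcpdump. The sample also includes an NXDOMAIN exchange for an unqualified host name, which is what a blank "unknown 0.0.0.0" entry in the router's DNS cache corresponds to.

```python
"""Minimal DNS-over-UDP/IPv4 dissector: who asked whom, and what came back.
Added example; the packets below are constructed, not from a real capture."""
import socket
import struct
from collections import namedtuple

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
DnsEvent = namedtuple("DnsEvent", "src dst txid qname response rcode answers")


def encode_name(name):
    """RFC 1035 wire form: length-prefixed labels, zero terminated."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def decode_name(msg, off):
    """Decode a name at msg[off], following 0xC0xx compression pointers.
    Returns (name, offset just past the name as written at `off`)."""
    labels, resume, hops = [], None, 0
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                      # pointer into an earlier name
            resume = off + 2 if resume is None else resume
            off = ((n & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:                         # refuse pointer loops
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), (off if resume is None else resume)


def parse_ipv4_dns(pkt):
    """DnsEvent for a raw IPv4/UDP packet to or from port 53, else None."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 17:                              # IP protocol 17 = UDP
        return None
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    sport, dport, ulen = struct.unpack("!HHH", pkt[ihl:ihl + 6])
    if 53 not in (sport, dport):
        return None
    msg = pkt[ihl + 8:ihl + ulen]
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, qname, answers = 12, "", []
    if qd:
        qname, off = decode_name(msg, off)
        off += 4                                  # skip QTYPE, QCLASS
    for _ in range(an):                           # collect A records as dotted quads
        _, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return DnsEvent(src, dst, txid, qname, bool(flags & 0x8000),
                    RCODES.get(flags & 0xF, str(flags & 0xF)), answers)


def trace_queries(packets):
    """qname -> [(src, dst, 'query'|'response', rcode)] in capture order."""
    trace = {}
    for ev in filter(None, map(parse_ipv4_dns, packets)):
        kind = "response" if ev.response else "query"
        trace.setdefault(ev.qname, []).append((ev.src, ev.dst, kind, ev.rcode))
    return trace


# ---- constructed sample traffic modelling the thread's topology ---------------
def dns_pkt(src, dst, sport, dport, txid, qname, response=False, rcode=0, a=None):
    flags = (0x8000 if response else 0) | 0x0100 | rcode       # RD always set
    msg = struct.pack("!HHHHHH", txid, flags, 1, 1 if a else 0, 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)        # QTYPE A, QCLASS IN
    if a:                                                       # owner = pointer to offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(a)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(msg), 0) + msg   # checksum left 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + udp


CLIENT, HS_GW, LAN_GW, BIND = "192.168.20.10", "192.168.20.1", "192.168.10.1", "192.168.10.252"
CAPTURE = [
    # hotspot client -> router; router (masqueraded as 192.168.10.1) -> BIND; answers back
    dns_pkt(CLIENT, HS_GW, 50001, 53, 0x1111, "google.com"),
    dns_pkt(LAN_GW, BIND, 40001, 53, 0x2222, "google.com"),
    dns_pkt(BIND, LAN_GW, 53, 40001, 0x2222, "google.com", True, 0, "203.0.113.5"),
    dns_pkt(HS_GW, CLIENT, 53, 50001, 0x1111, "google.com", True, 0, "203.0.113.5"),
    # unqualified host name: BIND answers NXDOMAIN, which the router caches as "unknown"
    dns_pkt(CLIENT, HS_GW, 50002, 53, 0x3333, "hazartilirot-pc"),
    dns_pkt(LAN_GW, BIND, 40002, 53, 0x4444, "hazartilirot-pc"),
    dns_pkt(BIND, LAN_GW, 53, 40002, 0x4444, "hazartilirot-pc", True, 3),
    dns_pkt(HS_GW, CLIENT, 53, 50002, 0x3333, "hazartilirot-pc", True, 3),
]

if __name__ == "__main__":
    for name, hops in trace_queries(CAPTURE).items():
        print(name, *(f"\n  {s:>15} -> {d:<15} {k:<8} {r}" for s, d, k, r in hops))
```

Reading the trace answers the three questions in order: the first hop for a name is where the client sent the query (here the router, whatever server the client was configured with), the second is where the router forwarded it, and the responses show who actually answered and with what rcode. A name whose only response is NXDOMAIN was refused upstream, not lost on the way.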
 
tdw
Forum Guru
Posts: 2066
Joined: Sat May 05, 2018 11:55 am

Re: Inner DNS server doesn't resolve domain names for hotspot users

Fri Oct 02, 2020 12:18 am

The Mikrotik hotspot redirects any DNS requests from hotspot clients to the Mikrotik itself. This happens quite early in the firewall chains so the walled garden or walled garden IP functions may occur too late. Is there any reason you can't set the Mikrotik itself to use your DNS server?
 
hazartilirot

Re: Inner DNS server doesn't resolve domain names for hotspot users

Fri Oct 02, 2020 1:07 am

> I originally thought you wanted your hotspot clients to be able to query your internal DNS server.
Exactly what I want.
> The Mikrotik hotspot redirects any DNS requests from hotspot clients to the Mikrotik itself. This happens quite early in the firewall chains so the walled garden or walled garden IP functions may occur too late. Is there any reason you can't set the Mikrotik itself to use your DNS server?
I just don't know how it resolves domain names - but it does... though when I've tried inner domains it says unknown.
Could you be more specific? How do I force the DHCP client to use my inner DNS server? Thanks.
 
tdw

Re: Inner DNS server doesn't resolve domain names for hotspot users

Fri Oct 02, 2020 1:38 am

That looks OK, the WAN DHCP client does not use any DNS servers offered and 192.168.10.252 is specified as an upstream DNS server, although without seeing the configuration it is difficult to say if there is anything else which could interfere.

The DHCP setup for the 192.168.20.0/24 network should offer 192.168.20.1 as both the gateway and DNS server addresses, although client DNS requests will be redirected whatever server address they are using. Your BIND server will see requests from the hotspot clients originating from 192.168.10.1, not 192.168.20.x - do you see requests arriving?
 
hazartilirot

Re: Inner DNS server doesn't resolve domain names for hotspot users

Fri Oct 02, 2020 9:03 am

Thanks to tdw. I did as you said. In the previous screenshot I went to the DHCP client and got rid of the "use peer DNS" feature. Then I switched off the inner DNS server last night, knowing exactly that nobody would get the Internet.

If you need the configuration file, I've shared it in an online code editor:
https://www.codepile.net/pile/VWwvpZ3Z

Here is the interesting thing. When I connect to the hotspot, the router asks my inner DNS server to resolve domain names, gets the response back, caches it and responds to the client's request. Meaning that it's in charge of those requests anyway. However, it doesn't make requests for my local domain names, for no reason. If you look at the snapshot I took yesterday, there is hazartilirot-pc that got type unknown and a blank IP address like 0.0.0.0. It's all the same with the provider's DNS or my internal one.

Might it be a kind of MikroTik bug? Should I report the issue?
 
tdw

Re: Inner DNS server doesn't resolve domain names for hotspot users

Fri Oct 02, 2020 2:11 pm

The DNS lookups via the Mikrotik and your bind server appear to be working as expected. The N hazartilirot-pc unknown 0.0.0.0 cached record shows that the upstream DNS server (your BIND server) replied with NXDOMAIN so the type and data fields have no value, hence the suggestion to check the BIND server activity/logs.

You may as well remove/change the redundant Mikrotik configuration items:
/ip dhcp-server network
add address=192.168.10.0/24 dhcp-option=mydomain.local dns-server=192.168.10.252 domain=mydomain.local gateway=192.168.10.1
add address=192.168.20.0/24 comment="hotspot network" dhcp-option=mydomain.local dns-server=192.168.20.1 domain=mydomain.local gateway=192.168.20.1
...
/ip firewall nat
...
add action=dst-nat chain=dstnat dst-port=53 protocol=tcp src-address=192.168.20.0/24 to-addresses=192.168.10.252 to-ports=53
add action=dst-nat chain=dstnat dst-port=53 protocol=udp src-address=192.168.20.0/24 to-addresses=192.168.10.252 to-ports=53

...
/ip hotspot walled-garden ip
add action=accept comment="Allowing hotspot users to communicate with DNS Server in the other subnet" disabled=no dst-address=192.168.10.252 !dst-address-list dst-port=53 protocol=tcp server=hotspot1 src-address=192.168.20.0/24 !src-address-list
add action=accept comment="Allowing hotspot users to communicate with DNS Server in the other subnet" disabled=no dst-address=192.168.10.252 !dst-address-list dst-port=53 protocol=udp server=hotspot1 src-address=192.168.20.0/24 !src-address-list


I'm not sure why you have domain= plus an option sending code 15 in your /ip dhcp-server network settings - I haven't checked, but I would expect these to be the same. The DHCP option code 119 entry appears to be incorrectly encoded but also not used. Note that from your screenshot the client is asking for hazartilirot-pc not hazartilirot-pc.some.domain

Also, there is a masquerade rule for the hotspot clients - I can't see that this is necessary unless you particularly want traffic from the hotspot clients to the 192.168.10.0/24 network to appear to originate from the Mikrotik rather than from the individual hotspot clients.
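tdw's remark about option 15 versus option 119, as an added example that is not from the thread: option 15 (Domain Name) carries the domain as a plain ASCII string, while option 119 (Domain Search, RFC 3397) carries a list of domains in DNS label form (a length byte, the label bytes, and a terminating zero per domain), so pasting the same ASCII string into a code-119 option produces exactly the kind of "incorrectly encoded" entry described above. The Python below encodes both forms, validates an exported 0x... value by decoding it, and prints the RouterOS commands. The `/ip dhcp-server option` syntax and the option names domain-name and domain-search are assumptions taken from the RouterOS documentation, not something shown in this thread; RouterOS already sends option 15 from the `domain=` setting in `/ip dhcp-server network`, so a separate code-15 option is only needed if you drop `domain=`.

```python
"""DHCP option 15 (Domain Name: plain ASCII) versus option 119 (Domain Search:
RFC 3397 DNS-label encoding). Added example, not from the thread."""


def encode_search_list(domains):
    """RFC 3397: each domain as length-prefixed labels, zero terminated, concatenated."""
    out = bytearray()
    for domain in domains:
        for label in domain.strip(".").split("."):
            if not 0 < len(label) < 64:
                raise ValueError(f"bad label {label!r} in {domain!r}")
            out.append(len(label))
            out += label.encode("ascii")
        out.append(0)
    return bytes(out)


def decode_search_list(data):
    """Inverse of encode_search_list. Rejects truncation and compression
    pointers (legal in RFC 3397, but this encoder never emits them)."""
    names, labels, off = [], [], 0
    while off < len(data):
        n = data[off]
        off += 1
        if n & 0xC0:
            raise ValueError(f"byte 0x{n:02x} at {off - 1} is not a label length (>63 or pointer)")
        if n == 0:
            names.append(".".join(labels))
            labels = []
        elif off + n > len(data):
            raise ValueError(f"label at {off - 1} runs past the end of the data")
        else:
            labels.append(data[off:off + n].decode("ascii"))
            off += n
    if labels:
        raise ValueError("last domain is not zero terminated")
    return names


def validate_option119_hex(value):
    """Check a RouterOS-style 0x... option value; returns (ok, names_or_error)."""
    if not value.startswith("0x"):
        return False, "expected a 0x-prefixed hex string"
    try:
        return True, decode_search_list(bytes.fromhex(value[2:]))
    except ValueError as exc:
        return False, str(exc)


def routeros_option_commands(domain, search_list):
    """'/ip dhcp-server option' lines for both options. Command syntax and the
    option names are assumed from the RouterOS docs; 0x hex is used for both
    values because it is unambiguous, unlike quoted strings."""
    return [
        f"/ip dhcp-server option add code=15 name=domain-name value=0x{domain.encode('ascii').hex()}",
        f"/ip dhcp-server option add code=119 name=domain-search value=0x{encode_search_list(search_list).hex()}",
    ]


if __name__ == "__main__":
    for cmd in routeros_option_commands("mydomain.local", ["mydomain.local"]):
        print(cmd)
    # the classic mistake: option 119 filled with the plain ASCII string that belongs in option 15
    print(validate_option119_hex("0x" + b"mydomain.local".hex()))
```

To check an existing entry, run validate_option119_hex on the value shown by `/ip dhcp-server option export`; a result starting with False names the byte at which decoding failed. Note that the search list only tells a client which suffixes to append to a bare name; a phone that ignores option 119 will still send hazartilirot-pc unqualified, which BIND answers with NXDOMAIN.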
 
hazartilirot

Re: Inner DNS server doesn't resolve domain names for hotspot users

Fri Oct 02, 2020 3:58 pm

> The DNS lookups via the Mikrotik and your bind server appear to be working as expected. The N hazartilirot-pc unknown 0.0.0.0 cached record shows that the upstream DNS server (your BIND server) replied with NXDOMAIN so the type and data fields have no value, hence the suggestion to check the BIND server activity/logs.
>
> You may as well remove/change the redundant Mikrotik configuration items:
> /ip dhcp-server network
> add address=192.168.10.0/24 dhcp-option=mydomain.local dns-server=192.168.10.252 domain=mydomain.local gateway=192.168.10.1
> add address=192.168.20.0/24 comment="hotspot network" dhcp-option=mydomain.local dns-server=192.168.20.1 domain=mydomain.local gateway=192.168.20.1
> ...
> /ip firewall nat
> ...
> add action=dst-nat chain=dstnat dst-port=53 protocol=tcp src-address=192.168.20.0/24 to-addresses=192.168.10.252 to-ports=53
> add action=dst-nat chain=dstnat dst-port=53 protocol=udp src-address=192.168.20.0/24 to-addresses=192.168.10.252 to-ports=53
> ...
> /ip hotspot walled-garden ip
> add action=accept comment="Allowing hotspot users to communicate with DNS Server in the other subnet" disabled=no dst-address=192.168.10.252 !dst-address-list dst-port=53 protocol=tcp server=hotspot1 src-address=192.168.20.0/24 !src-address-list
> add action=accept comment="Allowing hotspot users to communicate with DNS Server in the other subnet" disabled=no dst-address=192.168.10.252 !dst-address-list dst-port=53 protocol=udp server=hotspot1 src-address=192.168.20.0/24 !src-address-list
>
> I'm not sure why you have domain= plus an option sending code 15 in your /ip dhcp-server network settings - I haven't checked, but I would expect these to be the same. The DHCP option code 119 entry appears to be incorrectly encoded but also not used.
Now I understand each thing you wrote.
I thought code 15 and code 119 were more or less the same, with a slight difference. I could've mistaken something while reading an article on the Internet. It's like when I type hazartilirot-pc it's expected to add mydomain to it. As a result it would be hazartilirot-pc.mydomain.
> Note that from your screenshot the client is asking for hazartilirot-pc not hazartilirot-pc.some.domain
You're correct! :D I wonder what the reason is? The DNS server resolves names in one subnet, 10.0/24, but not for the other, 20.0/24. It doesn't join .mydomain to the host name. :D
 
hazartilirot

Re: Inner DNS server doesn't resolve domain names for hotspot users

Sat Oct 03, 2020 12:09 am

Well, I've switched mydomain.local to mydomain.com - it solved the problem I had with an unrelated app. However, the DNS server now cannot resolve a host's name in its own subnet, 10.0/24. It seems to me that the DNS server couldn't have resolved a domain name in the other subnet, since the phone I made the nslookup request from didn't belong to the domain. All PCs still belong to mydomain.local. I guess that is why I have to add the suffix. I hope I'm correct. )