I'm completely bemused why there's no support (after many requests) for this:

You enter a domain name in the DNS configuration, and then enter the ip address(es) of DNS servers to forward the requests for that domain to.

The Mikrotik can cache it.

What's the problem? Surely this could be coded in an afternoon?

A.K.A conditional forwarders.

Yes I know about the workarounds (dst-NAT), but they are messy and buggy, and bypass cache.

Mikrotik: can I build my own package and install that on RouterOS? I need conditional DNS forwarders.

You probably know this thread. With its 10th anniversary drawing near, it would be nice present from MikroTik, if they finally implemented it. Otherwise I'll probably start losing hope.

And no, you can't make your own packages. There are some tools to unpack .npk files, but not to create them.

You probably know this thread. With its 10th anniversary drawing near, it would be nice present from MikroTik, if they finally implemented it. Otherwise I'll probably start losing hope.

And no, you can't make your own packages. There are some tools to unpack .npk files, but not to create them.

They don't seem to act on user requests

I'm going to have to put in an OpenWRT box at a remote site just so they can have a conditional DNS forwarder. Absolutely ridiculous given the overall power and flexibility of RouterOS, to not have such a simple and easy to implement feature.

They do act on user's requests, sometimes even pretty quickly. But they also seem to completely ignore some. Sometimes there's the old "but it's too advanced for router", which may be true in some cases, but it's less and less true over the time, given all the features RouterOS already has. But request like this is really just a basic functionality and waiting ten years to get it is ridiculous.

It's like the OpenVPN story. People are crying for udp support for 10+ years. Finally in 2016, it looked like the happy end might be near, when it was said by MikroTik employee that it will be in RouterOS v7. Too bad "RouterOS v7" already became synonym for "never" back then, let alone now.

I'm still huge fan of RouterOS, and I don't think I'll stop anytime soon. But some aspects really annoy me. Hire more people, allow custom packages, open source at least parts of RouterOS and accept patches, ... anything to get things moving faster.

It looks like this will do what I need (with a simple dnsmasq cli option). I think it'll do openvpn UDP if you want too. It looks like an rb750gr3 with a different operating system. That hardware has AES acceleration. Not sure if this non-mikrotik o/s supports it yet though.

https://www.eurodk.com/en/products/ubnt ... gerouter-x

I am too considering buying one of those to get some experience and compare them 1:1
There will probably be (lots of?) things that RouterOS can do which those boxes do not support, and there are a lot less different models available especially in the low-price segment, but we certainly have to look around when we want progress...
The first step is of course to really understand what the properties of the different models are. "X" and "lite" differ in price and looks, but it is yet unclear to me how they differ in features and performance. And then there is the "poe" model too.

It does do hw crypto offload for ~400mbps IPsec, and DNS conditional forwarders. That's all I need. They do udo openvpn but it's slow (25mbps) and I've never actually used openvpn anyway so that's not of interest to me.

I just need IPsec and conditional DNS forwarder for the remote active-directory linked sites.. so they can use router for DNS, have active directory forwarded and cached to the a/d DNS server, and not lose internet access when the VPN becomes unavailable.

On the datasheet it says "1 VPN" so I wonder if there are nasty licensing schemes... a bit like some of the MikroTik APs that allow only 1 connection (usable for PtP use) and require an extra license to be used as an AP for multiple users...

I have an ER-X. The GUI is definitely more "whiz bangy" and you use the web gui (or cli of course), not something like Winbox.

MikroTik seems to do a lot more for your money software wise, but hey, if it doesn't support something that this one does, get it. It's a nice little machine. It's a lot of hardware for the money for sure.

I have an ER-X. The GUI is definitely more "whiz bangy" and you use the web gui (or cli of course), not something like Winbox.

MikroTik seems to do a lot more for your money software wise, but hey, if it doesn't support something that this one does, get it. It's a nice little machine. It's a lot of hardware for the money for sure.

It was either the above, or put in a raspberry pi as a separate DNS server. Shouldn't have to do either really but nevermind..

Received the EdgeRouter ER-X today. It's a tidy little box

the O/S looks nice. Quite a lot less power than Mikrotik / Winbox.

However, there's the added flexibility of a full Linux bash shell!

I have resisted 'the other side' even though everywhere I see a point-to-point wan (wireless ISP in the UK), they always use Ubiquity. I've been using Mikrotik for over 10 years.

but Mikrotik not bothering to implement a piece-of-cake little feature like the above, has opened me up to the alternative. This is the first Ubiquity box I've touched and probably won't be the last now that I have had an accidental introduction to them.

Just a shame their WiFi manager thing runs on Java and needs a whole computer to itself.

No? Still No, Mikrotik??

FFS it would be able 3 lines of code for your developers

Same issue. Found this post. Request is now open for at least 10 years. I guess we can wait another 10.
It truly amazes me, with all the crazy shit my CCR can do, this basic option is still unavailable.

I would love this, please add this MT!

+1 vote

+2 vote

+10000000

Sent from my SM-A705FN using Tapatalk

dnsmasq will do exactly what you need, and a gr3 (+other hw) with openwrt can run dnsmasq

OH.MY.GOD.

Yes, finally!
There are some mistakes, but at least it performs the basic functions that have been asked for since 10 years...

There may be an issue though. After upgrading to 6.47 my Windows Server 2016 DNS server recursive queries fail.
user@i9:~$ dnsperf -e -s 10.0.1.8 -d /mnt/c/Users/user/Downloads/dnsperf_test_queries.tsv
Statistics:
Queries sent: 414
Queries completed: 17 (4.11%)
Queries lost: 297 (71.74%)
Queries interrupted: 100 (24.15%)

Response codes: NOERROR 7 (41.18%), SERVFAIL 7 (41.18%), NXDOMAIN 3 (17.65%)
Average packet size: request 49, response 70
Run time (s): 17.915779
Queries per second: 0.948884

Average Latency (s): 1.126841 (min 0.000739, max 4.620818)
Latency StdDev (s): 1.752664

After downgrading back to 6.45.9 much less problems.
Statistics:
Queries sent: 6958
Queries completed: 6822 (98.05%)
Queries lost: 36 (0.52%)
Queries interrupted: 100 (1.44%)

Response codes: NOERROR 4983 (73.04%), SERVFAIL 105 (1.54%), NXDOMAIN 1734 (25.42%)
Average packet size: request 49, response 104
Run time (s): 13.945621
Queries per second: 489.185817

Average Latency (s): 0.163934 (min 0.000552, max 4.763096)
Latency StdDev (s): 0.414830

Internal queries work 100% and if MSDNS is bypassed queries work also, so it's an issue between MSDNS and Mikrotik. Tried disabling the static DNS, no help.
Flags: D - dynamic, X - disabled
# NAME REGEXP ADDRESS TTL
0 X mikrotikrouter.home.local 10.0.0.1 4w2d
Also tried changing EDNS0 UDP packet size to 1452 which is the size 1.1.1.1 supports, no help.
Didn't find the cause but waiting to upgrade routerOS again until I see a fix in the notes.

Just noticed it myself in changelog
Good news indeed

Although regex has been mentioned before by staff to be heavy

Just noticed it myself in changelog
Good news indeed

Although regex has been mentioned before by staff to be heavy

@xsebastia, welcome back. It's been a while

Can DNS forwarding be done to a different port other than "53/udp"?

No. You can put in forward-to=<address>:<port>, but it doesn't work. It's also little inconsistent. If you do it in WinBox, then port is ignored and queries are sent to <address>:53. Port also doesn't show in export. If you do it using CLI, then whole string is treated as hostname, which of course can't be resolved.

Can anyone please paste, a configuration where FWD entry does work, and forward queries to external DNS ?
The one in wiki does not work :(

The one in wiki is ok, it will forward queries for <anything>.example.com to 10.0.0.1, assuming that you don't have another matching regexp before this, and if you don't use DoH (because for some strange unexplained reason RouterOS ignores FWD when DoH is used).

The one in wiki is ok, it will forward queries for <anything>.example.com to 10.0.0.1, assuming that you don't have another matching regexp before this, and if you don't use DoH (because for some strange unexplained reason RouterOS ignores FWD when DoH is used).

are You talking exactly about this ?
[admin@MikroTik] ip dns static> add regexp=".*\\.example\\.com\$" forward-to=10.0.0.1

Yes, that's the one.

and if you don't use DoH (because for some strange unexplained reason RouterOS ignores FWD when DoH is used).

Yep, confirming that DNS forwarding doesn't work with DoH enabled.

it doesn't bloody work at all!



That is exactly like the wiki example!

Although, it could be the IPSec tunnel. The router itself has no routing table to it, and there's no src-address= for the DNS FWD record. hmm.

Your tld is .local, not .local$. Don't escape the last $ in the regex. In fact you should unescape the CLI syntax, e.g. \\. => \. when pasting directly in Winbox.

Omitting the slashes will make it match with other characters as well. E.g. philipcarrollBlocalWhateveryoulike would match.

Better use these two for philipcarroll.local and *.(*.(*.(...))).philipcarroll.local:

^philipcarroll\.local$
\.philipcarroll\.local$

I got it to work :)

I have no idea what the regexp stuff is about in the Wiki, but that would not work for me.

a simple *.domain.local was enough
then another one for the domain itself.

I needed to fix the routers outbound traffic over the IPSec link (pref-source on a routing table entry).

There's no debug log for DNS!

Your tld is .local, not .local$. Don't escape the last $ in the regex. In fact you should unescape the CLI syntax, e.g. \\. => \. when pasting directly in Winbox.

Why does the Wiki say:

It is also possible to forward specific DNS requests to a different server using FWD type. This will fordward all subdomains of "example.com" to server 10.0.0.1:

[admin@MikroTik] ip dns static> add regexp=".*\\.example\\.com\$" forward-to=10.0.0.1

?

The wiki example is escaped for pasting in terminal, you pasted the terminal example in the winbox dns static entry window (not the terminal).

Your tld is .local, not .local$. Don't escape the last $ in the regex. In fact you should unescape the CLI syntax, e.g. \\. => \. when pasting directly in Winbox.

Omitting the slashes will make it match with other characters as well. E.g. philipcarrollBlocalWhateveryoulike would match.

Better use these two for philipcarroll.local and *.(*.(*.(...))).philipcarroll.local:

^philipcarroll\.local$
\.philipcarroll\.local$

I get you. Thanks. Yes it was the double-slashes that was doing it. Thanks for your help.

Better use these two for philipcarroll.local and *.(*.(*.(...))).philipcarroll.local:

^philipcarroll\.local$
\.philipcarroll\.local$

That's a good point. With Active Directory there are many hierarchies in the DNS.. I missed that with my *.phillipcarroll.local

I bought a book specifically about regular expressions. I found it rather too difficult to absorb by about page 5!

of course, the slash is escaping the dot so that it doesn't mean what a dot usually means in a regular expression (any char, any number of preceeding chars, whatever it is).
Makes sense now.

*.phillipcarroll.local is not a valid regex entry because the first * quantifier is not preceded by a character (sequence).

But since partial matching takes place, I choose to omit the subdomain (.*) in general.

So.. \.domain\.local$ is simpler than ^.*\.domain\.local$