
feature request: dns-names instead of ip-addresses

Posted: Sat Oct 02, 2004 10:16 am
by mag
imho it would be helpful to have the option of entering dns-names instead of ip-addresses in destination-fields, e.g. when configuring tunnel-, ppp-type-clients. of course only if the dns-resolver is configured.

most operating systems allow this too for their vpn-clients, and it becomes essential for use with dyn-dns based destinations, where the ip-address changes regularly.

(probably this could be done by some scripting, but i would prefer the simple method)

regards
matthias

DNS names

Posted: Sun Oct 03, 2004 12:22 am
by sako
This is insecure, coz dns names can be spoofed.
The second con is that in case of dns failure, the system will not be configured properly during restart.
Just my 2 cents :)

Re: DNS names

Posted: Sun Oct 03, 2004 1:04 am
by mag
This is insecure...
yes, right, but i didn't say to change everything from ip-addresses to dns-names, only to have the option to use dns-names too.

(by now, mikrotik ros is mostly unusable for dyn-dns based connections, and due to t-dsl we have lots of them in germany...)

Posted: Sun Oct 03, 2004 10:14 am
by cmit
This feature request has been posted several times. The main problem is always the discussion of when name resolution should occur: when entering a DNS name into a configuration (one-time resolution, then storing the ip address) - which is more a convenience while configuring. Or during "runtime", i.e. every time a rule or whatever containing a DNS name is used. This would be necessary for your request ("dyn-dns vpn"), but would potentially put a huge DNS resolution burden on the RouterOS system. Or something in between, like the second option above but caching DNS resolution results for some time.
At that point discussions always stopped, if I remember correctly...

Posted: Sun Oct 03, 2004 1:04 pm
by mag
yes, this is a usual question for dns. but there is a solution already: TTLs

any resolver has to respect them.

e.g. dyn-dns.org sets a ttl of 60s, cisco NAT sets a TTL of 0s (which is RFC compliant too).

regards.
matthias

Posted: Mon Oct 04, 2004 10:47 am
by cmit
Of course that's right. But we have seen problems arising from servers with wrong configuration and giving those supposed-to-be-dynamic records normal (high) TTL.
Just wanted to point out the possible problems associated with using DNS names here...

Posted: Wed Oct 06, 2004 1:34 am
by changeip
We've provided a mikrotik script in one of the forums here that will update your ddns records when an interface receives a different IP address. This is working well and we have a few clients using it at this time. Mikrotik supports the RFC ddns updates - but none of the current ddns providers support this update method. We've written the script to allow you to find your routers using a ddns name instead of trying to find the dhcp'ed address you receive on dsl / cable. It watches the interface IP address and sends an email to our ddns proxy account to perform the update, just as any other http client would.

Sam
ChangeIP.com

Posted: Wed Oct 06, 2004 8:59 am
by mag
We've provided a mikrotik script in one of the forums
...
yes, i have seen this script, but i don't think it helps for the task i had in mind.
to explain: in germany there is a growing number of highspeed connections (3mbit) over telekom dsl. it is quite cheap, so a lot of business customers do use it. together with VPN-techniques it is easy to build up a company network, but no static ip-addresses on the WAN are provided, i.e. the router must be able to build up VPN-tunnels with (dynamic) DNS names on both tunnel endpoints.

i have been using draytek routers for that task (they are cheap and good) for years, but they lack the cpu power, firewall- and QoS-features mikrotik ROS has. (their wireless features are poor, too). but their ability to build up various VPN-types with dynamic addressing is a feature i would like to see on the mikrotik ROS.

would it be possible to write a script, building up a vpn-connection based on just-in-time DNS-resolved ip-addresses?

on the other hand, the resolver is built in already, hence it should not be too complicated to make DNS names usable.

regards.
matthias

Posted: Wed Oct 06, 2004 4:21 pm
by RaynMan
I can see a use for it my side as well...

Shouldn't be too difficult to add the ability to use name addresses with a disclaimer saying it's all at your own risk.

Or perhaps support a couple of the more popular Dynamic DNS companies out there?

I'm seeing quite a few of the budget type 'Broadband Routers' supporting this already (so far all are only supporting DynDNS) so it can't be a lot of code to add...

Anyways...I have a horrible hack-like solution already, but something more elegant would be nice ;)

Posted: Wed Oct 06, 2004 6:17 pm
by changeip
I know exactly what you mean ... even in the ddns update script that we wrote we could not specify the mail server by name, we have to hard code the IP address of the sending SMTP server. I know that the routeros can resolve names so it should be easy to add ... and i tried parsing it using a script but could not get it working. i.e., ping host.domain.tld -> then grab the resolved IP and use it in a variable.

We're not talking about doing reverse DNS lookups on log entries, etc - just specifying a hostname to use on outbound connections to vpns, mail servers, etc. I think I posted this request a few months back already.

Sam

Posted: Wed Oct 06, 2004 6:20 pm
by cmit
OK, finally I'll join this feature request alliance :D ...

on board

Posted: Mon Oct 18, 2004 7:50 pm
by cjk
i would like to see this feature too, which should be quite easy to implement.

Posted: Wed Dec 01, 2004 5:32 pm
by eugenevdm
I also believe this would be a great feature in a growing world of non-ip based servers / clients. Can really be useful for VPN.

Posted: Wed Dec 01, 2004 7:00 pm
by edzix
have you tried to enter a DNS name and, before accepting this, press the Tab button? Maybe this is what you're looking for and waiting for.

Edgars

Posted: Wed Dec 08, 2004 10:56 am
by mag
have you tried to enter a DNS name and, before accepting this, press the Tab button?
i tried this of course. all i got is an error, stating a non-zero ip-address is needed. tried with pptp and ip-tunnel.

regards.
  matthias

Posted: Wed Dec 08, 2004 1:05 pm
by Eugene
:put [:resolve www.example.com]
Doesn't that tell you something? :)

Posted: Wed Dec 08, 2004 1:21 pm
by mag
:put [:resolve www.example.com]
Doesn't that tell you something? :)
i am not sure. does it mean i can resolve a dns name in a script? does it also mean i could configure dns-name-based vpn-connections only by scripting? (or can i put the command into the ip-address field?)

thx.
  matthias

Posted: Wed Dec 08, 2004 1:28 pm
by Eugene
1) Certainly, yes.
2)
/ip address add address=([:resolve www.example.com] . "/24") interface ether2
/ip address print
Flags: X - disabled, I - invalid, D - dynamic
#   ADDRESS            NETWORK         BROADCAST       INTERFACE
7   192.0.34.166/24    192.0.34.0      192.0.34.255    ether2

Posted: Mon Dec 13, 2004 11:21 am
by mag
i tried a simple VPN (using PPTP) with a DNS-name instead of an ip-address, but afaik it can't work this way.

this is the running configuration:
interface pptp-client pr
Flags: X - disabled, R - running
 0 X  name="pptp-client" mtu=1460 mru=1460 connect-to=x.y.129.62 user="test" password="******" profile=default add-default-route=no allow=mschap2,mschap1
then i tried with dns-name:
interface pptp-client set 0 connect-to=[:resolve pptp-server.domain.de]

interface pptp-client pr
Flags: X - disabled, R - running
 0 X  name="pptp-client" mtu=1460 mru=1460 connect-to=x.y.129.62 user="test" password="******" profile=default add-default-route=no allow=mschap2,mschap1
as one can see, the resolve-command just puts the current ip-address into the config-line. this does not solve the problem, as the address will change many times a day and has to be resolved every time the connection activates.

i could see a work-around by writing a scheduler, checking for the current ip-address and changing the config if necessary. this might work with a few vpn-connections, but with tens or hundreds it adds way too much complexity just to work around the simple direct usage of a dns-name in the configuration. (many cheap routers can do this already).

thx.
   matthias

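The scheduler work-around that mag sketches above (periodically resolve the name, rewrite connect-to only when it changed), written out as an added RouterOS script. This is not code from the thread or from MikroTik; it assumes current RouterOS v6/v7 scripting syntax (:local, :do/on-error, find by name) rather than the 2.8-era numbered-item syntax shown in the thread, and reuses the interface name "pptp-client" and the hostname pptp-server.domain.de from mag's configuration. The on-error branch addresses sako's objection: if DNS is down, the last known address is kept rather than the tunnel config being broken.

```routeros
# Added example (not from the thread or MikroTik): keep a PPTP client's
# connect-to in sync with a dynamic DNS name.
# Assumptions: RouterOS v6/v7 syntax, interface name "pptp-client" and
# host pptp-server.domain.de as used in the thread.
:local ifname "pptp-client"
:local target "pptp-server.domain.de"

# Look the interface up by name, not by list position, which can change.
:local id [/interface pptp-client find name=$ifname]
:if ([:len $id] = 0) do={
    :log error "ddns-sync: interface $ifname not found"
    :error "interface not found"
}
:local current [:tostr [/interface pptp-client get $id connect-to]]

# Resolution can fail (DNS server down, name not found). Keep the last
# known address instead of leaving the tunnel without a peer.
:local resolved ""
:do {
    :set resolved [:tostr [:resolve $target]]
} on-error={
    :log warning "ddns-sync: could not resolve $target, keeping $current"
    :error "resolve failed"
}

# Only touch the configuration when the address actually changed, so the
# tunnel is not restarted on every run.
:if ($resolved != $current) do={
    /interface pptp-client set $id connect-to=$resolved
    :log info "ddns-sync: $ifname connect-to changed $current -> $resolved"
}
```

Store it under /system script (for example as "ddns-sync") and run it from /system scheduler with interval=1m, which matches the 60s TTL that dyn-dns providers were said to use earlier in the thread; a shorter interval only adds resolver load without the record changing any faster. One script per tunnel is exactly the scaling problem mag points out, which is why the thread asks for native support instead.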

Posted: Mon Dec 13, 2004 11:23 am
by normis
of course this is a cheap workaround and mikrotik will work on a solution in upcoming versions

Posted: Mon Dec 13, 2004 12:34 pm
by mag
of course this is a cheap workaround and mikrotik will work on a solution in upcoming versions
thanks, that sounds good to me!

   matthias

Posted: Mon Dec 13, 2004 1:35 pm
by edzix
Mag,

how did you try it with the Tab button? Maybe DNS settings are incorrect in your router. Try, for example:

/ip address add address=www.example.com<press Tab now>

the line will be substituted with:

/ip address add address=1.1.1.1/

where 1.1.1.1 is IP of http://www.example.com in this example.

Edgars

Posted: Mon Dec 13, 2004 1:51 pm
by cmit
I can confirm this is working on the console - at least, if you have configured DNS servers under "/ip dns" (of course)...

Posted: Mon Dec 13, 2004 2:48 pm
by normis
edzix - you don't get the idea. the ip address changes all the time, your TAB solution doesn't work here. you will have to change the rule all the time by yourself.

we will make a solution where the DNS names will be resolved within some intervals, configured in DNS Settings or somewhere else.

problem could be with dns names that resolve to multiple IPs, but I hope people will use this for services like no-ip.com and not enter yahoo.com (which really does resolve to multiple IPs).

Posted: Mon Dec 13, 2004 3:23 pm
by mag

how did you try it with the Tab button? Maybe DNS settings are incorrect in your router. Try, for example:
you are right, i tried the winbox; the terminal is of course working.

but the problem is still (as written before) that the ip-address is changing on an irregular basis.

thx.
   matthias

Posted: Mon Dec 13, 2004 3:36 pm
by cmit
OK, so everyone agrees on what the problem is and Normunds said they'll fix it (or better: add this feature).

Looks like we could start asking when this will become available :D ...
Any chance for 2.9?

Posted: Mon Dec 13, 2004 4:00 pm
by normis
not funny :) maybe 2.9 some beta. i can't promise because we just agreed that there exists this problem, i still can't confirm 100% that this will make it into routeros. it depends on how hard it is to make etc. we'll see

Posted: Mon Dec 13, 2004 4:13 pm
by cmit
Normunds, take it easy 8) ...
From my side it would be a welcome addition, but is not that important in our current setups...

Posted: Mon Dec 13, 2004 4:43 pm
by stephenpatrick
Yes most operating systems allow this, and it's a nice feature,

.. but what about current generation commercial routers (Cisco etc) -
Do they offer this feature?

I guess what I'm asking is whether such a feature is "ahead of" or "catching up with" current commercial routers. It always helps when talking to customers to have a long list of advantages :)

Regards

Stephen