
DNS Configuration.

Posted: Wed Jun 29, 2016 11:25 pm
by mikepvr
Hi there, I'm a beginner in Mikrotik RouterOS, so sorry if I type something wrong...
How do I configure 2 DNS addresses from 2 different ISPs to work in redundancy?
I want to keep one active, and have all incoming connections pass through it. If this one fails to respond, then the second DNS address takes control.

Thanks a lot!!!

Re: DNS Configuration.

Posted: Thu Jun 30, 2016 12:17 am
by ZeroByte
For the Mikrotik's own DNS requests, go into the IP > DNS configuration, and specify whatever servers you wish to use. Some services such as dhcp client and pppoe client will automatically add DNS server addresses they may learn. You can disable this on both client types if you wish to just always use certain static servers.

The primary / backup behavior is automatic. If requests to one server do not receive any replies, or get rejected by one host, then the Mikrotik will try the other server.

As for hosts on the LAN, you can handle this in several ways:
1 - specify the dns servers in the DHCP scope
2 - specify the Mikrotik itself as the DNS server in the DHCP scope
3 - configure the Mikrotik to transparently redirect DNS requests to itself

Option 1 is the most normal - the servers specified in DHCP will be used by all DHCP clients.
Options 2 and 3 require that you enable the "Allow remote requests" option in the IP > DNS configuration.
NOTE:
If you enable remote requests, MAKE 100% ABSOLUTELY CERTAIN that your firewall rules do not allow DNS requests to be accepted from the WAN interface, or your router WILL WITHOUT FAIL be discovered as an open DNS relay and then used as a reflector in DNS amplification attacks (a type of DDoS attack).

You can test whether your router is accepting remote DNS requests from the Internet by using a self-test website such as http://openresolver.com/

Re: DNS Configuration.

Posted: Mon Jul 04, 2016 10:04 am
by melboyscout
Other situation.
I have my own local DNS server (BIND9). It resolves only local names, but I want to use the internet too.
If I set Google DNS first in IP > DNS > Servers, I cannot resolve local names. If I set my own DNS server first, I cannot surf the internet.
How can I solve this?

Re: DNS Configuration.

Posted: Mon Jul 04, 2016 4:29 pm
by Sob
Simple. First put Google DNS in the router's config in /ip dns, then give the router's address to clients as the DNS server.

Then write to MikroTik support and ask them nicely to finally implement an ancient feature request from this thread: Feature request: per-domain forwarding in DNS. Wait a little (month, year, five years, ...) and when it's done, simply add a rule to the router to send all requests for <whatever-your-local-domain-is> to your local DNS server.

Or if you need it sooner, use the L7 hack described in the same thread. Not an elegant solution, but it works.

Re: DNS Configuration.

Posted: Mon Jul 04, 2016 11:24 pm
by pe1chl
Much easier is to make your local bind9 server work as a resolver as well, by setting stuff like this:

forward first;
forwarders { 8.8.8.8; 8.8.4.4; };

Then set your internal systems' DNS to your internal server, or put (only) the address of your internal server in the MikroTik and make that the DNS for your internal systems. Or both.

Re: DNS Configuration.

Posted: Tue Jul 05, 2016 12:38 am
by Sob
What I don't like about this solution is that it creates an additional single point of failure. Take a small network with only one internal DNS server. You can't even reboot the machine, because it will leave users without internet access for a while (internet itself will work, but it's no fun without DNS).

Re: DNS Configuration.

Posted: Tue Jul 05, 2016 11:47 am
by melboyscout
> Simple. First put Google DNS in the router's config in /ip dns, then give the router's address to clients as the DNS server.
>
> Then write to MikroTik support and ask them nicely to finally implement an ancient feature request from this thread: Feature request: per-domain forwarding in DNS. Wait a little (month, year, five years, ...) and when it's done, simply add a rule to the router to send all requests for <whatever-your-local-domain-is> to your local DNS server.
>
> Or if you need it sooner, use the L7 hack described in the same thread. Not an elegant solution, but it works.

About the L7 hack:
What is the regexp needed to match these domains:
  • mail.groupe1.local
  • site.groupe1.local
  • mail.group2.local
  • post.group2.local
  • wiki.local
  • etc - ending ".local"

Re: DNS Configuration.

Posted: Tue Jul 05, 2016 7:38 pm
by Sob
DNS packets use a simple encoding where each name part is preceded by a byte whose value equals the length of the following part, like this:

mail.groupe1.local = \x04mail\x07groupe1\x05local

To filter out false positives, append .\x01 at the end:

.local = \x05local.\x01

Otherwise it would also match e.g. local.example.net.

Re: DNS Configuration.

Posted: Tue Jul 05, 2016 8:33 pm
by melboyscout
> DNS packets use a simple encoding where each name part is preceded by a byte whose value equals the length of the following part, like this:
>
> mail.groupe1.local = \x04mail\x07groupe1\x05local
>
> To filter out false positives, append .\x01 at the end:
>
> .local = \x05local.\x01
>
> Otherwise it would also match e.g. local.example.net.

What about (.*)local?

Re: DNS Configuration.

Posted: Tue Jul 05, 2016 10:50 pm
by Sob
Is it supposed to be top level domain? And is it really what it appears to be, i.e. regexp for <anything>istar (aistar, bistar, abcdistar, ...)? If it's TLD, then use simple:

istar.\x01

It might give you some false positives, e.g. istarx.y.example.net, but it should not be too bad.

Re: DNS Configuration.

Posted: Wed Jul 06, 2016 10:47 am
by melboyscout
> Is it supposed to be top level domain? And is it really what it appears to be, i.e. regexp for <anything>istar (aistar, bistar, abcdistar, ...)? If it's TLD, then use simple:
>
> istar.\x01
>
> It might give you some false positives, e.g. istarx.y.example.net, but it should not be too bad.

I need only anything.local.
And anything may be: mail.subdomain1.local, ftp.sub2.local, test.local ...
Thanks

Add:
What does \x01 mean?

Re: DNS Configuration.

Posted: Wed Jul 06, 2016 6:05 pm
by Sob
For anything.local, you want:

\x05local.\x01

When you send a question for e.g. ftp.sub2.local, the packet will contain:
03 66 74 70 04 73 75 62 32 05 6c 6f 63 61 6c 00 00 01 00 01
   f  t  p     s  u  b  2     l  o  c  a  l  xx yy yy zz zz
                           |-> match from here
Where:
- xx is null byte marking end of name
- yy yy are two bytes for question type
- zz zz are two bytes for question class

RouterOS skips all null bytes before trying to do L7 matching, which is a little complication. Fortunately, nearly all question types have values lower than 256, so they will use only one non-null byte (matched by ".") and class is for all practical uses always 1 (matched by "\x01").
This prevents false positives (e.g. for local.example.net), because the following part would again need one byte for length (it could be matched by "."), but there's no way the next character could be \x01.

Re: DNS Configuration.

Posted: Thu Jul 07, 2016 9:25 am
by melboyscout
> For anything.local, you want:
>
> \x05local.\x01
>
> When you send a question for e.g. ftp.sub2.local, the packet will contain:
> 03 66 74 70 04 73 75 62 32 05 6c 6f 63 61 6c 00 00 01 00 01
>    f  t  p     s  u  b  2     l  o  c  a  l  xx yy yy zz zz
>                            |-> match from here
> Where:
> - xx is null byte marking end of name
> - yy yy are two bytes for question type
> - zz zz are two bytes for question class
>
> RouterOS skips all null bytes before trying to do L7 matching, which is a little complication. Fortunately, nearly all question types have values lower than 256, so they will use only one non-null byte (matched by ".") and class is for all practical uses always 1 (matched by "\x01").
> This prevents false positives (e.g. for local.example.net), because the following part would again need one byte for length (it could be matched by "."), but there's no way the next character could be \x01.

It doesn't work for me, because I have static DNS records like *.local.org.ua :(

Add:
But I use only NAT, without mangle:

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=192.168.88.1 dst-port=53 layer7-protocol=local protocol=udp to-addresses=192.168.11.1 to-ports=53
add action=dst-nat chain=dstnat dst-address=192.168.88.1 dst-port=53 layer7-protocol=local protocol=tcp to-addresses=192.168.11.1 to-ports=53

L7 "local" - \x05local.\x01

Is it enough?

Re: DNS Configuration.

Posted: Thu Jul 07, 2016 5:23 pm
by ZeroByte
Honestly, it would be much easier for you to just enable recursive DNS lookups in your BIND server, point your clients at that server and be done.

Like pe1chl said:
forwarders { 8.8.8.8; 8.8.4.4; };
The server will already have the behavior you require - answer with stuff it knows authoritatively, and go find out anything else. If your server dies and you need to quickly get everyone working, you could just add the server's IP to your router's LAN interface and the router would start answering DNS queries, and just ignoring requests for any of the other services that the server was providing.

Re: DNS Configuration.

Posted: Thu Jul 07, 2016 8:03 pm
by melboyscout
> Honestly, it would be much easier for you to just enable recursive DNS lookups in your BIND server, point your clients at that server and be done.
>
> Like pe1chl said:
> forwarders { 8.8.8.8; 8.8.4.4; };
> The server will already have the behavior you require - answer with stuff it knows authoritatively, and go find out anything else. If your server dies and you need to quickly get everyone working, you could just add the server's IP to your router's LAN interface and the router would start answering DNS queries, and just ignoring requests for any of the other services that the server was providing.

I cannot do this. BIND is only for local resources.
Thanks

Re: DNS Configuration.

Posted: Thu Jul 07, 2016 8:30 pm
by Sob
> It doesn't work for me, because I have static DNS records like *.local.org.ua :(

So you don't have <something>.local? For <something>.local.org.ua you'd need:

\x05local\x03org\x02ua.\x01

Or are you trying to tell me something else?
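An added example, in Python, that is not code from this thread or from MikroTik. It encodes names the way Sob's posts describe (a length byte before each label, a 0x00 terminator, then QTYPE and QCLASS), derives the layer7 pattern for any suffix in the same form as \x05local.\x01 and \x05local\x03org\x02ua.\x01, and checks those patterns against real query packets with RouterOS's null-byte skipping modelled as Sob describes it. That modelling, and case-insensitive matching, are assumptions about RouterOS, not verified against it. It also includes a hand-rolled version of ZeroByte's open-resolver self-test; the address 192.0.2.1 in the demo is a placeholder for your own WAN address, and the names used are constructed for the demo.

```python
"""Added example (not code from the thread or from MikroTik): build real DNS
query packets and check the thread's layer7 patterns against them the way
RouterOS is described to evaluate them."""
import re
import secrets
import socket
import struct

QTYPE_A = 1
QCLASS_IN = 1


def encode_qname(name: str) -> bytes:
    """RFC 1035 name encoding: a length byte before each label, 0x00 at the end."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0x1234) -> bytes:
    """Single-question DNS query: 12-byte header (RD set) + QNAME + QTYPE + QCLASS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, QCLASS_IN)


def l7_pattern(suffix: str) -> str:
    """RouterOS layer7 regexp matching any name under `suffix`, as in the thread:
    'local' -> '\\x05local.\\x01', 'local.org.ua' -> '\\x05local\\x03org\\x02ua.\\x01'.
    The trailing '.\\x01' is the (null-stripped) QTYPE byte plus the QCLASS IN byte."""
    labels = suffix.strip(".").split(".")
    return "".join(f"\\x{len(label):02x}{label}" for label in labels) + ".\\x01"


def routeros_l7_match(pattern: str, packet: bytes) -> bool:
    """Approximation of how RouterOS applies a layer7 regexp to a packet.
    Assumptions taken from the thread, not verified against RouterOS itself:
    0x00 bytes are removed before matching, '.' matches any byte, and the
    match is case-insensitive."""
    stripped = packet.replace(b"\x00", b"")
    regex = re.compile(pattern.encode("ascii"), re.DOTALL | re.IGNORECASE)
    return regex.search(stripped) is not None


def question_hexdump(packet: bytes) -> str:
    """Hex listing of the question section, in the style of Sob's post."""
    return " ".join(f"{b:02x}" for b in packet[12:])


def is_open_resolver(host: str, timeout: float = 2.0) -> bool:
    """ZeroByte's self-test done by hand: send one recursive A query for
    example.com to host:53/udp and report whether the host resolved it.
    Needs network access; point it only at your own WAN address."""
    txid = secrets.randbelow(0x10000)
    query = build_query("example.com", txid=txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (host, 53))
            data, _ = sock.recvfrom(512)
        except OSError:  # timeout, ICMP unreachable, ...
            return False
    if len(data) < 12:
        return False
    rid, flags = struct.unpack("!HH", data[:4])
    is_response = bool(flags & 0x8000)
    recursion_available = bool(flags & 0x0080)
    rcode = flags & 0x000F
    # Only a real recursive answer (RA set, NOERROR) counts as "open".
    return rid == txid and is_response and recursion_available and rcode == 0


if __name__ == "__main__":
    pat = l7_pattern("local")  # \x05local.\x01
    for name in ("ftp.sub2.local", "local.example.net", "wiki.local"):
        pkt = build_query(name)
        print(f"{name:20} {question_hexdump(pkt)}  match={routeros_l7_match(pat, pkt)}")
    print(l7_pattern("local.org.ua"))  # pattern for *.local.org.ua
    # Placeholder address (TEST-NET-1); replace with your router's public IP.
    print("open resolver:", is_open_resolver("192.0.2.1", timeout=1.0))
```

The string returned by l7_pattern is what goes into the layer7-protocol regexp on the router. Both the local.example.net case and the istarx.y.example.net false positive Sob mentions for istar.\x01 are reproduced by routeros_l7_match, so a candidate pattern can be tried against the names actually in use before it is put on the router.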