/IP DNS QUESTION
Posted: Wed Dec 21, 2016 1:00 pm
by paris9
Hello!
This is a DNS Server related issue. Thanks for any help:)
Problem:
I have a web server named www.local.net on the LAN. I have entered a static dns entry for this server into /ip dns static. I am accessing www.local.net from a PC that is also on the LAN. When the Internet is connected, the server can deliver the pages in less than a second at 0.43s. However, when I disconnect the Internet (WAN) connection the same page request takes 10.43s to complete. The problem goes away the moment that I set /ip dns allow-remote-requests=no.
Why is ROS relying on the Internet connection to direct me to a static local server address?
Am I doing something wrong?
Here is my configuration and testing results:
factory-firmware: 3.24
No Internet connection.
/ip dns static
www.local.net 192.168.1.100 1w
/ip dns:
allow-remote-requests: yes
query-server-timeout: 2s
query-total-timeout: 10s
Result: Elapsed time to load page: 10.43s
/ip dns:
allow-remote-requests: yes
query-server-timeout: 2s
query-total-timeout: 3s
Result: Elapsed time to load page: 6.43s
/ip dns:
allow-remote-requests: no
Result: Elapsed time to load page: 0.43s
Re: /IP DNS QUESTION
Posted: Wed Dec 21, 2016 1:54 pm
by nescafe2002
This is probably due to the client appending the DNS search domain to the hostname.
If I look up www.local.net, my client requests the following names (search domain = home.local):
- www.local.net.home.local
- www.local.net
You could create another static entry for www.local.net.[searchdomain] or, what I did, block all outgoing requests using L7 (forward and reverse):
/ip firewall layer7-protocol
add name=home.local regexp=\
"\\x04home\\x05local|\\x0288\\x03168\\x03192\\x07in-addr\\x04arpa"
/ip firewall filter
add action=reject chain=output comment="L7: DNS home.local" dst-port=53 \
layer7-protocol=home.local protocol=udp reject-with=\
icmp-network-unreachable
Re: /IP DNS QUESTION
Posted: Thu Dec 22, 2016 9:14 am
by paris9
Thanks for the help, unfortunately that has not solved my issue. I tried adding local.net to the static address and also the layer7 suggestion. The problem as originally described still stands. I should note that I have tried on several PCs and a MacBook, all with the firewalls and virus protection turned OFF. Here is some more information:
Results:
nslookup www.local.net
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.1.1
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
Non-authoritative answer:
Name: www.local.net
Address: 192.168.1.10
Routerlog shows the DNS request being accepted on the INPUT chain:
00:50:27 firewall,info input: in:lan_bridge1(ether3) out:(none), mac, proto UDP, 192.168.1.15:40654->192.168.1.1:53, len 71
00:50:27 firewall,info input: in:lan_bridge1(ether3) out:(none), mac, proto UDP, 192.168.1.15:40654->192.168.1.1:53, len 71
/ip dns static
0 name="www.local.net" address=192.168.1.10 ttl=1d
1 name="www.local.net.local.net" address=192.168.1.10 ttl=1d
/ip dhcp-server network
address=192.168.1.0/24 gateway=192.168.1.1 dns-server=192.168.1.1 wins-server="" ntp-server="" caps-manager="" domain="local.net" dhcp-option=""
/ip firewall filter
3 chain=input action=accept protocol=tcp dst-port=53 log=yes
4 chain=input action=accept protocol=udp dst-port=53 log=yes
0 chain=output action=reject reject-with=icmp-network-unreachable protocol=udp layer7-protocol=local.net dst-port=53 log=yes log-prefix="lan reject"
/ip firewall layer7-protocol
0 name="local.net" regexp="\x04local\x05net|\x0288\x03168\x03192\x07in-addr\x04arpa"
Re: /IP DNS QUESTION
Posted: Thu Dec 22, 2016 10:10 am
by paris9
Can anyone reproduce my original post? I am wondering if this is a ROS issue?
Re: /IP DNS QUESTION
Posted: Thu Dec 22, 2016 10:59 am
by nescafe2002
L7 doesn't match.
regexp="\x04local\x05net|\x0288\x03168\x03192\x07in-addr\x04arpa"
should be:
/ip firewall layer7-protocol
add name=local.net regexp="\\x05local\\x03net|\\x0288\\x03168\\x03192\\x07in-addr\\x04arpa"
(note the \x05 before local and \x03 before net)
You could also skip everything after \x03net, I just use it to suppress forwarding local reverse name lookups.
/ip firewall layer7-protocol
add name=local.net regexp="\\x05local\\x03net"
Source:
http://forum.mikrotik.com/viewtopic.php?t=88749
\x05 = length of the following hostname part, that's how names are encoded in dns packets
domain.com => regexp="\\x06domain\\x03com"
domain.info => regexp="\\x06domain\\x04info"
test.com => regexp="\\x04test\\x03com"
domain.local => regexp="\\x06domain\\x05local"
sub.domain.test => regexp="\\x03sub\\x06domain\\x04test"
The trailing \\x01\\x01, to filter out false positives (as suggested by psamsig), looks like a good idea, but the first \\x01 is actually query type, so it will match A record queries only. To match all record types, this should work (but I can't test it now):
domain.com => regexp="\\x06domain\\x03com.\\x01"
Re: /IP DNS QUESTION
Posted: Thu Dec 22, 2016 6:49 pm
by Sob
First, one obvious problem, if you want to filter hostnames with appended .local.net, it will also match (and block) www.local.net.
But I think the problem might be elsewhere. There seems to be one small but important difference between using nslookup and normal DNS resolution. If you open www.example.net in browser or ping it, then (if it's not already cached) system sends two queries to resolver:
www.example.net A (IPv4 address)
www.example.net AAAA (IPv6 address)
But if you run "nslookup www.example.net", it sends (in this order, so that's where your two timeouts come from):
www.example.net.<localdomain> A
www.example.net.<localdomain> AAAA
www.example.net A
www.example.net AAAA
Where <localdomain> is in your case "local.net". In other words, by using nslookup, you're not testing what happens when you open www.local.net in browser. So you don't really need to block .local.net, which is good news.
So what does happen? I believe that problem might be server doing reverse lookup of client's address. You're blocking that too (with \x0288\x03168\x03192\x07in-addr\x04arpa), but it looks like reject-with=icmp-network-unreachable does not do the trick. You need to use reject-with=icmp-port-unreachable to make resolution fail immediately.
If it still doesn't help, packet sniffer is your friend.
Edit: One more problem, regexp for blocking PTRs is for 192.168.88.x network, so it can't block anything in your case. Just shorten it to \x03168\x03192\x07in-addr\x04arpa.
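The label encoding nescafe2002 describes above (a length octet before each name part) and the two matching problems Sob points out (a regexp for the .local.net suffix also matches the bare hostname www.local.net, and the PTR regexp as posted is written for 192.168.88.x) can both be checked offline. What follows is an added example, not code from this thread or from RouterOS: it builds constructed DNS query packets in Python and applies the regexp text, as the router stores it, to the raw bytes. The packet builder, the `l7_matches` emulation, the search-list helper and the sample names are assumptions; how the router's own engine treats the NUL bytes that follow the name is not modelled, so only patterns over the label bytes are meaningful here.

```python
"""Encode DNS names as they appear on the wire and check RouterOS-style
layer7 regexps against constructed query packets.  Added example, not
from the forum thread or RouterOS; the matcher emulates regexp matching
on raw packet bytes and is an assumption about the router's behaviour."""
import re
import struct

QTYPE_A, QTYPE_PTR, QTYPE_AAAA = 1, 12, 28


def encode_name(name: str) -> bytes:
    """RFC 1035 wire format: each label is <length octet><label>, ending in 0x00."""
    labels = [part.encode("ascii") for part in name.rstrip(".").split(".") if part]
    if any(len(label) > 63 for label in labels):
        raise ValueError("DNS labels are limited to 63 octets")
    return b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: 12-byte header (RD set, QDCOUNT=1) followed by one
    question (QNAME, QTYPE, QCLASS=IN).  Constructed sample traffic."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)


def l7_regexp(suffix: str) -> str:
    """Regexp text as RouterOS stores it (one backslash per escape) for a
    name suffix, e.g. 'local.net' -> '\\x05local\\x03net'."""
    return "".join("\\x%02x%s" % (len(part), part) for part in suffix.split("."))


def cli_escape(regexp: str) -> str:
    """What is typed inside quotes in the RouterOS CLI: backslashes doubled."""
    return regexp.replace("\\", "\\\\")


def ptr_name(ipv4: str) -> str:
    """Reverse-lookup name: 192.168.1.15 -> 15.1.168.192.in-addr.arpa."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa"


def l7_matches(regexp: str, packet: bytes) -> bool:
    """Emulate the layer7 matcher as a case-insensitive regexp over raw bytes.
    Only the label bytes are exercised; NUL handling in the router's engine
    is not modelled (assumption)."""
    return re.search(regexp.encode("latin-1"), packet, re.DOTALL | re.IGNORECASE) is not None


def search_list_queries(host: str, search_domain: str) -> list:
    """Names nslookup tries for a host when a search domain is configured:
    the suffixed name first, then the bare name."""
    return [f"{host}.{search_domain}", host]


if __name__ == "__main__":
    suffix = l7_regexp("local.net")
    print("stored:", suffix, " cli:", cli_escape(suffix))
    # Every name nslookup tries, for A and AAAA, is caught by the suffix regexp,
    # including the bare www.local.net that the static entry should answer.
    for qname in search_list_queries("www.local.net", "local.net"):
        for qtype in (QTYPE_A, QTYPE_AAAA):
            pkt = build_query(qname, qtype)
            print(f"{qname:28s} qtype={qtype:2d} blocked={l7_matches(suffix, pkt)}")
    # The PTR regexp from the thread is for 192.168.88.x; the shortened one covers 192.168.x.x.
    ptr = build_query(ptr_name("192.168.1.15"), QTYPE_PTR)
    print("PTR, 192.168.88.x regexp:", l7_matches(r"\x0288\x03168\x03192\x07in-addr\x04arpa", ptr))
    print("PTR, 192.168.x.x regexp: ", l7_matches(r"\x03168\x03192\x07in-addr\x04arpa", ptr))
```

Running the script shows all four search-list queries for www.local.net marked as blocked by the `\x05local\x03net` pattern, which is the over-match Sob describes, while the `\x0288...` PTR pattern never matches a 192.168.1.x reverse lookup and the shortened pattern does.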
Re: /IP DNS QUESTION
Posted: Thu Dec 22, 2016 8:06 pm
by paris9
Thanks for the explanation and help.
I just got the last reply while about to reply with the below info, so I will send this anyway and still look into the new information.
I am not seeing anything in the OUTPUT chain while the Internet is disconnected.
I only see the OUTPUT chain when the Internet is connected.
Here are the results:
Setup:
/ip dns
servers: 8.8.8.8,8.8.4.4
dynamic-servers:
allow-remote-requests: yes
max-udp-packet-size: 4096
query-server-timeout: 10s
query-total-timeout: 3s
cache-size: 2048KiB
cache-max-ttl: 1w
cache-used: 82KiB
/ip firewall filter
chain=output action=log protocol=udp dst-port=53 log=no log-prefix="(53)"
chain=output action=log protocol=tcp dst-port=53 log=no log-prefix="(53)"
chain=output action=reject reject-with=icmp-network-unreachable protocol=udp layer7-protocol=local.net dst-port=53 log=yes log-prefix="(53 reject)"
When the internet is Disconnected, this is what I see:
17:17:42 firewall,info (53) input: in:lan_bridge1(ether3) out:(none), src-mac mac, proto UDP, 192.168.1.15:42753->192.168.1.1:53, len 71
17:17:42 firewall,info (53) input: in:lan_bridge1(ether3) out:(none), src-mac mac, proto UDP, 192.168.1.15:39263->192.168.1.1:53, len 71
Then, when I reconnect the Internet I see all these DNS Requests leave the router:
17:17:48 firewall,info (53) output: in:(none) out:ether1, proto UDP, wan:53826->8.8.4.4:53, len 74
17:17:48 firewall,info (53) output: in:(none) out:ether1, proto UDP, wan:49047->8.8.4.4:53, len 74
17:17:48 firewall,info (53) output: in:(none) out:ether1, proto UDP, wan:36523->8.8.4.4:53, len 74
17:17:48 firewall,info (53) output: in:(none) out:ether1, proto UDP, wan:53144->8.8.4.4:53, len 74
17:17:48 firewall,info (53) output: in:(none) out:ether1, proto UDP, wan:53066->8.8.4.4:53, len 74
17:17:48 firewall,info (53) output: in:(none) out:ether1, proto UDP, wan:49904->8.8.4.4:53, len 74
17:17:48 firewall,info (53) output: in:(none) out:ether1, proto UDP, wan:49658->8.8.4.4:53, len 74
17:17:48 firewall,info (53) output: in:(none) out:ether1, proto UDP, wan:48333->8.8.4.4:53, len 74
Then, with the Internet connected, I send a DNS request to the router:
17:26:14 firewall,info (53) input: in:lan_bridge1(ether3) out:(none), src-mac mac, proto UDP, 192.168.1.15:55569->192.168.1.1:53, len 71
17:26:14 firewall,info (53) output: in:(none) out:ether1, proto UDP, wan:52869->8.8.8.8:53, len 71
17:26:14 firewall,info (53) input: in:lan_bridge1(ether3) out:(none), src-mac mac, proto UDP, 192.168.1.15:55570->192.168.1.1:53, len 78
17:26:14 firewall,info (53) input: in:lan_bridge1(ether3) out:(none), src-mac mac, proto UDP, 192.168.1.15:55571->192.168.1.1:53, len 78
Re: /IP DNS QUESTION
Posted: Thu Dec 22, 2016 8:20 pm
by Sob
Oops, I missed that one, that's one more problem, you want your L7 blocking in input chain.
Re: /IP DNS QUESTION
Posted: Thu Dec 22, 2016 8:54 pm
by paris9
Thanks! I made the changes to the regexp and layer7 is working now, but there is still no speed improvement.
Here are the results:
Setup:
/ip firewall filter
chain=output action=reject reject-with=icmp-port-unreachable protocol=udp layer7-protocol=local.net dst-port=53 log=yes log-prefix="(53 reject)"
/ip firewall layer7-protocol
add name=local.net regexp="\\x05local\\x03net|\\x03168\\x03192\\x07in-addr\\x04arpa"
Without Internet connected:
18:36:27 firewall,info (53) input: in:lan_bridge1(ether3) out:(none), src-mac mac, proto UDP, 192.168.1.15:57411->192.168.1.1:53, len 78
18:36:27 firewall,info (53) input: in:lan_bridge1(ether3) out:(none), src-mac mac, proto UDP, 192.168.1.15:57412->192.168.1.1:53, len 78
When I reconnect the Internet:
18:38:05 firewall,info (53 reject) output: in:(none) out:ether1, proto UDP, wan:37006->8.8.4.4:53, len 63
18:38:05 firewall,info (53 reject) output: in:(none) out:ether1, proto UDP, wan:36569->8.8.8.8:53, len 63
18:38:05 firewall,info (53 reject) output: in:(none) out:ether1, proto UDP, wan:49275->8.8.4.4:53, len 63
18:38:05 firewall,info (53 reject) output: in:(none) out:ether1, proto UDP, wan:55358->8.8.8.8:53, len 63
18:38:05 firewall,info (53 reject) output: in:(none) out:ether1, proto UDP, wan:46756->8.8.4.4:53, len 63
nslookup with the Internet connected:
18:40:21 firewall,info (53) input: in:lan_bridge1(ether3) out:(none), src-mac mac, proto UDP, 192.168.1.15:64551->192.168.1.1:53, len 71
18:40:21 firewall,info (53 reject) output: in:(none) out:ether1, proto UDP, wan:59820->8.8.8.8:53, len 71
Re: /IP DNS QUESTION
Posted: Thu Dec 22, 2016 8:55 pm
by paris9
Ok, I will try on the Input chain.
Re: /IP DNS QUESTION
Posted: Thu Dec 22, 2016 9:14 pm
by Sob
Don't forget to remove local.net from regexp.
Re: /IP DNS QUESTION
Posted: Thu Dec 22, 2016 9:41 pm
by paris9
It works!
When the Internet is disconnected and I browse to www.local.net, the site stumbles at first because it's looking for one remote JavaScript lib that's not being served locally (this is my issue) and then everything else loads lightning fast. Then, when I connect the Internet everything loads as it should.
Results of nslookup:
nslookup www.local.net
Server: UnKnown
Address: 192.168.1.1
*** UnKnown can't find www.local.net: No response from server
Question:
Do I only need to have a dns policy on Input for UDP?
I read this on google: "A client computer will always send a DNS Query using UDP Protocol over Port 53. If a client computer does not get response from a DNS Server, it must re-transmit the DNS Query using the TCP after 3-5 seconds of interval."
Re: /IP DNS QUESTION
Posted: Fri Dec 23, 2016 12:14 am
by Sob
To tell the truth, I don't know about this fallback from udp to tcp in case of no response. When I'm trying to test if it actually happens, so far it does not (testing with Windows 7).
You can block tcp too and worst case, it won't get used. But tcp is different, you can't just pretend that the server is not there, like with udp. Because to see the question, you need to let the connection establish first. You can then close it (reject with tcp-reset), but I don't know what the client will think about it.