
DNS Servers / secondary before primary ?

Posted: Mon Apr 03, 2017 10:03 pm
by stefanj
Hey folks,

I would like to use MikroTik as the DNS server for my network.
The DNS server is configured with 2 remote DNS servers.
10.21.1.1 is the primary DNS server, behind a site-to-site IPsec tunnel.
192.168.0.2 is the secondary DNS server. I would like to use this DNS server as a fallback when the VPN tunnel is down (not accessible).

But sometimes MikroTik uses the secondary DNS server before the primary DNS server.
Is this a bug?
[attachment: Screen Shot 2017-04-03 at 20.41.00.png]
How can I solve my use case?


Best

Stefan

Re: DNS Servers / secondary before primary ?

Posted: Mon Apr 03, 2017 10:17 pm
by ZeroByte
DNS doesn't behave that way - at least not in the spec. When you give a list of resolvers, a DNS client may (and usually will) float between them at random. It's considered to be a load-sharing mechanism.

Re: DNS Servers / secondary before primary ?

Posted: Tue Apr 04, 2017 10:07 pm
by stefanj
Thanks for your help.
Do you have an idea to fulfill my use case?
Or do you know a way to sync static DNS entries between 2 MikroTik routers?

Re: DNS Servers / secondary before primary ?

Posted: Wed Apr 05, 2017 2:56 am
by juliokato
After a timeout from the primary DNS, the request is made to the secondary DNS.

With the sniffer I have seen some Android devices performing concurrent queries to all DNS servers at the same time, and the secondary server responds faster.

Re: DNS Servers / secondary before primary ?

Posted: Thu Apr 13, 2017 9:14 pm
by ZeroByte
> Thanks for your help.
> Do you have an idea to fulfill my use case?
> Or do you know a way to sync static DNS entries between 2 MikroTik routers?
No - because the Mikrotik resolver is intended to be a simple caching proxy resolver. Some people use it as a light-weight authoritative DNS server, but it really isn't built for that job. (I wish it would add static entries for DHCP clients, especially in an IPv6 world)

The static host name feature exists so that you can place a few strategic entries, especially for captive portals. It works okay even with a decent list of static host names, but don't lose sight of the fact that this is NOT a DNS server - just a caching proxy. If you want to keep two of them synchronized, then you need to add the data to both of them separately. There is no mechanism in ROS for automatic sync. Again, it's not an actual DNS server.

Re: DNS Servers / secondary before primary ?

Posted: Thu Apr 13, 2017 9:36 pm
by nescafe2002
You could use an L7 rule to dst-nat your '.office' requests to the remote DNS server (google for Mikrotik Layer 7 conditional DNS forwarding).

Alternatively, add a netwatch entry for the secondary DNS server with an up/down script:
/tool netwatch
add host=192.168.0.2 \
  up-script="/ip dns set servers=192.168.0.2" \
  down-script="/ip dns set servers=10.21.1.1"
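
A fuller variant of the netwatch approach, added here as an example and not part of nescafe2002's post: it watches the primary resolver that sits behind the IPsec tunnel (10.21.1.1 and 192.168.0.2 are the addresses from the thread), keeps the primary listed first while it answers pings, drops back to the local secondary alone while it does not, and flushes the resolver cache on each transition so clients do not keep answers obtained from the other server. The interval, timeout, comment strings and log messages are assumptions.

```routeros
# Added example (not from the original post). Watches the tunnel-side
# primary and reorders the forwarders; interval/timeout/comments assumed.

# Normal state: primary first, local secondary as fallback.
/ip dns set servers=10.21.1.1,192.168.0.2

/tool netwatch
add host=10.21.1.1 interval=30s timeout=2s comment="primary DNS via IPsec" \
    up-script="/ip dns set servers=10.21.1.1,192.168.0.2; /ip dns cache flush; /log info \"netwatch: tunnel DNS up, primary first\"" \
    down-script="/ip dns set servers=192.168.0.2; /ip dns cache flush; /log warning \"netwatch: tunnel DNS down, using fallback only\""
```

Two caveats a practitioner should keep in mind: netwatch only proves ICMP reachability, not that the DNS service on that host is answering, and the probe is sent by the router itself, so its source address must fall inside the IPsec policy or the ping never enters the tunnel and the host is reported down permanently.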

Re: DNS Servers / secondary before primary ?

Posted: Thu Sep 06, 2018 9:45 am
by luddite
This would be perfect for my branch office with an IPsec VPN, except I can't get the router itself to route packets over the VPN, so the script always thinks the host is down. Anyone have some clues how to do that? Tried a mangle rule but no luck.

(That layer7 solution mentioned suffers the same limitation.)

Thanks.

Re: DNS Servers / secondary before primary ?

Posted: Thu Sep 06, 2018 4:07 pm
by nescafe2002
According to the default route, your router will pick the WAN address as the source address for pings. This will not be picked up by the IPsec policy matcher.

By adding a simple route for the remote subnet to the LAN, the router will choose the LAN address as source and the packet will match the IPsec policy.
/ip route
add dst-address=192.168.0.0/24 gateway=bridge-lan

Replace 192.168.0.0/24 with remote subnet and bridge-lan with your lan interface/bridge name.

This will not fix your L7 problem, as locally initiated connections will never be dst-natted and connections from the LAN already have the correct source address. You may post your L7 solution for further review (with a network overview and expected behavior).
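
The route trick together with the checks used to confirm it took effect, added here as an example rather than taken from the post. The local LAN 10.1.1.0/24 on bridge-local and the remote LAN 192.168.0.0/24 follow the thread; the remote host 192.168.0.5 and the rule comment are assumptions.

```routeros
# Added example (not from the original post). Addresses/interface names
# follow the thread; the probed host 192.168.0.5 is assumed.

# 1. Route the remote subnet via the LAN bridge. The router then selects its
#    LAN address (10.1.1.1) as source, which lies inside the policy's
#    src-address=10.1.1.0/24, so the packet is caught by the IPsec policy.
/ip route
add dst-address=192.168.0.0/24 gateway=bridge-local comment="source-select for IPsec"

# 2. Compare an explicitly LAN-sourced probe with the default-sourced one.
#    With the route in place both should succeed; without it only the first.
/ping 192.168.0.5 src-address=10.1.1.1 count=3
/ping 192.168.0.5 count=3

# 3. Confirm phase 2 is actually established for that selector.
/ip ipsec policy print detail where dst-address=192.168.0.0/24
/ip ipsec installed-sa print
```

The route has no effect on forwarded LAN traffic, which already carries a 10.1.1.x source; it only changes how the router sources its own packets.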

Re: DNS Servers / secondary before primary ?

Posted: Fri Sep 07, 2018 3:25 am
by luddite
Excellent idea.

Didn't work for some reason; I am just cleaning up the export to post.
Many thanks.


Re: DNS Servers / secondary before primary ?

Posted: Fri Sep 07, 2018 10:28 am
by luddite
# model = 951Ui-2HnD

/interface bridge
add arp=proxy-arp auto-mac=no fast-forward=no mtu=1500 name=bridge-local

/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
add bridge=bridge-local interface=wlan2
add bridge=bridge-local interface=ether3-slave-local
add bridge=bridge-local interface=ether4-slave-local
add bridge=bridge-local interface=ether5-slave-local

/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local speed=1Gbps
set [ find default-name=ether3 ] name=ether3-slave-local
set [ find default-name=ether4 ] name=ether4-slave-local
set [ find default-name=ether5 ] name=ether5-slave-local

/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-gateway keepalive-timeout=60 max-mru=1400 max-mtu=1400 name=pppoe-out1

/ip address
add address=10.1.1.1/24 interface=bridge-local network=10.1.1.0

/ip dhcp-server
add add-arp=yes address-pool=pool1 authoritative=after-2sec-delay disabled=no interface=bridge-local lease-time=1d name=default

/ip dhcp-server network
add address=10.1.1.0/24 dns-server=8.8.8.8 gateway=10.1.1.1

/ip pool
add name=pool1 ranges=10.1.1.100-10.1.1.200

/ip dns
set allow-remote-requests=yes servers=8.8.8.8

/ip firewall filter
add action=drop chain=input dst-port=53 in-interface=pppoe-out1 protocol=udp
add action=drop chain=input dst-port=53 in-interface=pppoe-out1 protocol=tcp
add action=accept chain=input dst-port=500 protocol=udp src-port=500
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=output protocol=ipsec-esp
add action=accept chain=input comment="Allow limited pings" disabled=yes limit=50/5s,2:packet log=yes log-prefix=icmp- protocol=\
    icmp
add action=drop chain=input comment="Drop excess pings" protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established
add action=accept chain=input comment="default configuration" connection-state=related
add action=accept chain=forward comment="default configuration" connection-state=established
add action=accept chain=forward comment="default configuration" connection-state=related
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=\
    22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=10s chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=10s chain=input connection-state=new dst-port=22 \
    protocol=tcp
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=drop chain=input comment="default configuration" in-interface=pppoe-out1

/ip firewall mangle
add action=passthrough chain=output disabled=yes dst-address=192.168.0.0/24

/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.0.0/24 src-address=10.1.1.0/24
add action=masquerade chain=srcnat comment="default configuration" out-interface=pppoe-out1

/ip firewall raw
add action=notrack chain=prerouting dst-address=192.168.0.0/24 src-address=10.1.1.0/24
add action=notrack chain=prerouting dst-address=10.1.1.0/24 src-address=192.168.0.0/24

/ip ipsec proposal
set [ find default=yes ] disabled=yes enc-algorithms=aes-128-cbc pfs-group=none
add enc-algorithms=3des lifetime=1d name=proposal1 pfs-group=modp1536

/ip ipsec peer
add address=peer.add.re.ss/32 dh-group=modp1536 enc-algorithm=3des exchange-mode=ike2

/ip ipsec policy
add dst-address=192.168.0.0/24 proposal=proposal1 sa-dst-address=peer.add.re.ss sa-src-address=src.add.re.ss src-address=10.1.1.0/24 \
    tunnel=yes

/ip route
add distance=1 dst-address=192.168.0.0/24 gateway=bridge-local

/tool netwatch
add down-script="/ip dns set servers=8.8.8.8" host=192.168.0.5 up-script="/ip dns set servers=192.168.0.5"

Re: DNS Servers / secondary before primary ?

Posted: Fri Sep 07, 2018 10:43 am
by nescafe2002
You are notracking your IPsec traffic, but not allowing it in the filter. Established/related rules will not pick up that traffic because of notrack.
Either add an accept for ipsec-policy=in or remove the notrack rules to enable connection tracking for IPsec traffic.

Also add a default drop rule on in-interface=pppoe-out1 in forward chain for security reasons.
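
One way to apply that advice while keeping the notrack raw rules, added here as an example and not nescafe2002's own configuration. Interface and subnet names follow luddite's export; the rule comments are assumptions. The ipsec-policy matcher is the only thing that can accept this traffic once it is untracked, so the accepts are placed at the top of each chain, above the existing drops.

```routeros
# Added example (not from the original post). Keeps the raw notrack rules
# from the export and accepts decrypted tunnel traffic by policy instead of
# by connection state. place-before=0 puts each rule at the top of its chain.

/ip firewall filter
# Decrypted packets addressed to the router itself, e.g. replies to the
# netwatch ping, which notrack keeps out of established/related.
add chain=input action=accept ipsec-policy=in,ipsec place-before=0 \
    comment="IPsec: decrypted traffic to router"
# Decrypted packets between the two LANs, both directions.
add chain=forward action=accept ipsec-policy=in,ipsec place-before=0 \
    comment="IPsec: from remote LAN"
add chain=forward action=accept ipsec-policy=out,ipsec place-before=0 \
    comment="IPsec: to remote LAN"
# Default deny for everything else arriving from the WAN in forward,
# mirroring the existing input drop on pppoe-out1. Appended last so the
# established/related accepts for normal NATed traffic stay ahead of it.
add chain=forward action=drop in-interface=pppoe-out1 \
    comment="drop unsolicited WAN forward"
```

The alternative route is to delete the two rules under /ip firewall raw so the tunnel traffic is tracked again; then the existing established/related accepts cover the return direction, but the initial packet from the remote LAN still needs an accept in forward, and the ipsec-policy=in,ipsec matcher remains the precise way to write it.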

Re: DNS Servers / secondary before primary ?

Posted: Fri Sep 07, 2018 10:44 am
by luddite
You da man :)