MikroTik

Hello.

My situation:

I have a script, wich checks my entries (dns names) in my firewall access list and rewrites the checked ip.
this script runs everty 60 sec.

My question:

is it nessesary to do this?
is there not a check in routeros inside, which checks for example TTL and corrects the new ip automatically in the access list?

thx - regards

You mean address lists...
There is a TTL value for every DNS name in the routers DNS cache.
However this has nothing to do with the firewall...If an address is added to an address list then its your concern if that address must stay there or should be removed...

It wasn't supported in the past, but for some time now (few years I guess) it's possible to add hostnames in address list and RouterOS will automatically resolve them, watch for TTL and keep addresses updated. The only change is if you currently use src/src-address, you'd need to replace it with src/dst-address-list and add the list with hostname.

@sob exactly, it will resolve the host name...
So for example if the hostname is name.local which resolves to 1.2.3.4 and i add that entry to an address list, this means that 1.2.3.4 is in the list....
If name.local changes to 5.6.7.8 then it will be added to the list as well... so my list will have both 1.2.3.4 and 5.6.7.8... or even if it is not added, my list will have an address that no more corresponds to the same host name...
I think what @mali2003 wants is a script that would delete the 1.2.3.4 and replace it with the 5.6.7.8

Edit: From a quick search it seems that if you add a dns name as an address then the dns name it self is added to the list without actually being resolved, so if that actually happens no need to worry about anything since it will be updated without the need of any script...

Thx very much.
My question is solved now.
I do not need a script to delete entries, just update them and be sure there are always correct dns names corresponding to there is address.

Is the address in the address list resolved or you can see that actual dns name inside the list ?
Havent tested that yet...

You can see the name (that's what is saved in config) and you can also see resolved address(es), which happens automatically at startup or when you add the item. Addresses are valid until record's TTL expires and then they are resolved again.

You can see the name (that's what is saved in config) and you can also see resolved address(es), which happens automatically at startup or when you add the item. Addresses are valid until record's TTL expires and then they are resolved again.

Thx, thats the way i expected it suposed to be.
Now i know again why my Script was nessesary some time ago, as u described some posts ago, that this feature was not in previeus Firmware implemented.

Gesendet von meinem MI 8 Lite mit Tapatalk

You can see the name (that's what is saved in config) and you can also see resolved address(es), which happens automatically at startup or when you add the item. Addresses are valid until record's TTL expires and then they are resolved again.

@sob you make it more confusing to me. My question was, if i add a dst address to an address list and that dst adress is a domain name then in the address list i will see the domain name or the IP the domain name resolves to?
The way you explain it is like i will see both...
Anyways, didint have time to test is today...

Let's put it like this, this is real config:
So router saves "forum.mikrotik.com". But you'll see both this and dynamic 159.148.147.205, which the hostname currently resolves to. After TTL expires, it will be resolved again and if the address changes, the old one will disappear and list will contain the new one.

@sob, i did as you said and yes i could see the real IP for forum.mikrotik.com...
Then i did flush the cache of the DNS, added a static dns entry for forum.mikrotik.com to another IP...
Nothing changed, no IP was renewed... inside the address list i was still seeing the previous IP...
Although ofcorse when i did ping forum.mikrotik.com i was correctly getting reply from the IP i manually added...
The DNS cache was showing the correct IP i manually added but again no change inside the address list..!
So i dont think it works the way you say it does...!

I'd say it's meant mainly to keep up with changes done outside of router. So there's a hostname you don't control, you add it in address list and if its target address changes, router will update it, after TTL of record in address list expires. Yours can be viewed as a special case, but it still works like this, apparently it doesn't get any special handling. When you added forum.mikrotik.com to address list, its TTL was X seconds. Then when you added new static DNS entry, address list doesn't care, because the address it has is still valid for "X minus how long it took you to add static entry" seconds. If you wait for that long, it will be correctly updated.

Then when you added new static DNS entry, address list doesn't care, because the address it has is still valid for "X minus how long it took you to add static entry" seconds. If you wait for that long, it will be correctly updated.

What do you mean ? There was no TTL value inside the address list...
Also my static dns had TTL changed to 1 minute.. after that 1 minute although i deleted the static entry, the address list was never updated to the real IP... it continued showing the previous IP.

TTL in address list is internal thing, you don't see it.

So when you first addded forum.mikrotik.com, address list resolved it (using local resolver) and stored the result with whatever TTL was in local DNS cache (or what came from upstream resolver if it wasn't in local cache before). Default TTL for forum.mikrotik.com set on authoritative server is currently two hours, so your record had TTL anywhere between zero and that, depending on where and how long it was already cached. Let's say it was full two hours. It means that you or anyone else can do whatever you want with forum.mikrotik.com, authoritative server can assign different address, you can add local override in IP->DNS, but address list doesn't care, it has address valid for two hours and only after that time it will try to resolve forum.mikrotik.com again.

What about when i did the opossite ? First tested with the static entry that had TTL to 1 minute ?
After that 1 minute i never saw the real IP in the address list.

Works here too. I added static record for forum.mikrotik.com pointing to 127.0.0.1 with one minute TTL. Then I added forum.mikrotik.com to address list and it got address 127.0.0.1. I disabled static record and it didn't affect address list right away (as expected). But after a minute it expired and address in list changed to real one from public DNS.

Works here too. I added static record for forum.mikrotik.com pointing to 127.0.0.1 with one minute TTL. Then I added forum.mikrotik.com to address list and it got address 127.0.0.1. I disabled static record and it didn't affect address list right away (as expected). But after a minute it expired and address in list changed to real one from public DNS.

Ok i ll check it again tomorrow...

Edit: Tested again and it works...i guess i missed something the previous time i tested...