
Force all LAN devices to use Adguard local DNS running on Docker on the same Router

Posted: Sun Jun 18, 2023 4:08 pm
by arcc
Hello friends,

I am using AdGuard DNS running in Docker on my own MikroTik AX3 router to filter DNS. It works fine as long as the devices have the AdGuard DNS configured, but if I set an explicit DNS, for example 8.8.8.8.8, the machine stops resolving DNS. The idea is that if the user sets DNS X, the forwarding rules redirect those queries to AdGuard and the machine believes that 8.8.8.8.8 was the one that resolved it, so that it is transparent.

Note: I have seen many questions and answers of this type, but I see that none solves what I want. Maybe it is not possible, but I really have already done everything in my power and have not been able to solve what I described.

So here I leave part of my configuration so you can orient yourselves; please give me some idea of how to do it or why it is not working.

AdGuard DNS IP: 10.0.0.1
Version: v0.107.32

/interface bridge
add comment=BR-DOCKERS name=BR-DOCKERS

/interface bridge port
add bridge=BR-DOCKERS comment=VETH1-DOCKERS interface=VETH1-DOCKERS

/ip address
add address=10.0.0.2/24 comment=BR-DOCKERS interface=BR-DOCKERS network=10.0.0.0

/interface veth
add address=10.0.0.1/24 comment=VETH1-DOCKERS gateway=10.0.0.2 name=VETH1-DOCKERS

/ip firewall nat
add action=dst-nat chain=dstnat comment="ADGUARD DNS" dst-port=53 in-interface-list=!WAN protocol=udp src-address=!10.0.0.1 to-addresses=10.0.0.1 to-ports=53
add action=dst-nat chain=dstnat comment="ADGUARD DNS" dst-port=53 in-interface-list=!WAN protocol=tcp src-address=!10.0.0.1 to-addresses=10.0.0.1 to-ports=53

/interface list
add name=WAN

/interface list member
add comment=ISP interface=ether1 list=WAN

I have consulted a lot on the internet and found nothing. This question is the closest to what I want, but it doesn't work.

viewtopic.php?t=190919&sid=f72a273a32fe ... 84600a3fd6

Greetings, and excuse my English, which is not my native language. Thank you very much...

Re: Force all LAN devices to use Adguard local DNS running on Docker on the same Router

Posted: Sun Jun 18, 2023 4:43 pm
by anav
Also post config
/export file=anynameyouwish (minus router serial number, any public WANIP information)

Re: Force all LAN devices to use Adguard local DNS running on Docker on the same Router

Posted: Sun Jun 18, 2023 7:13 pm
by arcc
Also post config
/export file=anynameyouwish (minus router serial number, any public WANIP information)
Hello,

Thank you for your reply. Please find attached the requested information.

Note: I have replaced the public IPs, MAC addresses and tunnel name with X.

Thank you very much

Re: Force all LAN devices to use Adguard local DNS running on Docker on the same Router

Posted: Mon Jun 19, 2023 9:50 pm
by anav
Assuming you have done the VETH part correctly.
Let's look at the facts.

a. The VETH AdGuard still needs a DNS path to reach its encrypted cloud servers, and there may be other requirements for DNS as well......

INPUT CHAIN - ensure in-interface-list=LAN has DNS access tcp/udp

Either as per default rules.
{Input Chain}
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else"

Or as per modified to drop all else.
{Input Chain}
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input in-interface-list=LAN src-address-list=Admin
add action=accept chain=input comment="Allow LAN DNS queries - UDP" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=53 in-interface-list=LAN protocol=tcp
(and NTP or other services if required, etc.)

add action=drop chain=input comment="drop all else"

b. We still need to allow the DNS server and remote requests for the VETH AdGuard.
Server=8.8.8.8
Allow remote-requests=YES

c. The rest of the subnets, including the users on the same subnet as the VETH, should use AdGuard for DNS.

add action=dst-nat chain=dstnat in-interface-list=LAN src-address-list=!excluded dst-port=53 protocol=tcp to-addresses=10.0.0.10
add action=dst-nat chain=dstnat in-interface-list=LAN src-address-list=!excluded dst-port=53 protocol=udp to-addresses=10.0.0.10

The firewall address list "excluded" includes as a minimum the AdGuard LAN IP 10.0.0.10/32.
It may include any other users or subnets you wish to exclude from AdGuard.

d. For the subnets, ensure you also set the DNS server to 10.0.0.10:
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=10.0.0.10 gateway=192.168.0.1
add address=192.168.2.0/24 dns-server=10.0.0.10 gateway=192.168.2.1
add address=192.168.30.0/24 dns-server=10.0.0.10 gateway=192.168.30.1
add address=10.0.0.0/24 dns-server=10.0.0.10 gateway=10.0.0.1

e. Don't forget the forward chain rule for dst-nat traffic.....

Default rule
{forward chain}
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

Re: Force all LAN devices to use Adguard local DNS running on Docker on the same Router

Posted: Tue Jun 20, 2023 4:49 pm
by arcc
Assuming you have done the VETH part correctly.
Let's look at the facts.

a. The VETH AdGuard still needs a DNS path to reach its encrypted cloud servers, and there may be other requirements for DNS as well......

INPUT CHAIN - ensure in-interface-list=LAN has DNS access tcp/udp

Either as per default rules.
{Input Chain}
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else"

Or as per modified to drop all else.
{Input Chain}
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input in-interface-list=LAN src-address-list=Admin
add action=accept chain=input comment="Allow LAN DNS queries - UDP" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=53 in-interface-list=LAN protocol=tcp
(and NTP or other services if required, etc.)

add action=drop chain=input comment="drop all else"

b. We still need to allow the DNS server and remote requests for the VETH AdGuard.
Server=8.8.8.8
Allow remote-requests=YES

c. The rest of the subnets, including the users on the same subnet as the VETH, should use AdGuard for DNS.

add action=dst-nat chain=dstnat in-interface-list=LAN src-address-list=!excluded dst-port=53 protocol=tcp to-addresses=10.0.0.10
add action=dst-nat chain=dstnat in-interface-list=LAN src-address-list=!excluded dst-port=53 protocol=udp to-addresses=10.0.0.10

The firewall address list "excluded" includes as a minimum the AdGuard LAN IP 10.0.0.10/32.
It may include any other users or subnets you wish to exclude from AdGuard.

d. For the subnets, ensure you also set the DNS server to 10.0.0.10:
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=10.0.0.10 gateway=192.168.0.1
add address=192.168.2.0/24 dns-server=10.0.0.10 gateway=192.168.2.1
add address=192.168.30.0/24 dns-server=10.0.0.10 gateway=192.168.30.1
add address=10.0.0.0/24 dns-server=10.0.0.10 gateway=10.0.0.1

e. Don't forget the forward chain rule for dst-nat traffic.....

Default rule
{forward chain}
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
Hello

Thanks for your suggestions

I applied the changes you indicated and it still does not work on the computer where I set a static DNS, but the other computers that have the AdGuard DNS work fine.

I am still testing to see if I can get a solution if possible.

Thanks

Re: Force all LAN devices to use Adguard local DNS running on Docker on the same Router

Posted: Tue Jun 20, 2023 9:16 pm
by anav
This will work on all devices using static DNS on their PC etc.......
It will NOT work if you use some sort of proxy or VPN bypass (perhaps your browser has one built in??). The ability to force users is predicated on the off chance they put in something NOT sophisticated, such as just putting 8.8.8.8 in their DNS setting on the PC. If they run something else (more powerful), regardless of what you do, they will bypass AdGuard.

Re: Force all LAN devices to use Adguard local DNS running on Docker on the same Router

Posted: Tue Jun 27, 2023 5:12 am
by arcc
This will work on all devices using static DNS on their PC etc.......
It will NOT work if you use some sort of proxy or VPN bypass (perhaps your browser has one built in??). The ability to force users is predicated on the off chance they put in something NOT sophisticated, such as just putting 8.8.8.8 in their DNS setting on the PC. If they run something else (more powerful), regardless of what you do, they will bypass AdGuard.
Hello,

Thank you very much dear anav for the guidance and help to resolve this issue.

After reviewing my router's configuration, I was able to solve the problem by testing in GNS3 and adding a single rule that accepts UDP traffic on port 53 before the two routing rules to ISP1 and ISP2.

/ip firewall mangle
add action=accept chain=prerouting comment="ACCEPT DNS TRAFFIC" dst-port=53 in-interface-list=!WAN protocol=udp

With that rule everything was perfect. Anyway, I don't know if it is the best practice to solve this problem.

I apologize for my English, as it is not my native language.

Thank you very much
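
As an added example (my own code, not from the thread or from MikroTik), the following script checks an exported RouterOS firewall configuration for the pitfalls raised in this thread: anav's checklist (dst-nat for both UDP and TCP port 53, an exclusion so the AdGuard container's own upstream queries are not NATed back to itself, a forward-chain accept for redirected flows) and arcc's finding that under policy routing a mark-routing rule placed before the DNS accept in mangle prerouting breaks the redirect. The two sample configurations are constructed for the demonstration, adapted from the rules posted above; the address-list name dns-excluded and the routing mark to_ISP1 are my assumptions, not values from the thread.

```python
"""Lint a RouterOS export for transparent-DNS-redirect pitfalls.

Added example (not RouterOS or AdGuard code). Parses 'add key=value ...'
lines under '/ip firewall ...' menus and reports which of the checks from
the thread pass. Sample configs below are constructed, not a real export.
"""
import shlex

ADGUARD_IP = "10.0.0.1"  # AdGuard container address used in the thread

# Constructed "good" config: both protocols redirected, container excluded,
# forward chain accepts dst-nat flows, DNS accepted before the routing mark.
GOOD_CONFIG = """
/ip firewall address-list
add address=10.0.0.1 list=dns-excluded
/ip firewall nat
add action=dst-nat chain=dstnat comment="ADGUARD DNS" dst-port=53 in-interface-list=!WAN protocol=udp src-address-list=!dns-excluded to-addresses=10.0.0.1 to-ports=53
add action=dst-nat chain=dstnat comment="ADGUARD DNS" dst-port=53 in-interface-list=!WAN protocol=tcp src-address-list=!dns-excluded to-addresses=10.0.0.1 to-ports=53
/ip firewall filter
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall mangle
add action=accept chain=prerouting comment="ACCEPT DNS TRAFFIC" dst-port=53 in-interface-list=!WAN protocol=udp
add action=mark-routing chain=prerouting in-interface-list=LAN new-routing-mark=to_ISP1 passthrough=no
"""

# Constructed "bad" config: UDP only, no loop exclusion, and the routing mark
# fires before any DNS accept (the situation arcc described).
BAD_CONFIG = """
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=53 in-interface-list=!WAN protocol=udp to-addresses=10.0.0.1 to-ports=53
/ip firewall filter
add action=drop chain=forward comment="drop all else"
/ip firewall mangle
add action=mark-routing chain=prerouting in-interface-list=LAN new-routing-mark=to_ISP1 passthrough=no
"""


def parse_export(text):
    """Return a list of rule dicts; '_section' is the menu path, '_pos' the
    global order (rule order matters for the mangle check)."""
    rules, section, pending = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        if line.endswith("\\"):  # RouterOS line continuation
            pending += line[:-1] + " "
            continue
        tokens = shlex.split(pending + line)  # shlex keeps quoted comments whole
        pending = ""
        if not tokens or tokens[0] != "add":
            continue
        rule = {"_section": section, "_pos": len(rules)}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def _in(rules, section, **match):
    """Rules in a menu section whose fields equal every key/value in match."""
    return [r for r in rules if r["_section"] == section
            and all(r.get(k) == v for k, v in match.items())]


def excluded_from(rule, rules, ip):
    """True if the rule can never match packets sourced from ip, either via a
    negated src-address or a negated src-address-list that contains ip."""
    if rule.get("src-address") == "!" + ip:
        return True
    lst = rule.get("src-address-list", "")
    if lst.startswith("!"):
        members = _in(rules, "/ip firewall address-list", list=lst[1:])
        return any(m.get("address") in (ip, ip + "/32") for m in members)
    return False


def lint(text, adguard_ip=ADGUARD_IP):
    """Run the four checks from the thread and return a findings dict."""
    rules = parse_export(text)
    findings = {}
    # 1. dst-nat must catch port 53 for both UDP and TCP
    redirects = [r for r in _in(rules, "/ip firewall nat", chain="dstnat",
                                action="dst-nat", **{"dst-port": "53"})
                 if r.get("to-addresses") == adguard_ip]
    findings["redirect_protocols"] = sorted({r.get("protocol") for r in redirects})
    # 2. the container's own upstream queries must not be NATed back to itself
    findings["loop_guarded"] = bool(redirects) and all(
        excluded_from(r, rules, adguard_ip) for r in redirects)
    # 3. forward chain must let redirected (or directly addressed) flows reach AdGuard
    fwd = _in(rules, "/ip firewall filter", chain="forward", action="accept")
    findings["forward_allows"] = any(
        r.get("connection-nat-state") == "dstnat" or r.get("dst-address") == adguard_ip
        for r in fwd)
    # 4. with policy routing, a mark-routing rule ahead of the port 53 accept
    #    sends DNS through an ISP routing table instead of to the container
    mangle = _in(rules, "/ip firewall mangle", chain="prerouting")
    marks = [r["_pos"] for r in mangle if r.get("action") == "mark-routing"]
    accepts = [r["_pos"] for r in mangle
               if r.get("action") == "accept" and r.get("dst-port") == "53"]
    findings["dns_accepted_before_marks"] = (
        not marks or (bool(accepts) and min(accepts) < min(marks)))
    return findings


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, lint(cfg))
```

To use it on a real router, paste the output of `/export` for the firewall menus into a file and call `lint()` on its contents; every key that comes back False points at one of the items anav or arcc raised above. The mangle check deliberately only looks at rule order, because that is the whole of arcc's fix: the accept has to sit above the routing-mark rules.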

Re: Force all LAN devices to use Adguard local DNS running on Docker on the same Router

Posted: Tue Jun 27, 2023 3:47 pm
by anav
Probably all you needed was to ensure LAN access to the router DNS services in the input chain rules, but it is too hard to look at your mess of rules LOL. Best if you at least organize the input chain rules together and the forward chain rules together.

Re: Force all LAN devices to use Adguard local DNS running on Docker on the same Router

Posted: Mon Jul 24, 2023 5:05 pm
by xBodziu
Hello,
I have the same issue, read all the posts and nothing works for me. Could you please help me??

Re: Force all LAN devices to use Adguard local DNS running on Docker on the same Router

Posted: Thu Feb 22, 2024 4:46 pm
by abdurraufrafli
This will work on all devices using static DNS on their PC etc.......
It will NOT work if you use some sort of proxy or VPN bypass (perhaps your browser has one built in??). The ability to force users is predicated on the off chance they put in something NOT sophisticated, such as just putting 8.8.8.8 in their DNS setting on the PC. If they run something else (more powerful), regardless of what you do, they will bypass AdGuard.
Hello,

Thank you very much dear anav for the guidance and help to resolve this issue.

After reviewing my router's configuration, I was able to solve the problem by testing in GNS3 and adding a single rule that accepts UDP traffic on port 53 before the two routing rules to ISP1 and ISP2.

/ip firewall mangle
add action=accept chain=prerouting comment="ACCEPT DNS TRAFFIC" dst-port=53 in-interface-list=!WAN protocol=udp

With that rule everything was perfect. Anyway, I don't know if it is the best practice to solve this problem.

I apologize for my English, as it is not my native language.

Thank you very much
Can you please share your final config for ip-firewall-nat and -mangle again?
I am confused too, because I am still experiencing the same issue: when I set the DNS statically on any device to something other than the AdGuard Home IP, it won't redirect to AdGuard Home as the DNS server; it uses that static DNS.

Thanks in advance

Re: Force all LAN devices to use Adguard local DNS running on Docker on the same Router

Posted: Thu Feb 22, 2024 8:17 pm
by Mesquite
I would have to look at the config to assess, but
the only thing missing from the initial discussion is a forward chain rule allowing all VLANs permission to reach the AdGuard IP address (destination address),
so that if traffic is sent there by other means, it will be allowed.

I don't see the need to mangle??