DNS Redirect Sanity Check

Posted: Wed Feb 28, 2024 2:51 pm
by Fazio8
Hello,
I'm configuring a NAT rule to redirect all the DNS traffic bypassing the Mikrotik gateway to the Mikrotik CHR itself:
 3    chain=dstnat action=dst-nat to-addresses=192.168.1.1 to-ports=53 
      protocol=udp src-address=!192.168.1.1 dst-address=!192.168.1.1 
      dst-port=53 log=yes log-prefix="" 

 4    chain=srcnat action=masquerade protocol=udp src-address=!192.168.1.1 
      dst-address=192.168.1.1 src-address-list=allowed_to_router dst-port=53 
      log=yes log-prefix=""
Checking for previous guides/posts, I configured the rules above. My understanding is that rule 3 is redirecting all the traffic not directed to 192.168.1.1 (DNS provided by DHCP) on port 53 to 192.168.1.1 port 53. Is this correct?
Performing several dig tests, it seems to be working, but I don't understand the meaning of rule 4 with srcnat masquerade. I see no hits for rule 4, while rule 3 is increasing while I dig towards an external DNS server.
What am I missing?
Thank you!

Re: DNS Redirect Sanity Check

Posted: Wed Feb 28, 2024 5:20 pm
by DeadStik
That Rule 4 would only be needed if you were redirecting to another device in your network such as a pi-hole or similar.

Re: DNS Redirect Sanity Check

Posted: Wed Feb 28, 2024 5:55 pm
by Fazio8
That Rule 4 would only be needed if you were redirecting to another device in your network such as a pi-hole or similar.
Thank you. For my understanding: if I had a different DNS server, would it not work by editing rule 3 and the to-address IP only? Without masquerading, would the DNS reply to the device be broken?

Re: DNS Redirect Sanity Check  [SOLVED]

Posted: Wed Feb 28, 2024 7:08 pm
by DeadStik
If the DNS server is in the same IP scope, it would be broken without the masquerade rule. This is the same issue as Hairpin NAT.

If you use an IP outside of your LAN IP scope, there is no need for the rule as the packets would return to the router already.
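As an added illustration, not code from the thread or from MikroTik, here is a small Python model of the packet flow the answer describes. It applies the posted rule 3 (dst-nat) and rule 4 (masquerade) to one UDP/53 query and then asks two questions: does the server's reply pass back through the router so that connection tracking can reverse the translation, and does the client therefore see an answer from the address it actually queried? The client 192.168.1.50, the LAN resolver 192.168.1.10, the off-subnet resolver 10.0.0.10 and the upstream 8.8.8.8 are constructed values; the model assumes a single flat LAN whose only off-subnet route is via the router, and it omits the src-address-list match of rule 4.

```python
import ipaddress
from dataclasses import dataclass, replace

# Addresses below are constructed for the illustration (not from the thread,
# apart from the router address 192.168.1.1 used in the posted rules).
LAN = ipaddress.ip_network("192.168.1.0/24")
ROUTER = "192.168.1.1"
UPSTREAM_DNS = "8.8.8.8"      # the external resolver the client tries to reach


@dataclass(frozen=True)
class Packet:               # only UDP is modelled, as in the posted rules
    src: str
    sport: int
    dst: str
    dport: int


def in_lan(addr: str) -> bool:
    return ipaddress.ip_address(addr) in LAN


def dstnat_rule3(pkt: Packet, to_address: str) -> Packet:
    """Rule 3 (prerouting): UDP/53 neither from nor to the router is redirected."""
    if pkt.dport == 53 and pkt.src != ROUTER and pkt.dst != ROUTER:
        return replace(pkt, dst=to_address, dport=53)
    return pkt


def srcnat_rule4(pkt: Packet, dns_server: str) -> Packet:
    """Rule 4 (postrouting): masquerade queries now headed to the DNS server.
    The src-address-list=allowed_to_router match of the posted rule is omitted."""
    if pkt.dport == 53 and pkt.dst == dns_server and pkt.src != ROUTER:
        return replace(pkt, src=ROUTER)
    return pkt


def reply_passes_router(reply: Packet, server: str) -> bool:
    """Assumed routing: a LAN host delivers to another LAN host directly, so the
    router never sees that packet; anything else leaves via the router."""
    if reply.dst == ROUTER:
        return True
    return not (in_lan(server) and in_lan(reply.dst))


def resolve_via_redirect(client: str, dns_server: str, use_rule4: bool):
    """Returns (client_accepts_reply, rule4_hit) for one redirected query."""
    original = Packet(src=client, sport=40000, dst=UPSTREAM_DNS, dport=53)

    pkt = dstnat_rule3(original, dns_server)
    if use_rule4 and pkt.dst != ROUTER:
        # srcnat is only traversed by forwarded packets; a packet destined to the
        # router itself goes to the input chain and never reaches rule 4.
        pkt = srcnat_rule4(pkt, dns_server)
    rule4_hit = pkt.src != original.src

    # The server answers whatever addresses and ports it received.
    reply = Packet(src=pkt.dst, sport=pkt.dport, dst=pkt.src, dport=pkt.sport)

    if dns_server == ROUTER or reply_passes_router(reply, dns_server):
        # Connection tracking on the router reverses both translations.
        reply = Packet(src=original.dst, sport=original.dport,
                       dst=original.src, dport=original.sport)

    # The client only accepts an answer from the address and port it queried.
    accepted = (reply.src, reply.sport, reply.dst, reply.dport) == (
        original.dst, original.dport, original.src, original.sport)
    return accepted, rule4_hit


if __name__ == "__main__":
    for server, rule4 in [(ROUTER, True), ("192.168.1.10", False),
                          ("192.168.1.10", True), ("10.0.0.10", False)]:
        ok, hit = resolve_via_redirect("192.168.1.50", server, rule4)
        print(f"dns_server={server:13} rule4={rule4!s:5} answered={ok!s:5} rule4_hit={hit}")
```

Running it reproduces the thread: redirecting to the router itself works and rule 4 never fires, because the query is delivered locally and never reaches the srcnat chain; redirecting to a resolver on the same LAN without rule 4 yields a reply that goes straight back to the client from 192.168.1.10, which the client discards since it asked 8.8.8.8 (the hairpin case); adding the masquerade forces that reply via the router, where conntrack restores the original addresses; and a resolver outside the LAN scope needs no masquerade because its reply has to cross the router anyway.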