Use RouterOS as DNS server

Posted: Wed Dec 26, 2012 4:50 pm
by quicky2g
Using an RB2011UAS-2HnD-IN on 6.0rc6.

I want to have RouterOS as my DNS server so I can cache DNS responses for my clients from external DNS (8.8.8.8, 8.8.4.4, 4.2.2.2, etc). I also want to have static DNS entries for my local IPs (mydesktop.local -> 192.168.0.101, myserver.local -> 192.168.0.102, etc).

I've read through http://wiki.mikrotik.com/wiki/Manual:IP/DNS and I still need some help.

I didn't add any DNS parameters to my DHCP server:
[admin@MikroTik] /ip dhcp-server network> print
 # ADDRESS            GATEWAY         DNS-SERVER      WINS-SERVER     DOMAIN
 0 ;;; default configuration
   192.168.0.0/24     192.168.0.1                                     quicky2g.local
I turned off "USE-PEER-DNS" for my WAN interface in the DHCP client settings because I don't want to use Time Warner DNS servers.

Here are my DNS server settings:
[admin@MikroTik] /ip dns> print
                servers: 8.8.8.8,8.8.4.4,4.2.2.2
        dynamic-servers:
  allow-remote-requests: yes
    max-udp-packet-size: 4096
   query-server-timeout: 2s
    query-total-timeout: 10s
             cache-size: 2048KiB
          cache-max-ttl: 1w
             cache-used: 17KiB
All my clients get 8.8.8.8, 8.8.4.4, 4.2.2.2 as DNS server parameters through DHCP. What should I change to make the router the DNS server?

Re: Use RouterOS as DNS server

Posted: Sun Dec 30, 2012 1:14 am
by c0d3rSh3ll
Set your router gateway as your DNS server for your network.

ip dhcp-server network set dns-server=192.168.0.1 0

and force all DNS traffic from your network to RouterOS:
/ip firewall nat
add action=redirect chain=dstnat comment="proxy dns" disabled=no dst-port=53 protocol=tcp to-ports=53
add action=redirect chain=dstnat disabled=no dst-port=53 protocol=udp to-ports=53

Re: Use RouterOS as DNS server

Posted: Tue Jan 01, 2013 4:47 am
by quicky2g
It's still not working right...
[admin@MikroTik] > ip dhcp-server network print
 # ADDRESS            GATEWAY         DNS-SERVER      WINS-SERVER     DOMAIN
 0 ;;; default configuration
   192.168.0.0/24     192.168.0.1     192.168.0.1                     quicky2g.local
[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; default configuration
     chain=srcnat action=masquerade out-interface=sfp1-gateway

 1   ;;; default configuration
     chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=ether1 - Time Warner

 2   ;;; inbound http
     chain=dstnat action=dst-nat to-addresses=192.168.0.106 protocol=tcp dst-address=MYWANIP dst-port=80

 3   ;;; inbound https
     chain=dstnat action=dst-nat to-addresses=192.168.0.106 protocol=tcp dst-address=MYWANIP dst-port=443

 4   chain=srcnat action=accept out-interface=ether1 - Time Warner

 5   ;;; hairpin http
     chain=srcnat action=masquerade protocol=tcp src-address=192.168.0.0/24 dst-address=192.168.0.106
     out-interface=bridge-local dst-port=80

 6   ;;; hairpin https
     chain=srcnat action=masquerade protocol=tcp src-address=192.168.0.0/24 dst-address=192.168.0.106
     out-interface=bridge-local dst-port=443

 7   ;;; proxy dns tcp
     chain=dstnat action=redirect to-ports=53 protocol=tcp dst-port=53

 8   ;;; proxy dns udp
     chain=dstnat action=redirect to-ports=53 protocol=udp dst-port=53
Renewed my IP address and got 192.168.0.1 as the DNS server. Tried an nslookup...
C:\>nslookup www.google.com
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  192.168.0.1

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out
Tried setting my client statically to use 8.8.8.8 for the DNS server...
C:\>nslookup www.google.com
Server:  google dns 1
Address:  8.8.8.8

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** google dns 1 can't find www.google.com: Server failed
Had to remove #7 and #8 out of the NAT firewall rules and keep my laptop DNS server as 8.8.8.8 to post this response. Any more ideas? Thanks in advance.

Re: Use RouterOS as DNS server

Posted: Fri Jan 04, 2013 8:42 pm
by frego
I have mine set up like this and it works. I am not using the firewall rules to force all DNS traffic though.

About the only difference of note on mine is in
/ip dhcp-server network>

I list the router's IP as one DNS and then 8.8.8.8 as the second.

You do need to close and reopen your browser for the changes to take effect while you are testing, I've noticed.

Re: Use RouterOS as DNS server

Posted: Fri Jan 04, 2013 11:00 pm
by quicky2g
frego, have you tried removing 8.8.8.8 from your DHCP server options as a DNS server? If you renew the DHCP lease on your client and only get your router as a DNS server, does DNS work for you?

Re: Use RouterOS as DNS server

Posted: Fri Jan 04, 2013 11:19 pm
by mattsawatzky
I'm having the same issues with 6rc6 on an RB450G and an RB750. I can't get DNS redirecting to work. It worked fine on 5.20 but now isn't working. It's set up the same, even the same as this thread, but the clients won't resolve. Perhaps it's a bug in RC6?

Re: Use RouterOS as DNS server

Posted: Fri Jan 04, 2013 11:57 pm
by frego
I can't test at the moment, but will attempt late tonight if I can stay awake! But one thing I should add is I'm running 5.22 on the PowerPC platform (RB1200). And I have noticed it being flaky. DNS will randomly consume all the CPU and not respond. I do have about 14,000 static entries though. I'm setting aside about 256K of RAM for the DNS proxy. My DNS cache currently has about 31,000 entries.

Re: Use RouterOS as DNS server

Posted: Sat Jan 05, 2013 12:03 am
by kurtkraut
Because you are caching the responses, your clients won't suffer from bad performance even if your ISP's DNS isn't good. But I do recommend using your ISP's DNS server because most CDNs rely on the IP address that made the DNS request in order to route you to the closest edge server.

So using Google DNS or OpenDNS slows down your connection when fetching content from CDN (like YouTube, Facebook, Netflix, Steam etc.)

Re: Use RouterOS as DNS server

Posted: Sat Jan 05, 2013 2:40 am
by frego
While my ISP's DNS are definitely faster than others, I like using some DNS that give protection against phishing and such, like Comodo's or Norton's.

Re: Use RouterOS as DNS server

Posted: Mon Jan 07, 2013 4:16 am
by quicky2g
> Because you are caching the responses, your clients won't suffer from bad performance even if your ISP's DNS isn't good. But I do recommend using your ISP's DNS server because most CDNs rely on the IP address that made the DNS request in order to route you to the closest edge server.
>
> So using Google DNS or OpenDNS slows down your connection when fetching content from CDN (like YouTube, Facebook, Netflix, Steam etc.)
I don't understand your logic in using the ISP's DNS server...please explain more in detail.

In my experience, all ISPs cache DNS records from whatever DNS server they point to for the root of the record. Google DNS, OpenDNS and others would be doing the same. If the ISP DNS server is frequently unreliable (like the Time Warner DNS server where I live), I'd think it's better to use Google DNS or OpenDNS since they are more reliable. My router (ultimately my PC) will get some kind of response from Google DNS or OpenDNS rather than none at all. In my experience, I've seen the opposite of what you're recommending. When I use my ISP DNS, I often have performance issues because I'm not getting a DNS response at all.

I don't have a detailed understanding of CDNs, but if DNS is in the mix, I'd be interested in knowing more.

Re: Use RouterOS as DNS server

Posted: Mon Jan 07, 2013 6:42 am
by frego
> frego, have you tried removing 8.8.8.8 from your DHCP server options as a DNS server? If you renew the DHCP lease on your client and only get your router as a DNS server, does DNS work for you?
I removed the secondary DNS from my DHCP server options and it still works. Every hour on the hour, the CPU pegs and for about a minute DNS fails... I'm trying to figure out what's going on there... have a request in to support.

Re: Use RouterOS as DNS server

Posted: Mon Jan 07, 2013 5:39 pm
by quicky2g
Are your DHCP leases expiring every hour for some reason? What's the lease time if you do "ip dhcp-server print"?

Re: Use RouterOS as DNS server

Posted: Mon Jan 07, 2013 10:45 pm
by mattsawatzky
I got my issue resolved. It was a firewall rule. I've never had to change it before for whatever reason. I had to create a filter rule to allow input traffic on the WAN port and set the connection type to established. The router could send out a DNS request, but it wasn't coming back through the firewall, yet any LAN device's traffic was going out and coming back in fine.

Re: Use RouterOS as DNS server

Posted: Tue Jan 08, 2013 2:36 am
by frego
> Are your DHCP leases expiring every hour for some reason? What's the lease time if you do "ip dhcp-server print"?
Not to hijack your thread, but my DHCP leases are set to expire in 3 days. I suspect my issue is with it writing to flash, as I can see DNS initially eating up CPU for a time and then, directly after it finishes whatever it's doing, flash and unclassified eat up CPU; then it's all done and goes back to operational. It is usually down for 40-70 seconds. I have no scheduled tasks running.

Re: Use RouterOS as DNS server

Posted: Tue Jan 08, 2013 3:50 am
by quicky2g
> I got my issue resolved. It was a firewall rule. I've never had to change it before for whatever reason. I had to create a filter rule to allow input traffic on the WAN port and set the connection type to established. The router could send out a DNS request, but it wasn't coming back through the firewall, yet any LAN device's traffic was going out and coming back in fine.
THANK YOU! Your suggestion worked for me too. For anyone else having the same problem, I had to add number 1 below:
[admin@MikroTik] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; default configuration
     chain=input action=accept protocol=icmp

 1   chain=input action=accept connection-state=established in-interface=ether1 - Time Warner

 2   chain=input action=log in-interface=ether1 - Time Warner log-prefix="FirewallHits"

 3   ;;; default configuration
     chain=input action=drop in-interface=ether1 - Time Warner
I was also able to add a static DNS entry with this:
[admin@MikroTik] > ip dns static add name=myserver address=192.168.0.102
I can view the DNS cache with this:
[admin@MikroTik] > ip dns cache print
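An added check, not from this thread or from MikroTik, that parses "ip firewall filter print" output like the listing above and verifies the two things the fix hinges on: an accept for established connections ordered before the WAN drop (so replies to the router's own upstream queries get in), and no rule that accepts port 53 from the WAN interface (which, together with allow-remote-requests=yes, would make the router an open resolver). The WAN interface name is taken from the thread; the BROKEN sample is constructed.

```python
import re

# Copied from the thread's working "ip firewall filter print" (interface names with spaces are printed unquoted).
WORKING = """\
 0   ;;; default configuration
     chain=input action=accept protocol=icmp
 1   chain=input action=accept connection-state=established in-interface=ether1 - Time Warner
 2   chain=input action=log in-interface=ether1 - Time Warner log-prefix="FirewallHits"
 3   ;;; default configuration
     chain=input action=drop in-interface=ether1 - Time Warner
"""
# Constructed variant (not from the thread): the default input chain without the fix, plus a
# rule that would turn allow-remote-requests=yes into an open resolver on the WAN side.
BROKEN = """\
 0   chain=input action=accept protocol=icmp
 1   chain=input action=accept protocol=udp dst-port=53 in-interface=ether1 - Time Warner
 2   chain=input action=drop in-interface=ether1 - Time Warner
"""
# key=value pairs; a value runs up to the next "key=" token, so embedded spaces survive.
KV = re.compile(r"(\S+?)=(.*?)(?=\s+\S+?=|$)")

def parse_rules(text):
    rules, cur = [], None
    for line in text.splitlines():
        m = re.match(r"^\s*(\d+)\s+(?:[XID]+\s+)?(.*)$", line)  # "N [flags] body"
        if m:
            cur = {"id": int(m.group(1))}
            rules.append(cur)
        elif cur is None or not line.startswith(" "):
            continue  # Flags: header, CLI prompt or blank line
        body = m.group(2) if m else line.strip()  # indented lines continue the rule
        if not body.startswith(";;;"):  # ";;;" introduces the rule's comment
            for k, v in KV.findall(body):
                cur[k] = v.strip().strip('"')
    return rules

def audit_input_chain(rules, wan):
    inp = [r for r in rules if r.get("chain") == "input"]
    pos = lambda pred: next((i for i, r in enumerate(inp) if pred(r)), None)
    drop = pos(lambda r: r.get("action") == "drop" and r.get("in-interface") == wan)
    est = pos(lambda r: r.get("action") == "accept" and "established" in r.get("connection-state", ""))
    findings = []  # empty list means both checks pass
    if est is None:
        findings.append("no accept for established: replies to the router's own queries are dropped")
    elif drop is not None and est > drop:
        findings.append("established accept sits after the WAN drop and never matches")
    for r in inp:
        if r.get("action") == "accept" and r.get("dst-port") == "53" and r.get("in-interface") == wan:
            findings.append(f"rule {r['id']} accepts port 53 from WAN: open resolver")
    return findings
```

Paste your own "print" output in place of WORKING; rules that accept 53 only from the LAN-side bridge are not flagged.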

Re: Use RouterOS as DNS server

Posted: Wed Apr 12, 2017 6:15 am
by alaskanjackal
> > Because you are caching the responses, your clients won't suffer from bad performance even if your ISP's DNS isn't good. But I do recommend using your ISP's DNS server because most CDNs rely on the IP address that made the DNS request in order to route you to the closest edge server.
> >
> > So using Google DNS or OpenDNS slows down your connection when fetching content from CDN (like YouTube, Facebook, Netflix, Steam etc.)
>
> I don't understand your logic in using the ISP's DNS server...please explain more in detail.
>
> In my experience, all ISPs cache DNS records from whatever DNS server they point to for the root of the record. Google DNS, OpenDNS and others would be doing the same. If the ISP DNS server is frequently unreliable (like the Time Warner DNS server where I live), I'd think it's better to use Google DNS or OpenDNS since they are more reliable. My router (ultimately my PC) will get some kind of response from Google DNS or OpenDNS rather than none at all. In my experience, I've seen the opposite of what you're recommending. When I use my ISP DNS, I often have performance issues because I'm not getting a DNS response at all.
>
> I don't have a detailed understanding of CDNs, but if DNS is in the mix, I'd be interested in knowing more.
Also not to hijack (or necrobump) this thread, but since you asked a direct question...see the "Why to use it?" section down the page at http://aqualab.cs.northwestern.edu/projects/namehelp. Good description of the issue.

This was actually an issue we had when I managed my small business's network in Alaska. We used OpenDNS for their (rudimentary) content filtering functions, but since the closest OpenDNS server was in Seattle, we found that any CDN services we were resolving were coming back with Seattle endpoints instead of local ones hosted in Anchorage on our own ISP. As well, on a residential connection in Missouri I manage for some family, using Google DNS results in CDN content coming from Chicago instead of coming from a local Suddenlink server 10ms away.

Namehelp is a Linux daemon or Windows service that basically runs namebench in the background. It then directs normal DNS queries to whichever resolver is the fastest/most reliable, but it also queries the root servers directly for results for known CDN domains. That way, the CDNs' DNS servers respond with the content server that is topologically closest to your exact connection rather than closest to whatever resolver you're using. Using Namehelp gives the benefit of using a faster, better resolver (ISP resolvers are often poorly managed) for standard use while still getting access to topologically close CDN servers. I find that pinging and tracerouting to sites like http://www.akamai.com or http://www.google.com or Cachefly or llnw.net or whatever almost always results in a server between 5-10 hops and (connection quality depending) 5-20ms away, whereas using Google DNS/OpenDNS/whatever can end up with content servers 15 hops and 40ms away.

If only I could run Namehelp on MikroTik... Part of me is tempted to put a Raspberry Pi or something at each of my locations and run Namehelp on there, but I think that'd be overkill...