
Introduction

The Domain Name System (DNS) is often called the phonebook of the Internet: it is a database that maps hostnames, such as www.mikrotik.com, to IP addresses, such as 159.148.147.196.

A MikroTik router with the DNS feature enabled can be used as a DNS server by any DNS-compliant client. Moreover, the MikroTik router can be specified as the primary DNS server in its own DHCP server settings. When remote requests are enabled, the MikroTik router answers TCP and UDP DNS requests on port 53.

When both static and dynamic servers are configured, static server entries are preferred. This does not mean the static server will always be used: for example, if a query was previously answered by a dynamic server and the static server was added later, the dynamic entry is still preferred.

When allow-remote-requests is enabled on the DNS server, make sure you restrict access to the router on TCP and UDP port 53, so that it does not answer DNS queries from the Internet.
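The restriction described above, written out as RouterOS firewall rules. This is an added example, not configuration from the original page; it assumes the interface list named WAN that the default configuration creates for the ISP-facing port (rename it if your setup differs).

```routeros
# Added example (not from the MikroTik page): keep the router's DNS service
# reachable from the LAN only while allow-remote-requests=yes is in use.
# Assumption: an interface list "WAN" contains the ISP-facing interface(s).

# Accept DNS queries to the router from anything that is NOT in the WAN list.
/ip firewall filter add chain=input protocol=udp dst-port=53 in-interface-list=!WAN action=accept comment="DNS from LAN (UDP)"
/ip firewall filter add chain=input protocol=tcp dst-port=53 in-interface-list=!WAN action=accept comment="DNS from LAN (TCP)"

# Drop DNS queries that arrive from the Internet side.
/ip firewall filter add chain=input protocol=udp dst-port=53 in-interface-list=WAN action=drop comment="drop DNS from WAN (UDP)"
/ip firewall filter add chain=input protocol=tcp dst-port=53 in-interface-list=WAN action=drop comment="drop DNS from WAN (TCP)"

# Check: the drop rules' packet counters grow whenever port 53 is probed from outside.
/ip firewall filter print stats where comment~"DNS"
```

New rules are appended to the end of the input chain, so on a router that already has the default "drop everything not from LAN" rule they sit behind it; use `place-before=` on the add commands if you want them evaluated earlier, and keep the accept rules above the drop rules in either case.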

Let's take the following setup as an example: Internet service provider (ISP) → Gateway (GW) → Local area network (LAN). The GW is a RouterOS-based device with the default configuration:

  • If you do not configure any DNS servers in the "GW" DHCP server network configuration, the device forwards the DNS server received from the `ISP` to the `LAN` devices;
  • If you configure DNS servers in the "GW" DHCP server network configuration, the device hands the configured DNS servers to the `LAN` devices (for the router itself to answer, /ip dns set allow-remote-requests=yes must also be enabled);
  • If "dns-none" is configured under DNS servers in the "GW" DHCP server network configuration, the device does not forward any of the dynamic DNS servers to the `LAN` devices.

DNS Cache

This menu provides two lists of the DNS records stored on the server:

  • /ip dns cache print: lists all address (DNS type "A") records stored on the server;
  • /ip dns cache all print: lists all DNS records of every type stored on the server.
[admin@MikroTik] >  ip dns cache print
Flags: S - static 
 #   NAME                             ADDRESS                                   TTL         
 0   ns3.google.com                   216.239.36.10                             3d9h37m7s   
 1   ns4.google.com                   216.239.38.10                             3d9h37m7s   
 2   ns1.google.com                   216.239.32.10                             3d9h37m7s   
 3   ns2.google.com                   216.239.34.10                             3d9h37m7s   
 4   youtube-ui.l.google.com          172.217.22.174                            36s         
 5   youtube-ui.l.google.com          172.217.20.46                             36s         

You can empty the DNS cache with the command: /ip dns cache flush

DNS Static

MikroTik RouterOS has an embedded DNS server feature in the DNS cache. It allows you to link particular domain names with the respective IP addresses and advertise these links to the DNS clients that use the router as their DNS server. This feature can also be used to provide fake DNS information to your network clients, for example resolving any DNS request for a certain set of domains (or for the whole Internet) to your own page.

The server can resolve DNS requests based on POSIX basic regular expressions, so that multiple requests can be matched by the same entry. If an entry does not conform to DNS naming standards, it is treated as a regular expression and marked with an "R" flag. The list is ordered and is checked from top to bottom. Regular expressions are checked first, then the plain records.

[admin@MikroTik] ip dns static> add name=www.example.com address=10.0.0.1
[admin@MikroTik] ip dns static> print
Flags: D - dynamic, X - disabled, R - regexp
 #     NAME               ADDRESS                                 TTL
 0     www.example.com    10.0.0.1                                1d
[admin@MikroTik] ip dns static>

Use regex to match DNS requests:

[admin@MikroTik] ip dns static> add regexp=".*example.*" address=10.0.0.2

Regexp matching is case sensitive, but DNS requests are not: RouterOS converts DNS names to lowercase, so write regular expressions with lowercase letters only. Regular expression matching is significantly slower than matching plain entries, so it is advisable to minimize the number of regular expression rules and to optimize the expressions themselves.
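A fuller static-DNS configuration that puts the points above together: plain records for internal hosts, and a regexp entry that sinkholes a blocked zone to a local address, written in lowercase POSIX BRE with anchored dots. This is an added example, not configuration from the original page; all names and addresses are constructed, and `blocked-example.test` stands in for whatever zone you choose to sinkhole.

```routeros
# Added example (not from the MikroTik page). Constructed names/addresses.

# Plain records for internal hosts; these are checked after all regexp entries.
/ip dns static add name=intranet.lan address=192.168.88.10 ttl=1h comment="internal web"
/ip dns static add name=printer.lan address=192.168.88.20 ttl=1h comment="office printer"

# Sinkhole for a blocked zone: the apex gets a plain record, every subdomain a regexp.
# In the CLI string, "\\." becomes the BRE escape "\." (a literal dot) and "\$" a
# literal "$", which anchors the match at the end of the name so that
# "blocked-example.test.other.tld" is not caught by accident. Lowercase only.
/ip dns static add name=blocked-example.test address=192.168.88.1 comment="sinkhole apex"
/ip dns static add regexp="\\.blocked-example\\.test\$" address=192.168.88.1 comment="sinkhole subdomains"

# Check: regexp entries carry the R flag and are listed before plain records.
/ip dns static print where comment~"sinkhole"

# Test from the router itself; the sinkholed name should return 192.168.88.1.
:put [:resolve www.blocked-example.test]
```

192.168.88.1 is assumed here to be the router's own LAN address hosting a block page; pointing a sinkhole at an address that does not answer is also fine, the client simply fails to connect. Keep the number of regexp entries small, as the text notes, since every query is tested against each of them before the plain records are consulted.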

Quick Example

[admin@MikroTik] > ip dns print
                      servers: 
              dynamic-servers: 10.1.3.5,159.148.147.194
        allow-remote-requests: yes
          max-udp-packet-size: 4096
         query-server-timeout: 2s
          query-total-timeout: 10s
       max-concurrent-queries: 100
  max-concurrent-tcp-sessions: 20
                   cache-size: 2048KiB
                cache-max-ttl: 1w
                   cache-used: 21KiB

Dynamic DNS servers are obtained from the ISP's DHCP server through the DHCP client configuration. Let's assume we do not want to use both dynamic servers, but only one of them:

[admin@MikroTik] > ip dhcp-client set 0 use-peer-dns=no
[admin@MikroTik] > ip dns set servers=10.1.3.5     
[admin@MikroTik] > ip dns print                     
                      servers: 10.1.3.5
              dynamic-servers: 
        allow-remote-requests: yes
          max-udp-packet-size: 4096
         query-server-timeout: 2s
          query-total-timeout: 10s
       max-concurrent-queries: 100
  max-concurrent-tcp-sessions: 20
                   cache-size: 2048KiB
                cache-max-ttl: 1w
                   cache-used: 21KiB

DNS over HTTPS (DoH)

Starting with RouterOS v6.47, DNS over HTTPS (DoH) can be used. DoH sends and receives DNS requests over HTTPS, which protects their integrity and provides privacy by preventing man-in-the-middle (MITM) attacks on the DNS traffic. Currently DoH is not compatible with FWD-type static entries; to use FWD entries, DoH must not be configured.

For increased security, it is advised to import the root CA certificate of the DoH server you have chosen. We strongly suggest not using third-party download links for fetching the certificate; use the Certificate Authority's own website.

There are various ways to find out which root CA certificate is needed. The easiest is to open the DoH site in your web browser and inspect the site's security information. In Firefox we can see that the Cloudflare DoH server uses the DigiCert Global Root CA. You can download the certificate straight from the browser, or navigate to the DigiCert website and fetch it from a trusted source.

Download the certificate and import it: 

/tool fetch url="https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem"
/certificate import file-name=DigiCertGlobalRootCA.crt.pem

Configure the DoH server: 

/ip dns set use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes

Note that you need at least one regular DNS server configured for the router to resolve the DoH hostname itself. If you do not have any dynamic or static DNS server configured, configure one like this:

/ip dns set servers=1.1.1.1
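The whole DoH procedure above as one script, in the order that avoids the bootstrap problem and with a check on the downloaded root certificate before it is trusted. This is an added example, not a script from the original page; the expected fingerprint is a placeholder you must replace with the SHA-256 fingerprint published on DigiCert's own website, and the certificate name match (`name~"DigiCertGlobalRootCA"`) assumes RouterOS keeps the file name in the imported certificate's name.

```routeros
# Added example (not from the MikroTik page): enable DoH with certificate verification.
# PLACEHOLDER: paste the SHA-256 fingerprint from DigiCert's website here.
:local expected "REPLACE-WITH-SHA256-FINGERPRINT-FROM-DIGICERT-WEBSITE"

# 1. A plain DNS server so the router can resolve cloudflare-dns.com at all.
/ip dns set servers=1.1.1.1

# 2. Fetch the root CA from the CA's own site and import it non-interactively.
/tool fetch url="https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem"
/certificate import file-name=DigiCertGlobalRootCA.crt.pem passphrase=""

# 3. Compare the imported certificate's fingerprint with the published value and
#    stop if it differs (wrong file, or the download was tampered with in transit).
:local fp [/certificate get [find where name~"DigiCertGlobalRootCA"] fingerprint]
:if ($fp != $expected) do={ :error "root CA fingerprint mismatch: $fp" }

# 4. Only now point the resolver at the DoH server with verification on, and
#    flush the cache so that following lookups go through DoH.
/ip dns set use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns cache flush

# 5. Confirm the settings and test a lookup.
/ip dns print
:put [:resolve www.mikrotik.com]
```

Leaving `verify-doh-cert=yes` out would make step 3 pointless: without verification the router accepts any certificate for cloudflare-dns.com, which is exactly the MITM case DoH is meant to prevent. Keep the plain server from step 1 in place, as the text notes, because it is what resolves the DoH hostname.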