Главная » Роутеры

Настройка dns на роутере микротик

На чтение 11 мин Просмотров 1 Опубликовано
Содержание
  1. Manual:IP/DNS
  2. Contents
  3. Specifications
  4. Description
  5. DNS Cache Setup
  6. Properties
  7. Example
  8. Cache Monitoring
  9. Description
  10. Property Description
  11. All DNS Entries
  12. Description
  13. Property Description
  14. Static DNS Entries
  15. Description
  16. Property Description
  17. Notes
  18. Flushing DNS cache
  19. Command Description
  20. Example
  21. DNS over HTTPS
  22. Example
  23. See Also
  24. DNS over HTTPS (DoH)
  25. MikroTik основы настройки DNS

Manual:IP/DNS

DNS cache is used to minimize DNS requests to an external DNS server as well as to minimize DNS resolution time. This is a simple DNS cache with local items.

Contents

  • 1 Specifications
  • 2 Description
  • 3 DNS Cache Setup
    • 3.1 Properties
    • 3.2 Example
    • 4.1 Description
    • 4.2 Property Description
    • 5.1 Description
    • 5.2 Property Description
    • 6.1 Description
    • 6.2 Property Description
    • 6.3 Notes
    • 7.1 Command Description
    • 7.2 Example
    • 8.1 Example

    Specifications

    • Packages required: system
    • License required: Level1
    • Submenu level: /ip dns
    • Standards and Technologies: DNS
    • Hardware usage: Not significant

    Description

    A MikroTik router with DNS feature enabled can be set as a DNS server for any DNS-compliant client. Moreover, MikroTik router can be specified as a primary DNS server under its dhcp-server settings. When the remote requests are enabled, the MikroTik router responds to TCP and UDP DNS requests on port 53.

    DNS Cache Setup

    DNS facility is used to provide domain name resolution for router itself as well as for the clients connected to it.

    Properties

    Property Description
    allow-remote-requests (yes | no; Default: no) Specifies whether to allow network requests
    cache-max-ttl (time; Default: 1w) Maximum time-to-live for cache records. In other words, cache records will expire unconditionally after cache-max-ttl time. Shorter TTL received from DNS servers are respected.
    cache-size (integer[64..4294967295]; Default: 2048) Specifies the size of DNS cache in KiB
    max-concurrent-queries (integer; Default: 100) Specifies how much concurrent queries are allowed
    max-concurrent-tcp-sessions (integer; Default: 20) Specifies how much concurrent TCP sessions are allowed
    max-udp-packet-size (integer [50..65507]; Default: 4096) Maximum size of allowed UDP packet.
    query-server-timeout (time; Default: 2s) Specifies how long to wait for query response from one server
    query-total-timeout (time; Default: 10s) Specifies how long to wait for query response in total. Note that this setting must be configured taking into account query-server-timeout and number of used DNS server.
    servers (list of IPv4/IPv6 addresses; Default: ) List of DNS server IPv4/IPv6 addresses
    Property Description
    cache-used (integer) Shows the currently used cache size in KiB
    dynamic-server (IPv4/IPv6 list) List of dynamically added DNS server from different services, for example, DHCP.

    When both static and dynamic servers are set, static server entries are more preferred, however it does not indicate that static server will always be used (for example, previously query was received from dynamic server, but static was added later, then dynamic entry will be preferred).

    Note: If allow-remote-requests is used make sure that you limit access to your server over TCP and UDP protocol.

    Example

    To set 159.148.60.2 as the primary DNS server and allow the router to be used as a DNS server, do the following:

    [admin@MikroTik] ip dns> set servers=159.148.60.2 \ \. allow-remote-requests=yes [admin@MikroTik] ip dns> print servers: 159.148.60.2 allow-remote-requests: yes cache-size: 2048KiB cache-max-ttl: 1w cache-used: 7KiB [admin@MikroTik] ip dns>

    Cache Monitoring

    Description

    This menu provides a list with all address (DNS type «A») records stored on the server

    Property Description

    Property Desciption
    address (read-only: IP address) IP address of the host
    name (read-only: name) DNS name of the host
    ttl (read-only: time) remaining time-to-live for the record

    All DNS Entries

    Description

    This menu provides a complete list with all DNS records stored on the server

    Property Description

    Property Desciption
    data (read-only: text) DNS data field. IP address for type «A» records. Other record types may have different contents of the data field (like hostname or arbitrary text)
    name (read-only: name) DNS name of the host
    ttl (read-only: time) remaining time-to-live for the record
    type (read-only: text) DNS record type

    Static DNS Entries

    Description

    The MikroTik RouterOS has an embedded DNS server feature in DNS cache. It allows you to link the particular domain names with the respective IP addresses and advertize these links to the DNS clients using the router as their DNS server. This feature can also be used to provide fake DNS information to your network clients. For example, resolving any DNS request for a certain set of domains (or for the whole Internet) to your own page.

    The server is capable of resolving DNS requests based on POSIX basic regular expressions, so that multiple requets can be matched with the same entry. In case an entry does not conform with DNS naming standards, it is considered a regular expression and marked with ‘R’ flag. The list is ordered and is checked from top to bottom. Regular expressions are checked first, then the plain records.

    Property Description

    Property Desciption
    address (IP address) IP address to resolve domain name with
    name (text) DNS name to be resolved to a given IP address.
    regex (text) DNS regex
    ttl (time) time-to-live of the DNS record
    type (text) type of the DNS record. Available values are: A, AAAA, CNAME, FWD, MX, NS, NXDOMAIN, SRV, TXT

    Notes

    Reverse DNS lookup (Address to Name) of the regular expression entries is not possible. You can, however, add an additional plain record with the same IP address and specify some name for it.

    Remember that the meaning of a dot (.) in regular expressions is any character, so the expression should be escaped properly. For example, if you need to match anything within example.com domain but not all the domains that just end with example.com, like www.another-example.com, use regexp=».*\\.example\\.com\$»

    Regular expression matching is significantly slower than of the plain entries, so it is advised to minimize the number of regular expression rules and optimize the expressions themselves. Example

    To add a static DNS entry for www.example.com to be resolved to 10.0.0.1 IP address:

    [admin@MikroTik] ip dns static> add name=www.example.com address=10.0.0.1 [admin@MikroTik] ip dns static> print Flags: D - dynamic, X - disabled, R - regexp # NAME ADDRESS TTL 0 www.example.com 10.0.0.1 1d [admin@MikroTik] ip dns static>

    It is also possible to forward specific DNS requests to a different server using FWD type. This will fordward all subdomains of «example.com» to server 10.0.0.1:

    [admin@MikroTik] ip dns static> add regexp=".*\\.example\\.com\$" forward-to=10.0.0.1

    Note: regexp entries are case sensitive, but since DNS requests are not case sensitive, RouterOS converts DNS names to lowercase, you should write regex only with lowercase letters.

    Flushing DNS cache

    Command Description

    Example

    [admin@MikroTik] ip dns> cache flush [admin@MikroTik] ip dns> print servers: 159.148.60.2 allow-remote-requests: yes cache-size: 2048 KiB cache-max-ttl: 1w cache-used: 10 KiB [admin@MikroTik] ip dns>

    DNS over HTTPS

    Starting from RouterOS version v6.47 it is possible to use DNS over HTTPS (DoH). DoH uses HTTPS protocol to send and receive DNS requests for better data integrity. Its main goal is to provide privacy by eliminating the man in the middle attacks (MITM). Currently DoH is not compatible with FWD type static entries, in order to utilize FWD entries, DoH must not be configured.

    Example

    It is advised to import the root CA certificate of the DoH server you have chosen to use for increased security.

    Warning: We strongly suggest not use third-party download links for certificate fetching. Use the Certificate Authority’s own website.

    There are various ways to find out what root CA certificate is necessary. The easiest way is by using your WEB browser, navigating to the DoH site and checking the websites security. Using Firefox we can see that DigiCert Global Root CA is used by CloudFlare DoH server. You can download the certificate straight from the browser or navigate to DigiCert website and fetch the certificate from a trusted source.

    Rootca.PNG

    Download the certificate and import it:

    /tool fetch url="https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem" /certificate import file-name=DigiCertGlobalRootCA.crt.pem
    /ip dns set use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes

    Note that you need at least one regular DNS server configured for the router to resolve the DoH hostname itself. If you do not have any dynamical or static DNS server configured, you can configure a static DNS entry like this:

    /ip dns static add address=1.1.1.1 name=cloudflare-dns.com

    Note: RouterOS prioritize DoH over DNS server if both are configured on the device.

    See Also

    Источник

    DNS over HTTPS (DoH)

    Starting from RouterOS version v6.47 it is possible to use DNS over HTTPS (DoH). DoH uses HTTPS protocol to send and receive DNS requests for better data integrity. The main goal is to provide privacy by eliminating «man-in-the-middle» attacks (MITM). Currently, DoH is not compatible with FWD-type static entries, in order to utilize FWD entries, DoH must not be configured.

    It is strongly recommended to import the root CA certificate of the DoH server you have chosen to use for increased security. We strongly suggest not using third-party download links for certificate fetching. Use the Certificate Authority’s own website.

    There are various ways to find out what root CA certificate is necessary. The easiest way is by using your WEB browser, navigating to the DoH site, and checking the security of the website. Using, for example, Firefox we can see that DigiCert Global Root CA is used by the Cloudflare DoH server. You can download the certificate straight from the browser or navigate to the DigiCert website and fetch the certificate from a trusted source.

    Download the certificate, upload it to your router and import it:

    /certificate import file-name=DigiCertGlobalRootCA.crt.pem
    /ip dns set use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes

    Note that you need at least one regular DNS server configured for the router to resolve the DoH hostname itself. If you do not have any dynamical or static DNS server configured, add a static DNS entry for the DoH server domain name like this:

    RouterOS prioritizes DoH over the DNS server if both are configured on the device.

    Источник

    MikroTik основы настройки DNS

    Если в магазине вас угораздило купить роутер MikroTik себе домой и вы не знаете зачем он вам, а отравление DNS кэша вашим провайдером не дает вам спать по ночам, то этот пост для вас.

    Можно не мучаться и поставить DNS от Yandex, Google, Adquard и прочее, а можно пойти более сложным путем:

    Открываем сайт https://root-servers.org и ищем свой город, смотрим какие там есть корневые сервера DNS

    Если их несколько, выбираем какой больше нравится вам 🙂

    Далее находим официальный сайт данной компании, в моем случае это https://www.verisign.com и на сайте ищем раздел с публичным DNS.

    В данном случае нас перенаправляют на сайт https://www.publicdns.neustar, идем туда и копируем адреса в блокнот 🙂

    Открываем WinBox или через http, кому как больше нравится.

    1. Первым делом удаляем автополучение DNS провайдера:

    открываем настройки интерфейса и убираем галочку «use peer dns»

    2. В настройке DNS (IP -> DNS), вводим IP DNS сервера (начиная с сервера который у вас в городе). Размер кэша укажите сколько не жалко (учитывайте свободное место).

    На этом можно было бы закончить, но мы пойдем далее.

    Помимо белых официальных DNS резолверов есть еще и темная сторона альтернативные корневые серверы DNS, например, выберем OpenNIC (остальные добавляются подобным образом). Нас интересуют поддерживаемые домены https://www.opennic.org:

    Далее открываем терминал и добавляем статические маршруты

    /ip dns static add comment=»OpenNIC» forward-to=185.121.177.177,169.239.202.202,2a05:dfc7:5::53::1,2a05:dfc7:5::5353::1 regexp=».*(\\.bbs|\\.chan|\\.cyb|\\.dyn|\\.geek|\\.gopher|\\.indy|\\.libre|\\.neo|\\.null|\\.o)\$» type=FWD

    /ip dns static add comment=»OpenNIC» forward-to=185.121.177.177,169.239.202.202,2a05:dfc7:5::53::1,2a05:dfc7:5::5353::1 regexp=».*(\\.oss|\\.oz|\\.parody|\\.pirate|\\.opennic.glue|\\.dns\\.opennic\\.glue)\$» type=FWD

    В настройках DNS делаем очистку кэша.

    Если пользуетесь Microsoft Edge, отключаем «улучшайзеры», в других браузерах аналогично.

    Ребутим все что можно отребутить 🙂

    Что мне это дало? Нормально заработали уведомления от mihome, перестали «тупить» китайские лампочки. Ну и немного ощущаешь себя кулхацкером чуть более независимым от своего провайдера.

    upd: корневой сервер DNS (в городе) не является публичным резолвером и не отвечает на запросы, нужно вводить ip публичного резолвера данного корневого сервера DNS.

    Источник

    Читайте также:  Роутер tenda ac10u характеристики
Оцените статью
© 2023 Posetke
Adblock
detector