- Manual:IP/DNS
- Contents
- Specifications
- Description
- DNS Cache Setup
- Properties
- Example
- Cache Monitoring
- Description
- Property Description
- All DNS Entries
- Description
- Property Description
- Static DNS Entries
- Description
- Property Description
- Notes
- Flushing DNS cache
- Command Description
- Example
- DNS over HTTPS
- Example
- See Also
- DNS over HTTPS (DoH)
- MikroTik основы настройки DNS
Manual:IP/DNS
DNS cache is used to minimize DNS requests to an external DNS server as well as to minimize DNS resolution time. This is a simple DNS cache with local items.
Contents
- 1 Specifications
- 2 Description
- 3 DNS Cache Setup
- 3.1 Properties
- 3.2 Example
- 4.1 Description
- 4.2 Property Description
- 5.1 Description
- 5.2 Property Description
- 6.1 Description
- 6.2 Property Description
- 6.3 Notes
- 7.1 Command Description
- 7.2 Example
- 8.1 Example
Specifications
- Packages required: system
- License required: Level1
- Submenu level: /ip dns
- Standards and Technologies: DNS
- Hardware usage: Not significant
Description
A MikroTik router with DNS feature enabled can be set as a DNS server for any DNS-compliant client. Moreover, MikroTik router can be specified as a primary DNS server under its dhcp-server settings. When the remote requests are enabled, the MikroTik router responds to TCP and UDP DNS requests on port 53.
DNS Cache Setup
DNS facility is used to provide domain name resolution for router itself as well as for the clients connected to it.
Properties
Property Description allow-remote-requests (yes | no; Default: no) Specifies whether to allow network requests cache-max-ttl (time; Default: 1w) Maximum time-to-live for cache records. In other words, cache records will expire unconditionally after cache-max-ttl time. Shorter TTL received from DNS servers are respected. cache-size (integer[64..4294967295]; Default: 2048) Specifies the size of DNS cache in KiB max-concurrent-queries (integer; Default: 100) Specifies how much concurrent queries are allowed max-concurrent-tcp-sessions (integer; Default: 20) Specifies how much concurrent TCP sessions are allowed max-udp-packet-size (integer [50..65507]; Default: 4096) Maximum size of allowed UDP packet. query-server-timeout (time; Default: 2s) Specifies how long to wait for query response from one server query-total-timeout (time; Default: 10s) Specifies how long to wait for query response in total. Note that this setting must be configured taking into account query-server-timeout and number of used DNS server. servers (list of IPv4/IPv6 addresses; Default: ) List of DNS server IPv4/IPv6 addresses Property Description cache-used (integer) Shows the currently used cache size in KiB dynamic-server (IPv4/IPv6 list) List of dynamically added DNS server from different services, for example, DHCP. When both static and dynamic servers are set, static server entries are more preferred, however it does not indicate that static server will always be used (for example, previously query was received from dynamic server, but static was added later, then dynamic entry will be preferred).
Note: If allow-remote-requests is used make sure that you limit access to your server over TCP and UDP protocol.
Example
To set 159.148.60.2 as the primary DNS server and allow the router to be used as a DNS server, do the following:
[admin@MikroTik] ip dns> set servers=159.148.60.2 \ \. allow-remote-requests=yes [admin@MikroTik] ip dns> print servers: 159.148.60.2 allow-remote-requests: yes cache-size: 2048KiB cache-max-ttl: 1w cache-used: 7KiB [admin@MikroTik] ip dns>
Cache Monitoring
Description
This menu provides a list with all address (DNS type «A») records stored on the server
Property Description
Property Desciption address (read-only: IP address) IP address of the host name (read-only: name) DNS name of the host ttl (read-only: time) remaining time-to-live for the record All DNS Entries
Description
This menu provides a complete list with all DNS records stored on the server
Property Description
Property Desciption data (read-only: text) DNS data field. IP address for type «A» records. Other record types may have different contents of the data field (like hostname or arbitrary text) name (read-only: name) DNS name of the host ttl (read-only: time) remaining time-to-live for the record type (read-only: text) DNS record type Static DNS Entries
Description
The MikroTik RouterOS has an embedded DNS server feature in DNS cache. It allows you to link the particular domain names with the respective IP addresses and advertize these links to the DNS clients using the router as their DNS server. This feature can also be used to provide fake DNS information to your network clients. For example, resolving any DNS request for a certain set of domains (or for the whole Internet) to your own page.
The server is capable of resolving DNS requests based on POSIX basic regular expressions, so that multiple requets can be matched with the same entry. In case an entry does not conform with DNS naming standards, it is considered a regular expression and marked with ‘R’ flag. The list is ordered and is checked from top to bottom. Regular expressions are checked first, then the plain records.
Property Description
Property Desciption address (IP address) IP address to resolve domain name with name (text) DNS name to be resolved to a given IP address. regex (text) DNS regex ttl (time) time-to-live of the DNS record type (text) type of the DNS record. Available values are: A, AAAA, CNAME, FWD, MX, NS, NXDOMAIN, SRV, TXT Notes
Reverse DNS lookup (Address to Name) of the regular expression entries is not possible. You can, however, add an additional plain record with the same IP address and specify some name for it.
Remember that the meaning of a dot (.) in regular expressions is any character, so the expression should be escaped properly. For example, if you need to match anything within example.com domain but not all the domains that just end with example.com, like www.another-example.com, use regexp=».*\\.example\\.com\$»
Regular expression matching is significantly slower than of the plain entries, so it is advised to minimize the number of regular expression rules and optimize the expressions themselves. Example
To add a static DNS entry for www.example.com to be resolved to 10.0.0.1 IP address:
[admin@MikroTik] ip dns static> add name=www.example.com address=10.0.0.1 [admin@MikroTik] ip dns static> print Flags: D - dynamic, X - disabled, R - regexp # NAME ADDRESS TTL 0 www.example.com 10.0.0.1 1d [admin@MikroTik] ip dns static>
It is also possible to forward specific DNS requests to a different server using FWD type. This will fordward all subdomains of «example.com» to server 10.0.0.1:
[admin@MikroTik] ip dns static> add regexp=".*\\.example\\.com\$" forward-to=10.0.0.1
Note: regexp entries are case sensitive, but since DNS requests are not case sensitive, RouterOS converts DNS names to lowercase, you should write regex only with lowercase letters.
Flushing DNS cache
Command Description
Example
[admin@MikroTik] ip dns> cache flush [admin@MikroTik] ip dns> print servers: 159.148.60.2 allow-remote-requests: yes cache-size: 2048 KiB cache-max-ttl: 1w cache-used: 10 KiB [admin@MikroTik] ip dns>
DNS over HTTPS
Starting from RouterOS version v6.47 it is possible to use DNS over HTTPS (DoH). DoH uses HTTPS protocol to send and receive DNS requests for better data integrity. Its main goal is to provide privacy by eliminating the man in the middle attacks (MITM). Currently DoH is not compatible with FWD type static entries, in order to utilize FWD entries, DoH must not be configured.
Example
It is advised to import the root CA certificate of the DoH server you have chosen to use for increased security.
Warning: We strongly suggest not use third-party download links for certificate fetching. Use the Certificate Authority’s own website.
There are various ways to find out what root CA certificate is necessary. The easiest way is by using your WEB browser, navigating to the DoH site and checking the websites security. Using Firefox we can see that DigiCert Global Root CA is used by CloudFlare DoH server. You can download the certificate straight from the browser or navigate to DigiCert website and fetch the certificate from a trusted source.
Download the certificate and import it:
/tool fetch url="https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem" /certificate import file-name=DigiCertGlobalRootCA.crt.pem
/ip dns set use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes
Note that you need at least one regular DNS server configured for the router to resolve the DoH hostname itself. If you do not have any dynamical or static DNS server configured, you can configure a static DNS entry like this:
/ip dns static add address=1.1.1.1 name=cloudflare-dns.com
Note: RouterOS prioritize DoH over DNS server if both are configured on the device.
See Also
DNS over HTTPS (DoH)
Starting from RouterOS version v6.47 it is possible to use DNS over HTTPS (DoH). DoH uses HTTPS protocol to send and receive DNS requests for better data integrity. The main goal is to provide privacy by eliminating «man-in-the-middle» attacks (MITM). Currently, DoH is not compatible with FWD-type static entries, in order to utilize FWD entries, DoH must not be configured.
It is strongly recommended to import the root CA certificate of the DoH server you have chosen to use for increased security. We strongly suggest not using third-party download links for certificate fetching. Use the Certificate Authority’s own website.
There are various ways to find out what root CA certificate is necessary. The easiest way is by using your WEB browser, navigating to the DoH site, and checking the security of the website. Using, for example, Firefox we can see that DigiCert Global Root CA is used by the Cloudflare DoH server. You can download the certificate straight from the browser or navigate to the DigiCert website and fetch the certificate from a trusted source.
Download the certificate, upload it to your router and import it:
/certificate import file-name=DigiCertGlobalRootCA.crt.pem
/ip dns set use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes
Note that you need at least one regular DNS server configured for the router to resolve the DoH hostname itself. If you do not have any dynamical or static DNS server configured, add a static DNS entry for the DoH server domain name like this:
RouterOS prioritizes DoH over the DNS server if both are configured on the device.
MikroTik основы настройки DNS
Если в магазине вас угораздило купить роутер MikroTik себе домой и вы не знаете зачем он вам, а отравление DNS кэша вашим провайдером не дает вам спать по ночам, то этот пост для вас.
Можно не мучаться и поставить DNS от Yandex, Google, Adquard и прочее, а можно пойти более сложным путем:
Открываем сайт https://root-servers.org и ищем свой город, смотрим какие там есть корневые сервера DNS
Если их несколько, выбираем какой больше нравится вам 🙂
Далее находим официальный сайт данной компании, в моем случае это https://www.verisign.com и на сайте ищем раздел с публичным DNS.
В данном случае нас перенаправляют на сайт https://www.publicdns.neustar, идем туда и копируем адреса в блокнот 🙂
Открываем WinBox или через http, кому как больше нравится.
1. Первым делом удаляем автополучение DNS провайдера:
открываем настройки интерфейса и убираем галочку «use peer dns»
2. В настройке DNS (IP -> DNS), вводим IP DNS сервера (начиная с сервера который у вас в городе). Размер кэша укажите сколько не жалко (учитывайте свободное место).
На этом можно было бы закончить, но мы пойдем далее.
Помимо
белыхофициальных DNS резолверов есть еще итемная сторонаальтернативные корневые серверы DNS, например, выберем OpenNIC (остальные добавляются подобным образом). Нас интересуют поддерживаемые домены https://www.opennic.org:Далее открываем терминал и добавляем статические маршруты
/ip dns static add comment=»OpenNIC» forward-to=185.121.177.177,169.239.202.202,2a05:dfc7:5::53::1,2a05:dfc7:5::5353::1 regexp=».*(\\.bbs|\\.chan|\\.cyb|\\.dyn|\\.geek|\\.gopher|\\.indy|\\.libre|\\.neo|\\.null|\\.o)\$» type=FWD
/ip dns static add comment=»OpenNIC» forward-to=185.121.177.177,169.239.202.202,2a05:dfc7:5::53::1,2a05:dfc7:5::5353::1 regexp=».*(\\.oss|\\.oz|\\.parody|\\.pirate|\\.opennic.glue|\\.dns\\.opennic\\.glue)\$» type=FWD
В настройках DNS делаем очистку кэша.
Если пользуетесь Microsoft Edge, отключаем «улучшайзеры», в других браузерах аналогично.
Ребутим все что можно отребутить 🙂
Что мне это дало? Нормально заработали уведомления от mihome, перестали «тупить» китайские лампочки. Ну и немного ощущаешь себя
кулхацкеромчуть более независимым от своего провайдера.upd: корневой сервер DNS (в городе) не является публичным резолвером и не отвечает на запросы, нужно вводить ip публичного резолвера данного корневого сервера DNS.