MikroTik Conditional DNS Forwarding
(with online code generator)

If you use a MikroTik router with a site to site vpn, you must have come across the issue of conditional DNS forwarding. There is a DNS server, which automatically resolves names for sites at the other end of the tunnel. However if you request a DNS record for the domain at the other end, the MikroTik router will try to resolve it via it own DNS server, which obviously does not have the required information.

You always have the option to create the entries manually in your hosts file, or add manual entries to your DNS server, however if the number of sites is substantial, this can be a real pain, not to mention the fact that your entries wont be updated in case the DNS records on the server are changed.

Oddly MikroTik does not have a straightforward option for conditional DNS forwarding, or the forwarding of DNS requests for a specific domain, to a specific server, however with a bit of command line magic, this can be easily achieved.

I will not go into the merits of what each command does what. It is beyond the scope of this post. The commands use the layer 7 or application layer of the IP protocol, and you are welcome to look up the commands to see what exactly is going on.

Before we start, you will need the following information :-

  1. The LAN IP Address of your MikroTik router (192.168.0.1 in this example)
  2. The IP Address of the Intranet DNS Sever (10.0.0.4 in this example)
  3. The domain suffix of your intranet (yourworkplace.com in this example)
  4. Telnet access to the MikroTik router

Let’s get on with it (The “Hard” way).

 1. Open a text editor window on your pc, and paste the following commands :-

/ip firewall layer7-protocol add name=yourworkplace.com regexp=yourworkplace.com

/ip firewall mangle add chain=prerouting dst-address=192.168.0.1 layer7-protocol=yourworkplace.com action=mark-connection new-connection-mark=yourworkplace.com-forward protocol=tcp dst-port=53

/ip firewall mangle add chain=prerouting dst-address=192.168.0.1 layer7-protocol=yourworkplace.com action=mark-connection new-connection-mark=yourworkplace.com-forward protocol=udp dst-port=53

/ip firewall nat add action=dst-nat chain=dstnat connection-mark=yourworkplace.com-forward to-addresses=10.0.0.4

/ip firewall nat add action=masquerade chain=srcnat connection-mark=yourworkplace.com-forward

2. Change the RED, BLUE and GREEN sections according to your settings in the text editor where you just pasted the above commands.

3. Open a telnet session to your MikroTik router, and paste the edited contents of your text editor

4. Close the telnet session and reboot your router for good measure.

Simplifying it even further (The “Easy” Way)

In order to save you the hassle of replacing the fields in your text editor, and possibly missing out something, I have created the script below which will create the necessary commands for you based on your setup.

Simply insert your MikroTik LAN IP address, the IP of your remote DNS server, and the domain suffix for which you want the DNS queries forwarded in the appropriate fields. Hit the generate button, and then then simply copy the generated instructions and paste them in a telnet session to your MikroTik.




 
Generated Code :

/ip firewall layer7-protocol add name=yourworkplace.com regexp=yourworkplace.com
/ip firewall mangle add chain=prerouting dst-address=192.168.0.1 layer7-protocol=yourworkplace.com action=mark-connection new-connection-mark=yourworkplace.com-forward protocol=tcp dst-port=53
/ip firewall mangle add chain=prerouting dst-address=192.168.0.1 layer7-protocol=yourworkplace.com action=mark-connection new-connection-mark=yourworkplace.com-forward protocol=udp dst-port=53
/ip firewall nat add action=dst-nat chain=dstnat connection-mark=yourworkplace.com-forward to-addresses=10.0.0.4
/ip firewall nat add action=masquerade chain=srcnat connection-mark=yourworkplace.com-forward

 

Troubleshooting

Go ahead and check if you can reach the intranet sites on the other side of the VPN. If you cannot, make sure the vpn tunnel is up and running, and that the sites are actually reachable via their relative IP Addresses. Next step is to troubleshoot DNS resolution using commands like nslookup. First make sure that the DNS server on the other side of the tunnel is responding to NS requests, issuing the command :-

C:\>nslookup - 10.0.0.4  
Default Server : dns.yourworkplace.com
Address: 10.0.0.4

>

10.0.0.4 being the Name Server on the intranet side.

at the > prompt, type in the name of one of your intranet sites, and the name server should reply with its IP Address :-

Default Server : dns.yourworkplace.com
Address: 10.0.0.4

>site1.yourworkplace.com

Name: site1.yourworkplace.com
Address: 10.0.0.100

If the above works, it means that the tunnel is working, and you dns server is working, next issue the command :-

C:\>nslookup - 192.168.0.1  

192.168.0.1 being the LAN IP of the MikroTik.

 

Default Server : router
Address: 192.168.0.1

>site1.yourworkplace.com

Name: site1.yourworkplace.com
Address: 10.0.0.100

If the above fails to resolve, go back to the commands in your text editor, and check to make sure everything was entered correctly. Fix any mistakes, and give it another try.

Please leave a comment below, if you encounter any issues with the script or if you have any suggestions.
 

Leave a reply:

Your email address will not be published.