Conditional DNS forwarding with MikroTik

In this article I will show you how to forward DNS traffic conditionally to a different DNS server.

In OpenWRT (a Linux-based router OS) you can use dnsmasq to forward DNS requests to a different server based on the queried domain. This is an important feature if you use a VPN tunnel in split mode to connect a remote office to the main infrastructure of your company and want to use the local DNS server provided by your ISP, but redirect all requests for internal domains to your core infrastructure. Sadly, at the time of writing there is no simple way to achieve this with MikroTik's built-in DNS server.

Instead of the built-in DNS server, however, you can use the firewall to achieve the same goal.

First of all, define a Layer 7 rule that detects DNS requests containing an internal domain name or a reverse-lookup name for an internal IP range. In the next step, define two rules (one for UDP, one for TCP) that mark all matching connections to the DNS server of the MikroTik router. Then create a NAT rule that redirects all packets of a marked connection to the DNS server in the core infrastructure. The last rule is only needed if the clients at the remote office are not allowed to query the main DNS server directly: it rewrites all packets so that they carry the local IP address of the VPN connection as their source. Leave the dots in the Layer 7 pattern unescaped: on the wire a DNS name contains no dots, each label is prefixed by a length byte instead, so a literal dot would never match, while the regex metacharacter "." does match the length byte between two labels.

/ip firewall layer7-protocol
add name="Remote DNS" regexp="company.example.org|[0-9]+.[0-9]+.0.10.in-addr.arpa"
/ip firewall mangle
add action=mark-connection chain=prerouting comment="Mark TCP DNS queries for internal zones" dst-address-type=local dst-port=53 layer7-protocol="Remote DNS" new-connection-mark=remote-dns protocol=tcp
add action=mark-connection chain=prerouting comment="Mark UDP DNS queries for internal zones" dst-address-type=local dst-port=53 layer7-protocol="Remote DNS" new-connection-mark=remote-dns protocol=udp
/ip firewall nat
add action=dst-nat chain=dstnat comment="DNAT to Remote DNS" connection-mark=remote-dns to-addresses=10.0.1.1
add action=masquerade chain=srcnat comment="SNAT to Remote DNS" connection-mark=remote-dns
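Because the Layer 7 matcher runs the regular expression over the raw packet payload, it is worth checking offline which queries the pattern will actually redirect before committing the rules. The following Python script is an added example and not part of the article or of RouterOS: it builds minimal DNS query messages in wire format (constructed sample traffic, not captured packets), applies the article's pattern to them with Python's re module as a stand-in for the router's matcher (assumed to have comparable POSIX-style regex semantics), and contrasts it with an escaped-dot variant that would silently match nothing and with a tighter variant, TIGHT_PATTERN, which is my own suggestion rather than something the article recommends. The tighter pattern replaces "." with a character class that still matches a label-length byte but no longer accepts a hyphen, so a look-alike name such as company-example-org.com is not redirected to the internal resolver.

```python
import re
import struct

# Layer 7 pattern taken from the article, as bytes so it can run against raw payload.
PAGE_PATTERN = rb"company.example.org|[0-9]+.[0-9]+.0.10.in-addr.arpa"

# The same pattern with escaped dots, as someone "fixing" the regex might write it.
# It cannot match DNS wire format, which contains no literal dots at all.
ESCAPED_PATTERN = rb"company\.example\.org|[0-9]+\.[0-9]+\.0\.10\.in-addr\.arpa"

# Suggested tighter alternative (an assumption, not from the article): a label-length
# byte is never a legal hostname character, so "anything but [-a-zA-Z0-9]" between
# labels keeps the wire-format behaviour of "." but rejects a hyphen in its place.
SEP = rb"[^-a-zA-Z0-9]"
TIGHT_PATTERN = (
    rb"company" + SEP + rb"example" + SEP + rb"org"
    + rb"|[0-9]+" + SEP + rb"[0-9]+" + SEP + rb"0" + SEP + rb"10"
    + SEP + rb"in-addr" + SEP + rb"arpa"
)

QTYPE_A = 1
QTYPE_PTR = 12


def encode_qname(name: str) -> bytes:
    """Encode a domain name in DNS wire format: <len><label>... ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 bytes long")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query (header + one question); constructed sample traffic."""
    # flags 0x0100 = recursion desired; QDCOUNT=1, AN/NS/AR counts = 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)  # class IN


def reverse_name(ip: str) -> str:
    """Return the in-addr.arpa name used for a PTR lookup of an IPv4 address."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def l7_matches(pattern: bytes, payload: bytes) -> bool:
    """Apply an L7-style regex to a payload.

    DOTALL is needed because a label of length 10 yields a 0x0A (newline) length
    byte, which "." would otherwise refuse to match in Python's re module.
    """
    return re.search(pattern, payload, re.DOTALL) is not None


def classify(name: str, qtype: int = QTYPE_A) -> bool:
    """True if a query for `name` would be marked by the article's Layer 7 rule."""
    return l7_matches(PAGE_PATTERN, build_query(name, qtype))


if __name__ == "__main__":
    samples = [
        ("intranet.company.example.org", QTYPE_A),   # internal zone: should redirect
        (reverse_name("10.0.3.5"), QTYPE_PTR),       # internal 10.0.x.x reverse lookup
        ("www.example.com", QTYPE_A),                # public name: should stay local
        (reverse_name("192.168.1.1"), QTYPE_PTR),    # other private range: stays local
        ("company-example-org.com", QTYPE_A),        # look-alike: over-matched by "."
    ]
    for name, qtype in samples:
        payload = build_query(name, qtype)
        print(f"{name:32} page={str(l7_matches(PAGE_PATTERN, payload)):5} "
              f"escaped={str(l7_matches(ESCAPED_PATTERN, payload)):5} "
              f"tight={l7_matches(TIGHT_PATTERN, payload)}")
```

Running the script prints one line per sample query; the "escaped" column is False for every name, which is the behaviour you would get on the router after escaping the dots, and the last sample shows that only the tightened pattern distinguishes the internal zone from a hyphenated look-alike.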

Conclusion

I don't like the provided solution because it is possible for an attacker to send malicious requests and they are forwarded to my main DNS server. But at the time of writing this is the only way to forward DNS requests conditionally with a MikroTik router. There are rumors in the MikroTik forum that conditional DNS forwarding might be a new feature in RouterOS v7, which should be published this year according to the announcements at the European MUM in Berlin this year.
