DNS Conditional forwarders with Mikrotik RouterOS

If you have been following some of my recent articles, you may have noticed that I am covering a few topics which are typical for joining multiple environments together.

One of these topics has been setting up DNS forwarding based on a per zone basis. This is a typical requirement for Active Directory Domain trusts and other related tasks.

This article will cover how to set up a DNS conditional forwarder on a RouterOS based device.

In this example, I will be using the details below:

RouterOS Version:                  5.15
RouterOS IP Address:               10.0.0.254
Example.com DNS server IP Address: 10.0.1.11
Domain.com DNS server IP Address:  10.0.4.11

Run the following commands to add the conditional forwarder for the domain “example.com” and point it to the DNS server “10.0.1.11”.

[admin@RouterOS] > /ip firewall layer7-protocol add name=example.com regexp=example.com
[admin@RouterOS] > /ip firewall mangle add chain=prerouting dst-address=10.0.0.254 layer7-protocol=example.com action=mark-connection new-connection-mark=example.com-forward protocol=tcp dst-port=53
[admin@RouterOS] > /ip firewall mangle add chain=prerouting dst-address=10.0.0.254 layer7-protocol=example.com action=mark-connection new-connection-mark=example.com-forward protocol=udp dst-port=53
[admin@RouterOS] > /ip firewall nat add action=dst-nat chain=dstnat connection-mark=example.com-forward to-addresses=10.0.1.11
[admin@RouterOS] > /ip firewall nat add action=masquerade chain=srcnat connection-mark=example.com-forward


Should you wish to run multiple conditional forwarders, all you need to do is repeat the above five commands for each of your other domains.

See the example below for using the same commands on the domain “domain.com”. You will notice that all I have changed is the domain name and the forwarding IP address.

[admin@RouterOS] > /ip firewall layer7-protocol add name=domain.com regexp=domain.com
[admin@RouterOS] > /ip firewall mangle add chain=prerouting dst-address=10.0.0.254 layer7-protocol=domain.com action=mark-connection new-connection-mark=domain.com-forward protocol=tcp dst-port=53
[admin@RouterOS] > /ip firewall mangle add chain=prerouting dst-address=10.0.0.254 layer7-protocol=domain.com action=mark-connection new-connection-mark=domain.com-forward protocol=udp dst-port=53
[admin@RouterOS] > /ip firewall nat add action=dst-nat chain=dstnat connection-mark=domain.com-forward to-addresses=10.0.4.11
[admin@RouterOS] > /ip firewall nat add action=masquerade chain=srcnat connection-mark=domain.com-forward
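The five commands above work because the layer7 regexp is applied to the raw bytes of the DNS query, and on the wire a DNS name is not written with dots: each label is preceded by a one-byte length, so "ykval01.example.com" appears as 07 ykval01 07 example 03 com 00 (RFC 1035). The regexp "example.com" still matches, because its "." matches the length byte in front of "com". The same property means the match is a substring match rather than a zone match: a query for "example.comcast.net" (07 example 07 comcast ...) also matches "example.com" and would be sent to the 10.0.1.11 forwarder. The following added example, which is not part of the article and not MikroTik code, encodes a DNS question, mimics the unanchored regex step (how many packets RouterOS actually inspects is not modelled here), and compares it with an exact zone match over the decoded query name. The zone-to-forwarder table uses the addresses from the article; the function names are assumptions.

```python
import re
import struct

# Zone-to-forwarder table, taken from the addresses in the article.
ZONE_FORWARDERS = {
    "example.com": "10.0.1.11",
    "domain.com": "10.0.4.11",
}


def build_dns_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a minimal DNS query (RFC 1035 section 4.1) as wire bytes.

    Header: ID, flags (RD set), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0.
    Question: length-prefixed labels, root terminator, QTYPE, QCLASS=IN.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b""
    for label in qname.rstrip(".").split("."):
        encoded = label.encode("ascii")
        if not 1 <= len(encoded) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        labels += bytes([len(encoded)]) + encoded
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_qname(msg: bytes) -> str:
    """Decode the QNAME of the first question in a DNS message (lower-cased)."""
    pos = 12  # question section starts right after the 12-byte header
    labels = []
    while True:
        length = msg[pos]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name is not expected")
        pos += 1
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels).lower()


def layer7_match(msg: bytes, regexp: str) -> bool:
    """Mimic the article's layer7 rule: an unanchored regex over packet bytes.

    '.' in the regexp matches any byte, including the label length byte, so
    'example.com' matches 'example\\x03com'. Because it is a substring match,
    it also matches e.g. 'example\\x07comcast' in 'example.comcast.net'.
    """
    pattern = re.compile(regexp.encode("ascii"), re.DOTALL | re.IGNORECASE)
    return pattern.search(msg) is not None


def zone_for(qname: str):
    """Exact zone match: the name is the zone itself or ends with '.' + zone.

    The longest matching zone wins, so a sub-zone table entry takes priority.
    """
    name = qname.lower().rstrip(".")
    best = None
    for zone in ZONE_FORWARDERS:
        if name == zone or name.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best


def choose_forwarder(msg: bytes):
    """Return the forwarder address for the query's zone, or None if no zone matches."""
    zone = zone_for(parse_qname(msg))
    return ZONE_FORWARDERS.get(zone) if zone else None


if __name__ == "__main__":
    # Constructed query names: two legitimate ones, one regex false positive, one miss.
    for name in ("ykval01.example.com", "host.domain.com",
                 "example.comcast.net", "www.example.org"):
        q = build_dns_query(name)
        print(f"{name:22} wire={q[12:].hex()}")
        print(f"  layer7 'example.com' matches: {layer7_match(q, 'example.com')}"
              f"  exact zone: {zone_for(name)}  forwarder: {choose_forwarder(q)}")
```

Running the script shows the difference between the two approaches: the regex step returns True for "example.comcast.net" even though the exact zone check assigns it no forwarder, while "www.example.org" matches neither. If the substring behaviour matters in a given deployment, the regexp can be tightened to the wire encoding (for instance matching the length byte explicitly), but the exact-zone check is the reference to compare against.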


That’s it.

You should now be able to communicate with any hostname within each of those domains. You can use ping, telnet or any other method of your choosing to verify the settings.

I have simply pinged one of my Yubikey servers in the “example.com” domain.

[mac@localhost ~]$ ping ykval01.example.com
PING ykval01.example.com (10.0.1.31) 56(84) bytes of data.
64 bytes from 10.0.1.31: icmp_seq=1 ttl=63 time=4.53 ms
64 bytes from 10.0.1.31: icmp_seq=2 ttl=63 time=4.53 ms
64 bytes from 10.0.1.31: icmp_seq=3 ttl=63 time=4.33 ms
64 bytes from 10.0.1.31: icmp_seq=4 ttl=63 time=4.34 ms
^C
--- ykval01.example.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 4.332/4.436/4.538/0.129 ms
[mac@localhost ~]$

3 comments on “DNS Conditional forwarders with Mikrotik RouterOS”

  1. kourosh kdt October 17, 2014 21:45

    dude , you are genius 😀 i will test it , thank you 😀 !!!

  2. Emre Sumengen June 21, 2015 05:21

    Hey there, thanks for a good write up. I’ve been using a similar setup to access my work network from home for a while and thanks to your post, I’ve been able to reduce the clutter.

    Do you have any ideas to enable multiple dns servers for a forwarded domain? (Eg. 10.0.4.11 AND 172.16.0.11 for domain.com?)

  3. Enrico August 2, 2016 09:15

    Very useful guide.
    How could we proceed in an analogous manner if we also wanted the Mikrotik machine to do the same? I.e. instead of resolving all internal names to the given DNS servers, distinguish the query as per the internal clients.
