DNS Conditional Forwarders With Mikrotik RouterOS

This document describes how to configure DNS conditional forwarders on a Mikrotik RouterOS device. It provides the commands to add conditional forwarders for the domains "example.com" and "domain.com", pointing them to different DNS servers. Running these commands allows DNS queries for hostnames within each domain to be resolved through the appropriate DNS server.


dalemacartney.com

https://www.dalemacartney.com/2012/12/29/dns-conditional-forwarders-with-mikrotik-routeros/

DNS Conditional forwarders with Mikrotik RouterOS


If you have been following some of my recent articles, you may have noticed that I am covering a few topics which are typical for joining multiple environments together. One of these topics has been setting up DNS forwarding on a per-zone basis. This is a typical requirement for Active Directory domain trusts and other related tasks. This article will cover how to set up a DNS conditional forwarder on a RouterOS based device. In this example, I will be using the below details:

RouterOS Version: 5.15
RouterOS IP Address: 10.0.0.254
Example.com DNS server IP Address: 10.0.1.11
Domain.com DNS server IP Address: 10.0.4.11

Run the following commands to add the conditional forwarder for the domain example.com and point it to the DNS server 10.0.1.11. The layer7 rule matches DNS traffic whose payload contains the domain name, the mangle rules mark the TCP and UDP port 53 connections addressed to the router itself, and the NAT rules redirect the marked connections to the zone's DNS server and masquerade them on the way out:

[admin@RouterOS] > /ip firewall layer7-protocol add name=example.com regexp=example.com
[admin@RouterOS] > /ip firewall mangle add chain=prerouting dst-address=10.0.0.254 layer7-protocol=example.com action=mark-connection new-connection-mark=example.com-forward protocol=tcp dst-port=53
[admin@RouterOS] > /ip firewall mangle add chain=prerouting dst-address=10.0.0.254 layer7-protocol=example.com action=mark-connection new-connection-mark=example.com-forward protocol=udp dst-port=53
[admin@RouterOS] > /ip firewall nat add action=dst-nat chain=dstnat connection-mark=example.com-forward to-addresses=10.0.1.11
[admin@RouterOS] > /ip firewall nat add action=masquerade chain=srcnat connection-mark=example.com-forward

Should you wish to run multiple conditional forwarders, all you need to do is repeat the above 5 commands for your other domains. See the below example for using the same commands on the domain domain.com. You will notice that all I have changed is the domain name and the forwarding IP address:

[admin@RouterOS] > /ip firewall layer7-protocol add name=domain.com regexp=domain.com
[admin@RouterOS] > /ip firewall mangle add chain=prerouting dst-address=10.0.0.254 layer7-protocol=domain.com action=mark-connection new-connection-mark=domain.com-forward protocol=tcp dst-port=53
[admin@RouterOS] > /ip firewall mangle add chain=prerouting dst-address=10.0.0.254 layer7-protocol=domain.com action=mark-connection new-connection-mark=domain.com-forward protocol=udp dst-port=53
[admin@RouterOS] > /ip firewall nat add action=dst-nat chain=dstnat connection-mark=domain.com-forward to-addresses=10.0.4.11
[admin@RouterOS] > /ip firewall nat add action=masquerade chain=srcnat connection-mark=domain.com-forward
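The layer7 regexps above are unanchored substring matches over the raw DNS packet, and the `.` in `example.com` matches any byte, including the label-length byte that separates `example` from `com` on the wire, which is why the rule works but also why it catches names such as `notexample.com` or `example.community`. The following Python script is an illustration added here, not part of the original post: it builds wire-format queries for a few constructed names and shows which DNS server each would be redirected to under the post's regexps versus tighter patterns that spell out the label-length bytes and the terminating zero byte (the tighter patterns, the test names other than ykval01.example.com, and the assumption that the router's regex engine accepts the `\x` escape form are mine).

```python
import re
import struct
from typing import List, Optional, Tuple

def encode_qname(name: str) -> bytes:
    """Wire-format QNAME: each label is prefixed by its length; a zero byte ends the name."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_dns_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal UDP DNS query: 12-byte header (RD set, one question) plus the question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack(">HH", qtype, 1)  # class IN

def layer7_matches(regexp: str, payload: bytes) -> bool:
    """Model of a layer7 rule: unanchored, case-insensitive search over the payload bytes.
    Note that '.' in the regexp matches any byte, including DNS label-length bytes."""
    return re.search(regexp.encode("latin-1"), payload, re.I | re.S) is not None

# (layer7 regexp, DNS server the dst-nat rule sends the query to), in rule order as in the post
FORWARDERS_LOOSE: List[Tuple[str, str]] = [("example.com", "10.0.1.11"), ("domain.com", "10.0.4.11")]
# Assumed tighter patterns: spell out the label-length bytes and the terminating zero byte,
# so only the zone itself and names below it match.
FORWARDERS_TIGHT: List[Tuple[str, str]] = [(r"\x07example\x03com\x00", "10.0.1.11"),
                                           (r"\x06domain\x03com\x00", "10.0.4.11")]

def classify(name: str, forwarders: List[Tuple[str, str]]) -> Optional[str]:
    """Return the server the first matching rule would forward a query for `name` to."""
    payload = build_dns_query(name)
    for regexp, server in forwarders:
        if layer7_matches(regexp, payload):
            return server
    return None

def compare(names: List[str]) -> dict:
    """Map each name to (server under the post's regexps, server under the tighter ones)."""
    return {n: (classify(n, FORWARDERS_LOOSE), classify(n, FORWARDERS_TIGHT)) for n in names}

if __name__ == "__main__":
    # Constructed test names; only ykval01.example.com comes from the post.
    names = ["ykval01.example.com", "domain.com", "example.community",
             "notexample.com", "example.com.other.test", "server.corp.test"]
    for name, (loose, tight) in compare(names).items():
        print(f"{name:26} post regexp -> {loose!s:10} tight regexp -> {tight}")
```

Queries for zones you did not intend to forward ending up at the example.com server are easy to spot by logging the mangle rules or by checking the query log on that server.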

That's it. You should now be able to communicate with any hostname within each of those domains. You can use ping/telnet or any other method of your choosing to verify the settings. I have simply pinged one of my Yubikey servers in the example.com domain.

[mac@localhost ~]$ ping ykval01.example.com
PING ykval01.example.com (10.0.1.31) 56(84) bytes of data.
64 bytes from 10.0.1.31: icmp_seq=1 ttl=63 time=4.53 ms
64 bytes from 10.0.1.31: icmp_seq=2 ttl=63 time=4.53 ms
64 bytes from 10.0.1.31: icmp_seq=3 ttl=63 time=4.33 ms
64 bytes from 10.0.1.31: icmp_seq=4 ttl=63 time=4.34 ms
^C
--- ykval01.example.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 4.332/4.436/4.538/0.129 ms
[mac@localhost ~]$
