DNS & Caching

Here I will show you how to set up your MikroTik RouterOS router, easily and securely, to resolve host names using DNS servers you specify, and also how to make it cache names for the other devices on your network.

Do you need a DNS?

Yes you do. DNS stands for Domain Name System. In short, it translates human-readable names such as bbc.co.uk into the "real" IP addresses that the sites actually reside behind.

Do you need to cache DNS queries?

No, but why wouldn't you? If you operate a relatively active network it will certainly help you. If the router already knows which IP a particular host name resolves to, it serves that answer straight from its cache rather than going out to the internet and back to find out. This can cut page load times by quite a few milliseconds, depending on the round-trip time to your internet-based DNS server.

To do this you're going to want to make sure you have Winbox installed. Log into your router and go to IP > DNS, and make sure you have a screen that looks similar to the one below.

This is your basic DNS settings page, where you configure your DNS servers. Dynamic servers (those learned from your ISP) appear in the greyed-out box; if you want to specify your own, click the down arrow and enter your chosen DNS server addresses. To let other devices on the network use the router as their caching resolver, tick the "Allow Remote Requests" box. You can leave the other settings as they are if this is a small or residential network. If you are running a bigger network, you may want to increase Max Concurrent Queries, Max Concurrent TCP Sessions and Cache Size.

If we open up a terminal now and ping a few random websites, they should resolve. You can then click the "Cache" button to see your cache filling up with host names and their corresponding resolved IP addresses.

Finally we want to secure ourselves against the evil of the internet using our DNS server for amplification attacks, or simply consuming our resources. With "Allow Remote Requests" enabled, a router that accepts port 53 on its WAN interface is an open resolver that anyone on the internet can query. If the router is internet facing, you will want to add a couple of lines to your firewall (if you haven't already) that drop inbound DNS requests arriving from the WAN. Note that it's important to drop them from the WAN interface only; otherwise your internal requests will be dropped as well.

You can use the code below to achieve this. Make sure to change the WAN interface name to the relevant one on your router:

/ip firewall filter
add action=drop chain=input comment="DROP DNS FROM WAN" dst-port=53 in-interface=WAN-INTERFACE protocol=udp
add action=drop chain=input comment="DROP DNS FROM WAN" dst-port=53 in-interface=WAN-INTERFACE protocol=tcp

That’s it! You’re done.

You can now point any device at your router and it will resolve and cache DNS queries for you. If you want to go a step further, you can also tell the router to hand itself out as the DNS server to all DHCP clients: go to IP > DHCP-Server > Networks, double-click your chosen network and enter the router's own IP address in the DNS Servers field.
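The whole procedure above (upstream servers, caching, the WAN drop rules and the DHCP hand-out) as one RouterOS terminal script, added here as an example rather than taken from the article. It assumes the WAN interface is ether1, the LAN is 192.168.88.0/24 with the router at 192.168.88.1, that the input chain already contains at least one rule (the MikroTik default configuration does), and uses the public resolvers 1.1.1.1 and 9.9.9.9 as placeholder choices you may replace.

```routeros
# Added example, not the article's own configuration. Assumed values: WAN is
# ether1, LAN is 192.168.88.0/24, router is 192.168.88.1, upstream resolvers
# 1.1.1.1 and 9.9.9.9 are chosen values you can swap for your own.

# 1. Upstream resolvers and cache tuning. allow-remote-requests=yes is what
#    lets LAN hosts use the router as their resolver; without the drop rules
#    below it would answer anyone on the internet too (an open resolver).
/ip dns set servers=1.1.1.1,9.9.9.9 allow-remote-requests=yes \
    cache-size=4096KiB max-concurrent-queries=200 max-concurrent-tcp-sessions=40

# 2. Drop DNS arriving on the WAN interface only (UDP and TCP). place-before=0
#    puts the rules at the top of the input chain so that an earlier broad
#    "accept" rule cannot shadow them. Assumes the chain already has a rule 0.
/ip firewall filter add chain=input action=drop protocol=udp dst-port=53 \
    in-interface=ether1 comment="DROP DNS FROM WAN" place-before=0
/ip firewall filter add chain=input action=drop protocol=tcp dst-port=53 \
    in-interface=ether1 comment="DROP DNS FROM WAN" place-before=0

# 3. Hand the router out as the DNS server to all DHCP clients on the LAN.
/ip dhcp-server network set [find address=192.168.88.0/24] dns-server=192.168.88.1

# 4. Checks: resolve a name from the router itself, then look at the cache and
#    confirm the drop rules sit ahead of any accept rule in the input chain.
#    From a LAN host, "nslookup bbc.co.uk 192.168.88.1" should now answer;
#    the same query sent to your WAN address from outside should time out.
:put [:resolve bbc.co.uk]
/ip dns cache print
/ip firewall filter print where chain=input
```

If your router uses the newer interface lists, replace in-interface=ether1 with in-interface-list=WAN so the rules follow whichever interface is currently the WAN.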