BILLYSOFTACADEMY

How To Use A Mikrotik Router As A DNS Server And Add Static DNS Records For Internal Servers In Your LAN Network.

Back in the 1970s there was no standard method for networks to communicate, and it took the work of two men, Vint Cerf and Bob Kahn, to come up with the well-known Internet Protocol, which led to the development of many technologies used today such as DNS. DNS keeps a record of domain names such as billysoftacademy.com and their corresponding numerical IP addresses. MikroTik routers ship with a built-in DNS server that can perform the functions expected of a standard DNS server. This tutorial provides a guide on how to use a MikroTik router as a DNS server on a LAN network. You will also learn how to add static DNS records and how to protect the DNS server from DDoS attacks.

REQUIREMENTS

In order to complete this tutorial successfully the following items are required. Please make sure you have them available before implementing anything from this tutorial:
1) A MikroTik router or the Cloud Hosted Router (CHR) running RouterOS version.
2) A MikroTik user account with access rights to make DNS changes.
3) The Winbox desktop application and/or the Winbox mobile app.
4) A laptop or desktop running Windows 7 64-bit or newer.

OVERVIEW

1) Download the Winbox desktop app, open it and log in to the MikroTik router.
2) Click on IP > DNS, set a default DNS lookup address (upstream server) and allow remote requests.
3) Learn how to add static DNS entries for network applications such as a web server and an email server.
4) Learn how to protect the MikroTik DNS server from DDoS attacks.

Step 1: Download The Winbox App And Login To A Mikrotik Router.

1) A MikroTik device can be configured using an SSH console, its built-in web-based configuration tool, or the Winbox desktop and mobile apps. The most popular configuration tool for MikroTik is the Winbox application; download it from the official MikroTik download page. Once downloaded, open Winbox and click on the Neighbors tab. You should see the MAC address and IP address of all MikroTik routers on your LAN. Double-click on the IP address of the router you would like to configure, type in your username and password and click on CONNECT.
2) Click on IP > DNS to open the DNS configuration window, type the address of your upstream resolver in the SERVERS field and tick the ALLOW REMOTE REQUESTS option so that LAN clients are allowed to query the router.
3) If you run a self-hosted email server, web server or remote desktop server, it is a good idea to add static DNS entries for those servers so end users can connect using an easy-to-remember domain name. To add a static DNS entry, click on the STATIC button and then on the ADD button. In the NEW DNS STATIC ENTRY window type in a fully qualified domain name, select the type of DNS record you are adding from the TYPE dropdown menu and type in the IP address that you would like to map the domain name to. MikroTik DNS supports almost all types of DNS records such as A, AAAA, MX, TXT, SRV, NXDOMAIN and more.

4) The next step is to add a Mikrotik firewall rule that forces all LAN devices to direct all DNS queries to the Mikrotik DNS server. To do this click on the NEW TERMINAL button on the WINBOX navigation bar and type the following commands.

/ip firewall nat add chain=dstnat action=redirect to-ports=53 protocol=udp dst-port=53 to-addresses=192.168.55.1 comment="DIRECT ALL DNS REQUESTS TO MIKROTIK INTERNAL DNS SERVER."

*Replace to-addresses with the LAN address of the MikroTik router.

5) If you would like to view the resolved DNS queries stored in the DNS cache of the MikroTik router, click on IP > DNS > CACHE.

6) The next step is to protect the MikroTik DNS server by adding firewall rules that block incoming DNS requests on the WAN (internet-facing) interface. This helps to prevent DNS flooding attacks from malicious hosts on the internet. Run the following commands:

/ip firewall filter
add action=drop chain=input in-interface-list=WAN dst-port=53 protocol=udp
add action=drop chain=input in-interface-list=WAN dst-port=53 protocol=tcp

*The in-interface-list=WAN match is required: without it the rules would also drop the DNS queries that LAN devices send to the router. The WAN interface list exists in the RouterOS default configuration; if your router does not have it, use in-interface=<your WAN interface> instead. Rules are appended to the end of the input chain, so move them above any broad accept rule if one exists.

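The whole procedure (steps 2, 3, 4 and 6) as one RouterOS terminal script, added here as an example and not taken from the original tutorial. It assumes a LAN of 192.168.55.0/24 with the router at 192.168.55.1, upstream resolvers 1.1.1.1 and 9.9.9.9, a made-up internal zone corp.lan, and the LAN and WAN interface lists from the RouterOS default configuration.

```routeros
# Added example (not from the tutorial). Assumed values: LAN 192.168.55.0/24, router
# 192.168.55.1, upstream resolvers 1.1.1.1 and 9.9.9.9, made-up zone "corp.lan".
# The interface lists LAN and WAN come from the RouterOS default configuration;
# substitute in-interface=<name> if your router does not have them.

# Step 2: upstream resolvers and permission for LAN clients to query the router (GUI: IP > DNS).
/ip dns set servers=1.1.1.1,9.9.9.9 allow-remote-requests=yes

# Step 3: static records for the internal servers (GUI: IP > DNS > Static).
/ip dns static
add name=www.corp.lan type=A address=192.168.55.10 ttl=1d comment="internal web server"
add name=mail.corp.lan type=A address=192.168.55.20 ttl=1d comment="internal mail server"
add name=rdp.corp.lan type=A address=192.168.55.30 ttl=1d comment="remote desktop server"
# MX record so mail clients on the LAN find the mail server by the zone name.
add name=corp.lan type=MX mx-preference=10 mx-exchange=mail.corp.lan ttl=1d

# Step 4: force every LAN client to use the router's resolver, even devices configured
# with another DNS server. Limited to the LAN list so WAN-side traffic is never touched.
# TCP is redirected too (large answers and zone data fall back to TCP).
/ip firewall nat
add chain=dstnat in-interface-list=LAN protocol=udp dst-port=53 action=redirect to-ports=53 comment="DIRECT ALL LAN DNS REQUESTS TO MIKROTIK INTERNAL DNS SERVER"
add chain=dstnat in-interface-list=LAN protocol=tcp dst-port=53 action=redirect to-ports=53 comment="DIRECT ALL LAN DNS REQUESTS TO MIKROTIK INTERNAL DNS SERVER (TCP)"

# Step 6: refuse DNS on the internet-facing side. Matching on in-interface-list=WAN is the
# important part: a plain "chain=input dst-port=53 action=drop" would also drop the LAN
# queries that step 4 just redirected to the router. The rate-limited log rule keeps a
# record of hosts probing port 53 from outside without letting the log itself be flooded.
/ip firewall filter
add chain=input in-interface-list=WAN protocol=udp dst-port=53 limit=2,10:packet action=log log-prefix="WAN-DNS" comment="LOG DNS PROBES FROM THE INTERNET"
add chain=input in-interface-list=WAN protocol=udp dst-port=53 action=drop comment="BLOCK DNS REQUESTS ON WAN"
add chain=input in-interface-list=WAN protocol=tcp dst-port=53 action=drop comment="BLOCK DNS REQUESTS ON WAN (TCP)"
# New rules are appended to the end of the chain; if a broad accept rule precedes them,
# move them above it, e.g. /ip firewall filter move [find comment~"BLOCK DNS"] 0

# Verification: records, rules and the cache entries produced by LAN lookups.
/ip dns static print
/ip firewall nat print where dst-port=53
/ip firewall filter print where dst-port=53
/ip dns cache print where name~"corp.lan"
/log print where message~"WAN-DNS"
```

From a LAN client, resolving www.corp.lan against any DNS server address should return 192.168.55.10, which confirms both the static record and the redirect rule are working.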