[SOLVED] [Mikrotik] DNS requests and NAT rule

derek wildstar (Reputable), Feb 14, 2020
Hi,
I read in another forum that in order to redirect any DNS request coming from your own LAN's clients to your Mikrotik router this rule may come in handy:

Code:
/ip firewall nat
add action=dst-nat chain=dstnat comment="Make Mikrotik preferred dns server" dst-port=53 protocol=udp to-addresses=192.168.1.1 to-ports=53

As far as I've understood, it basically forces every client's DNS requests, even those with DNS servers set in their properties, to go through your Mikrotik router.
What is not clear to me is whether the rule above prevents clients from sending DNS requests to any DNS server outside your LAN;
I mean, does it block them before they get to the internet via WAN
OR, say,
does it first intercept the responses coming from DNS servers out there (like Google etc.), which are then read by Mikrotik (in the case above 192.168.1.1), and finally Mikrotik provides the DNS reply to the client which made the request?
I hope it is clear.
Thanks
 
This likely will not work much longer when Microsoft releases secure DNS to prevent interception. ISPs are doing this crap and it hurts performance as well as them collecting information.

What it does is take any outgoing DNS request (i.e. port 53) and change the IP address in the packet to be the router. So in effect it is as if the user put the IP of the router in to start with.

It is/was a good way to try to prevent bypassing filter rules, but a determined user can use DNS servers that run on other ports or just put entries in his host table.
 

derek wildstar (Reputable), Feb 14, 2020
This likely will not work much longer when Microsoft releases secure DNS to prevent interception. ISPs are doing this crap and it hurts performance as well as them collecting information.

What it does is take any outgoing DNS request (i.e. port 53) and change the IP address in the packet to be the router. So in effect it is as if the user put the IP of the router in to start with.

It is/was a good way to try to prevent bypassing filter rules, but a determined user can use DNS servers that run on other ports or just put entries in his host table.

Since I am a noob when it comes to computer networking and Mikrotik stuff in particular, I am having a hard time trying to figure out how it works.
I thought that the typical and only usage of dst NAT was to redirect incoming packets with a destination of a public address/port to a private IP address/port inside my network. In fact, I have always used it to open ports for, say, software like torrent or eMule. I didn't know that the other way round was true too, that is, redirecting packets coming from my LAN to another IP of my LAN itself by changing their destination IP headers. Did I get it?
Thanks
 
This is what happens when you get a device that has features that are mostly of little value to home users.

NAT is extremely powerful and can be very confusing. Most users cannot even set up simple port forwarding, so consumer routers tend to not allow a lot of options.

NAT can pretty much change any field in the IP header. You can change both the source and destination IP as well as the ports. What "source" and "destination" means depends on the direction the traffic is going.

Think about the case where you have 2 networks, maybe in different companies, and they both use 192.168.1.x for their subnet but you still want any-any communication. You can use NAT to pretend the other network actually was, say, assigned 192.168.2.x without actually changing the IP addresses on either end.
 
Solution

derek wildstar (Reputable), Feb 14, 2020
This is what happens when you get a device that has features that are mostly of little value to home users.

NAT is extremely powerful and can be very confusing. Most users cannot even set up simple port forwarding, so consumer routers tend to not allow a lot of options.

NAT can pretty much change any field in the IP header. You can change both the source and destination IP as well as the ports. What "source" and "destination" means depends on the direction the traffic is going.

Think about the case where you have 2 networks, maybe in different companies, and they both use 192.168.1.x for their subnet but you still want any-any communication. You can use NAT to pretend the other network actually was, say, assigned 192.168.2.x without actually changing the IP addresses on either end.

Ok,
anyway, I'd like to make sure that I've understood this "little" part of NAT, that is, that dst-nat can be used to change the headers of IP packets coming either from the LAN or from the WAN (the internet, for example). Did I get it right?
Thanks again
 
I forget the exact syntax on the Mikrotik stuff. The confusing part is traffic that goes LAN----> WAN: what is called the destination would be some IP address, say on the internet. When traffic goes WAN====> LAN, the destination is an IP on your local network. Source and destination swap places depending on the direction of the traffic. You can manipulate this pretty much in any way you can think of.

If you want really confusing, look up what is called NAT on a stick. The WAN/LAN interface is the SAME interface.
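To make the direction question concrete, here is a small model of a stateful dstnat chain, written as an added example for this thread (it is not MikroTik code and not from any poster). It shows that the DNS rule rewrites the client's request before it leaves the LAN, that connection tracking rewrites the reply's source back so the client believes the server it asked for answered, that the same chain handles an ordinary WAN-to-LAN port forward, and that DNS sent to a port other than 53 is not matched. Interface names, addresses and ports are constructed.

```python
# Added example: a minimal model of a stateful dstnat chain, not MikroTik code.
# Addresses, ports and interface names below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    in_iface: str      # interface the packet arrived on ("LAN" or "WAN")
    proto: str         # "udp" or "tcp"
    src: tuple         # (ip, port)
    dst: tuple         # (ip, port)


# dstnat rules: match fields -> translated destination (to-addresses / to-ports).
DSTNAT_RULES = [
    # "Make Mikrotik preferred dns server", restricted to LAN-originated UDP/53
    {"in_iface": "LAN", "proto": "udp", "dst_port": 53, "to": ("192.168.1.1", 53)},
    # ordinary port forward: WAN traffic to public TCP/6881 -> LAN host
    {"in_iface": "WAN", "proto": "tcp", "dst_port": 6881, "to": ("192.168.1.20", 6881)},
]


class DstNatChain:
    def __init__(self, rules):
        self.rules = rules
        # connection tracking: (client src, translated dst, proto) -> original dst
        self.conntrack = {}

    def forward(self, pkt):
        """First packet of a new connection: apply the first matching rule."""
        for r in self.rules:
            if (pkt.in_iface == r["in_iface"] and pkt.proto == r["proto"]
                    and pkt.dst[1] == r["dst_port"]):
                self.conntrack[(pkt.src, r["to"], pkt.proto)] = pkt.dst
                return Packet(pkt.in_iface, pkt.proto, pkt.src, r["to"])
        return pkt   # no rule matched: the packet leaves untouched

    def reply(self, pkt):
        """Reply packet: restore the original destination as the reply's source."""
        key = (pkt.dst, pkt.src, pkt.proto)
        if key in self.conntrack:
            return Packet(pkt.in_iface, pkt.proto, self.conntrack[key], pkt.dst)
        return pkt
```

The client sending to 8.8.8.8:53 never reaches Google; the router's own resolver answers, and the reply is re-written to look as if it came from 8.8.8.8, which is why clients with a hard-coded DNS server do not notice anything.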