DNS Server Configuration
TL;DR (Quick Start)

Enable DNS server for LAN clients:

```
/ip dns set servers=8.8.8.8,1.1.1.1 allow-remote-requests=yes
```

Add a static DNS entry:

```
/ip dns static add name=server.local address=192.168.88.100
```

Verify configuration:

```
/ip dns print
/ping server.local
```

Overview
What this covers: Configuring your MikroTik router as a DNS server for your local network, including caching and static entries.
When to use this:
- You want LAN devices to use the router for DNS resolution
- You need local hostname mappings (e.g., printer.local, nas.local)
- You want to reduce external DNS queries through caching
- You want faster DNS resolution for frequently accessed domains
How it works:
- Router receives DNS queries from LAN clients
- Checks local static entries first
- Checks cache for previously resolved queries
- Forwards unknown queries to upstream DNS servers
- Caches responses for future queries
Prerequisites:
- A MikroTik router running RouterOS 6.x or later
- Working internet connection with upstream DNS access
- Basic understanding of IP addressing
Configuration
Step 1: Configure Upstream DNS Servers

Set the DNS servers your router will use for resolution:

```
/ip dns set servers=8.8.8.8,1.1.1.1
```

This configures Google DNS (8.8.8.8) as primary and Cloudflare DNS (1.1.1.1) as secondary.
Step 2: Enable DNS for LAN Clients
Allow devices on your network to use the router as their DNS server:

```
/ip dns set allow-remote-requests=yes
```

Security
Enabling allow-remote-requests opens UDP/TCP port 53 on ALL interfaces. You MUST add firewall rules to block external DNS access, or your router becomes an open DNS resolver that attackers can abuse.
Step 3: Add Firewall Protection
Block DNS queries from the WAN interface:

```
/ip firewall filter add chain=input protocol=udp dst-port=53 \
    in-interface-list=WAN action=drop comment="Block external DNS"
/ip firewall filter add chain=input protocol=tcp dst-port=53 \
    in-interface-list=WAN action=drop comment="Block external DNS TCP"
```

If you don’t use interface lists, specify your WAN interface directly:

```
/ip firewall filter add chain=input protocol=udp dst-port=53 \
    in-interface=ether1 action=drop comment="Block external DNS"
```

Step 4: Configure DHCP to Distribute DNS

Ensure DHCP clients receive the router as their DNS server:

```
/ip dhcp-server network set [find] dns-server=192.168.88.1
```

Replace 192.168.88.1 with your router’s LAN IP address.
Step 5: Verify Configuration
Check DNS settings:

```
/ip dns print
```

Expected output:

```
                      servers: 8.8.8.8,1.1.1.1
              dynamic-servers:
               use-doh-server:
              verify-doh-cert: no
        allow-remote-requests: yes
          max-udp-packet-size: 4096
         query-server-timeout: 2s
          query-total-timeout: 10s
       max-concurrent-queries: 100
  max-concurrent-tcp-sessions: 20
                   cache-size: 2048KiB
                cache-max-ttl: 1w
                   cache-used: 42KiB
```

Test DNS resolution:

```
/ping google.com count=1
```

Static DNS Entries
Static DNS entries let you create local hostnames that resolve to specific IP addresses.

Adding Static Entries

Create entries for local resources:

```
/ip dns static add name=nas.local address=192.168.88.50 comment="Network storage"
/ip dns static add name=printer.local address=192.168.88.51 comment="Office printer"
/ip dns static add name=server.local address=192.168.88.100 comment="Local server"
```

Wildcard Entries
Use a regular expression for wildcard matching. A regexp entry uses the regexp parameter in place of name (the two are alternatives); the backslash before the dot and the dollar sign are escaped for the RouterOS terminal:

```
/ip dns static add regexp=".*\\.local\$" type=FWD forward-to=192.168.88.100 \
    comment="Forward all .local to server"
```

View Static Entries
```
/ip dns static print
```

Expected output:

```
Flags: D - DYNAMIC; X - DISABLED, I - INVALID; M - MATCH-SUBDOMAINS
Columns: NAME, ADDRESS, TTL
#  NAME           ADDRESS         TTL
0  nas.local      192.168.88.50   1d
1  printer.local  192.168.88.51   1d
2  server.local   192.168.88.100  1d
```

Test Static Entry

```
/ping nas.local count=1
```

Cache Management
View Cache Statistics

```
/ip dns print
```

Check cache-used to see current cache utilization.

View Cached Entries

```
/ip dns cache print
```

Flush DNS Cache

Clear all cached entries:

```
/ip dns cache flush
```

Adjust Cache Size

For networks with many clients or heavy DNS usage:

```
/ip dns set cache-size=8192KiB
```

Advanced Configuration
DNS over HTTPS (DoH)

RouterOS 7.x supports DNS over HTTPS for encrypted DNS queries:

```
/ip dns set use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes
```

Increase Cache TTL

Keep entries cached longer (reduces external queries but may serve stale data):

```
/ip dns set cache-max-ttl=2w
```

Query Timeouts

Adjust timeouts for slow upstream servers:

```
/ip dns set query-server-timeout=5s query-total-timeout=15s
```

Troubleshooting
Problem 1: LAN Clients Cannot Resolve DNS

Symptoms: Clients get “DNS server not responding” errors.
Checks:

```
/ip dns print
# Verify allow-remote-requests=yes
```

Solutions:
- Enable remote requests:
/ip dns set allow-remote-requests=yes
- Verify DHCP is distributing the router as DNS:
/ip dhcp-server network print
- Check firewall isn’t blocking internal DNS:
/ip firewall filter print where dst-port=53
Problem 2: Router Cannot Resolve External Domains
Symptoms: /ping google.com fails with “could not resolve”.
Checks:

```
/ip dns print
# Check servers field has valid DNS IPs
/ping 8.8.8.8 count=1
# Verify upstream connectivity
```

Solutions:
- Set upstream DNS servers:
/ip dns set servers=8.8.8.8,1.1.1.1
- Check internet connectivity and routing
- If using DoH, verify certificate settings (verify-doh-cert=no disables validation of the DoH server’s certificate; use it only to confirm that the certificate is the problem, then import the CA certificate and re-enable verification):
/ip dns set verify-doh-cert=no
Problem 3: Static Entry Not Working
Symptoms: Local hostname doesn’t resolve despite static entry.
Checks:

```
/ip dns static print
# Verify entry exists with correct name/address
```

Solutions:
- Verify exact name match (check for typos)
- Flush cache and retry:
/ip dns cache flush
- Ensure client is using router as DNS server
- Check for conflicting entries:
/ip dns static print where name~"hostname"
Problem 4: DNS Amplification Attack
Symptoms: High CPU, bandwidth usage; router responding to external DNS queries.

Security Issue

If your router is answering DNS queries from the internet, it’s being used in DNS amplification attacks. This is a serious security issue.
Solution: Add firewall rules immediately:

```
/ip firewall filter add chain=input protocol=udp dst-port=53 \
    in-interface-list=WAN action=drop place-before=0
/ip firewall filter add chain=input protocol=tcp dst-port=53 \
    in-interface-list=WAN action=drop place-before=1
```

Problem 5: Slow DNS Resolution
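To confirm from an export of the router that the exposure described in Step 3 and in this problem is actually closed, here is an added Python audit (not part of the guide or of RouterOS) that reads export-style text and reports whether allow-remote-requests=yes is paired with WAN drop rules for both udp/53 and tcp/53; the sample export is constructed, and the WAN interface name ether1 is an assumption.

```python
import shlex

# Constructed sample in "/export" style (the same key=value form the guide's
# commands use): DNS is open to clients, but only udp/53 is dropped on WAN.
SAMPLE_EXPORT = """\
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip firewall filter
add action=drop chain=input comment="Block external DNS" dst-port=53 \\
    in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Allow LAN" in-interface-list=LAN
"""

def parse_export(text):
    """Parse export-style text into (dns_settings, firewall_rules)."""
    dns, rules, section = {}, [], None
    for raw in text.replace("\\\n", " ").splitlines():  # join continued lines
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):          # menu path, e.g. "/ip firewall filter"
            section = line
            continue
        words = shlex.split(line)         # shlex keeps quoted comments intact
        kv = dict(w.split("=", 1) for w in words[1:] if "=" in w)
        if section == "/ip dns" and words[0] == "set":
            dns.update(kv)
        elif section == "/ip firewall filter" and words[0] == "add":
            rules.append(kv)
    return dns, rules

def wan_dns_drop_protocols(rules, wan_iface="ether1"):
    """Protocols for which an input-chain drop of dst-port 53 from WAN exists."""
    covered = set()
    for r in rules:
        from_wan = (r.get("in-interface-list") == "WAN"
                    or r.get("in-interface") == wan_iface)   # assumed WAN port
        if (r.get("chain") == "input" and r.get("action") == "drop"
                and r.get("dst-port") == "53" and from_wan):
            covered.add(r.get("protocol"))
    return covered

def audit(text, wan_iface="ether1"):
    """List findings; an empty list means port 53 is not reachable from WAN."""
    dns, rules = parse_export(text)
    if dns.get("allow-remote-requests") != "yes":
        return []                          # resolver not offered to clients
    missing = {"tcp", "udp"} - wan_dns_drop_protocols(rules, wan_iface)
    return [f"allow-remote-requests=yes but no WAN input drop for {p}/53" for p in sorted(missing)]
```

The audit does not check rule order: a drop rule that sits below an earlier input rule accepting the same traffic never fires, which is why the commands above use place-before=0.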
Symptoms: Websites take a long time to load initially.
Checks:

```
/ip dns print
# Check cache-used vs cache-size
```

Solutions:
- Increase cache size:
/ip dns set cache-size=8192KiB
- Use faster upstream DNS (try Cloudflare 1.1.1.1)
- Check upstream server response time:
/tool traceroute 8.8.8.8
Verification Commands
```
# Show DNS configuration
/ip dns print

# List static entries
/ip dns static print

# Show cached entries
/ip dns cache print

# Test resolution from router
/ping hostname.example.com count=1

# Check cache usage
/ip dns print where cache-used
```

Related Topics
Prerequisites
- IP Address Configuration - router LAN IP for DNS server

DNS Distribution
- DHCP Server - distribute DNS settings to clients automatically
- DHCP Relay - DNS option passed through relay

Security
- Firewall Basics - protect DNS service from external access
- Firewall Mangle - redirect DNS queries

Related Services
- NTP Client - time synchronization (DNS depends on correct time for DoH)
- Certificates - required for DNS over HTTPS

Reference

Official Documentation
- MikroTik DNS Documentation - Complete DNS reference
- MikroTik DoH Guide - DNS over HTTPS configuration

Quick Reference Commands

```
# Configure DNS
/ip dns set servers=8.8.8.8,1.1.1.1 allow-remote-requests=yes

# Static entries
/ip dns static add name=X address=Y
/ip dns static remove [find name=X]
/ip dns static print

# Cache management
/ip dns cache print
/ip dns cache flush

# Diagnostics
/ip dns print
/ping hostname
```

Summary
DNS server configuration involves:
- Set upstream servers - Configure which DNS servers handle external queries
- Enable for LAN - Set allow-remote-requests=yes
- Secure the service - Block external access with firewall rules
- Configure DHCP - Distribute router as DNS to clients
- Add static entries - Create local hostname mappings as needed
Key points:
- Always add firewall rules when enabling allow-remote-requests
- Static entries take precedence over cached/upstream results
- Flush cache after making changes or when troubleshooting
- Consider DoH for encrypted DNS queries (RouterOS 7.x)