DNS
Summary
The DNS (Domain Name System) feature in RouterOS provides both a DNS resolver for the router itself and the ability to serve DNS queries to network clients. The DNS resolver supports traditional UDP/TCP DNS queries as well as DNS over HTTPS (DoH) for enhanced privacy and security.
This documentation covers the /ip dns menu configuration, including static DNS entries, dynamic cache management, and DNS over HTTPS (DoH) settings for secure DNS resolution.
Command Path
The main DNS configuration is located at:
- DNS Settings: /ip dns
DNS Settings
The DNS settings menu controls how the router resolves domain names and serves DNS to network clients.
Basic Configuration
```
/ip dns set server=8.8.8.8,1.1.1.1 allow-remote-requests=yes
```
server (string; Default: )
Specifies the IP addresses of upstream DNS servers. Multiple servers can be specified as a comma-separated list. The router will query these servers when resolving domain names.
allow-remote-requests (yes | no; Default: no)
Controls whether the router accepts DNS queries from network clients. When enabled, the router acts as a DNS server for the network, resolving queries using its configured DNS servers and serving responses from its DNS cache.
Static DNS Entries
Static DNS entries allow you to define custom hostname-to-IP mappings that take precedence over upstream DNS responses.
```
/ip dns static add address=192.168.88.1 name=router.lan
/ip dns static add address=10.0.0.1 name=server.local
/ip dns static add address=::1 name=localhost
```
Common Static Entry Queries
Common use cases for static DNS entries:
| Query Type | Example |
|---|---|
| Local router | router.local, router.lan, router |
| Network devices | printer.local, NAS, cam.local |
| Internal services | mail.internal, fileserver.local, homeassistant.local |
| IPv6 localhost | localhost (::1) |
View all static entries:
```
/ip dns static print
```
Remove a static entry:
```
/ip dns static remove [find name="router.lan"]
```
Dynamic DNS Cache
The router maintains a cache of recently resolved DNS queries. View the cache with:
```
/ip dns cache print
```
Clear the DNS cache:
```
/ip dns cache flush
```
DNS over HTTPS (DoH)
DNS over HTTPS (DoH) encrypts DNS queries using the HTTPS protocol, providing improved privacy and security by preventing eavesdropping on and manipulation of DNS traffic.
```
/ip dns set use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes
```
use-doh-server (string; Default: )
Specifies the URL of the DNS over HTTPS server. When configured, the router will use HTTPS to resolve DNS queries instead of traditional UDP/TCP DNS.
verify-doh-cert (yes | no; Default: yes)
Controls whether the router verifies the SSL certificate of the DoH server. When enabled, the router validates the DoH server’s certificate to ensure secure communication.
DoH Provider URL Examples
The following are common DNS over HTTPS provider URLs:
| Provider | DoH URL |
|---|---|
| Cloudflare | https://cloudflare-dns.com/dns-query |
| Google | https://dns.google/dns-query |
| Quad9 | https://dns.quad9.net/dns-query |
Cloudflare DoH Example
```
/ip dns set server=8.8.8.8 use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes
```
Google DoH Example
```
/ip dns set server=8.8.4.4 use-doh-server=https://dns.google/dns-query verify-doh-cert=yes
```
Quad9 DoH Example
```
/ip dns set server=9.9.9.9 use-doh-server=https://dns.quad9.net/dns-query verify-doh-cert=yes
```
Practical Examples
Basic DNS Server for Network
Configure the router as a DNS server for your network:
```
/ip dns set allow-remote-requests=yes server=8.8.8.8,1.1.1.1
/ip dns static add address=192.168.88.1 name=router.local
/ip dns static add address=192.168.88.10 name=printer.local
```
DNS over HTTPS with Certificate Verification
Enable encrypted DNS resolution using Cloudflare’s DoH service:
```
/ip dns set allow-remote-requests=yes use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes
```
Dual Stack DNS with DoH
Configure DNS servers for both IPv4 and IPv6 with DoH:
```
/ip dns set server=8.8.8.8,2001:4860:4860::8888 use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes
```
Security Considerations
DNS Amplification Protection
Enabling allow-remote-requests=yes configures the router to act as a recursive DNS resolver for network clients. This is useful for local DNS caching, but it also exposes the router to being used in DNS amplification attacks, in which an attacker abuses the open DNS service to amplify traffic toward a victim.
The router’s built-in firewall does not protect against amplification attacks. You must add explicit firewall rules to rate-limit DNS responses.
Option 1: Rate-limit DNS responses (recommended if you need DNS caching)
```
# Allow DNS queries with rate limiting to prevent amplification
/ip firewall filter add chain=input protocol=udp dst-port=53 \
    action=accept limit=50/1s,100 log=yes \
    log-prefix="DNS_RateLimit"
# Drop excess DNS queries that exceed the rate limit
/ip firewall filter add chain=input protocol=udp dst-port=53 \
    action=drop log=yes log-prefix="DNS_Drop_Overflow"
# Allow established/related connections. Rules are evaluated top-down, so keep
# the two DNS rules ahead of this one: repeat queries from the same client socket
# are marked "established" by connection tracking and would otherwise bypass the limit.
/ip firewall filter add chain=input connection-state=established,related action=accept
```
Option 2: Disable remote requests (if you don’t need DNS caching)
If you only need DNS for the router itself and not for network clients, disable remote requests:
```
/ip dns set allow-remote-requests=no
```
This is the most secure option, as it prevents the router from being used in amplification attacks entirely.
Why Rate Limiting Matters
DNS amplification works as follows:
- Attacker sends a small DNS query to your router with a spoofed source IP (the victim’s IP)
- Router responds with a much larger DNS response to the victim
- Victim receives the amplified traffic, causing a DoS
Rate limiting caps how many responses your router will send per second, making it ineffective as an amplification reflector.
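As an added example (not part of the RouterOS documentation or this page), the following Python script parses the firewall log lines that the two log=yes rules in Option 1 produce and separates LAN clients that merely hit the limit from external sources that tripped the drop rule. The sample log lines are constructed, and the script assumes ether1 is the WAN interface.

```python
import re
from collections import defaultdict

# Constructed sample lines (not captured traffic) in the shape RouterOS logs for the
# two rules above: "<date> <time> firewall,info <log-prefix> <chain>: in:<iface> ...".
SAMPLE_LOG = """\
jan/02 10:00:00 firewall,info DNS_RateLimit input: in:ether1 out:(unknown 0), proto UDP, 198.51.100.7:41000->192.0.2.1:53, len 70
jan/02 10:00:00 firewall,info DNS_Drop_Overflow input: in:ether1 out:(unknown 0), proto UDP, 198.51.100.7:41001->192.0.2.1:53, len 70
jan/02 10:00:00 firewall,info DNS_Drop_Overflow input: in:ether1 out:(unknown 0), proto UDP, 198.51.100.7:41002->192.0.2.1:53, len 70
jan/02 10:00:01 firewall,info DNS_Drop_Overflow input: in:ether1 out:(unknown 0), proto UDP, 203.0.113.9:53000->192.0.2.1:53, len 64
jan/02 10:00:01 firewall,info DNS_RateLimit input: in:bridge out:(unknown 0), proto UDP, 192.168.88.20:51000->192.168.88.1:53, len 58
jan/02 10:00:02 system,info dns cache flushed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) firewall,info (?P<prefix>DNS_RateLimit|DNS_Drop_Overflow) input: "
    r"in:(?P<iface>\S+) .*?proto UDP, (?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):53, len (?P<len>\d+)$"
)

def parse_dns_firewall_log(text):
    """Return one dict per line carrying either DNS log prefix; other log lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["len"] = int(ev["len"])
            events.append(ev)
    return events

def per_source_counts(events):
    """Map source IP -> {iface, accepted, dropped}; accepted = DNS_RateLimit, dropped = DNS_Drop_Overflow."""
    stats = defaultdict(lambda: {"iface": None, "accepted": 0, "dropped": 0})
    for ev in events:
        s = stats[ev["src"]]
        s["iface"] = ev["iface"]
        s["accepted" if ev["prefix"] == "DNS_RateLimit" else "dropped"] += 1
    return dict(stats)

def reflection_candidates(events, wan_ifaces=("ether1",)):
    """WAN-side sources that tripped the drop rule (ether1 as WAN is an assumption).

    LAN clients should only ever appear under DNS_RateLimit; an external address that
    reaches DNS_Drop_Overflow is sending more than the limit allows, the pattern of a
    reflection attempt. The limit contains it; dropping UDP/53 from WAN avoids it entirely."""
    stats = per_source_counts(events)
    return sorted(src for src, s in stats.items() if s["iface"] in wan_ifaces and s["dropped"] > 0)
```

Feed it the output of /log print where the two log prefixes appear; any address returned by reflection_candidates is one the router is answering from the WAN side.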
Troubleshooting
Verify DNS Resolution
Test DNS resolution from the router:
```
/ping google.com
```
Or use the DNS lookup tool:
```
/tool dns-lookup name=google.com
```
To specify a custom server:
```
/tool dns-lookup name=example.com server=8.8.8.8
```
Note: the scripting expression
```
[:resolve name=example.com]
```
is only available inside RouterOS scripts and scheduled tasks; it cannot be used as a bare CLI command.
Check DNS Cache
View cached DNS entries:
```
/ip dns cache print
```
View DNS Settings
Display current DNS configuration:
```
/ip dns print
```
Common Issues
DNS queries not resolving
- Verify the upstream DNS server addresses are correct
- Check network connectivity to the DNS servers
- Ensure firewall is not blocking DNS traffic (port 53)
DoH not working
- Confirm the use-doh-server URL is correct
- Ensure verify-doh-cert=yes is set for secure connections
- Check that the router has HTTPS (port 443) outbound access
Related Features
- DHCP Server - DNS servers are often distributed via DHCP (/ip dhcp-server network)
- Firewall NAT - DNS traffic can be redirected for transparent DNS filtering
- IP Settings - Kernel-level network configuration (/ip settings)
References
- RFC 8484 - DNS Queries over HTTPS (DoH)
- Cloudflare DoH Documentation
- Google DoH Documentation
- Quad9 DoH Documentation