Tuesday, February 2, 2010

Mikrotik RouterOS and domain (active directory) DNS requests forwarding

I'm using a Mikrotik router at home, with an RB150 constantly handling the connection to the provider (PPPoE) and to my office (VPN over the internet).
However, since the router is using the provider's DNS, it is not possible to work with shared folders or perform any other domain tasks (while office IPs are readily accessible). Anything using Active Directory will fail, since no computer at home will be able to resolve the domain controllers.

How to fix this:
1. added a layer7 matcher for \x06\x5Fmsdcs\x08mydomain\x03com
(you need to replace mydomain.com with your own domain name).
Each domain part is preceded by \x and the number of characters in hex; \x5F is the _ symbol.
Whenever a computer tries to find Active Directory servers, it requests multiple DNS records, all ending with _msdcs.yourdomain.com.

/ip firewall layer7-protocol
add comment="" name=activedirectory regexp=\
    "\\x06\\x5Fmsdcs\\x06itsoft\\x02by"


2. added a mangle rule to mark DNS request packets that match our layer7 rule and have our DNS server as destination

/ip firewall mangle
add action=mark-packet chain=prerouting comment="" disabled=no dst-address=\
    192.168.0.200 dst-port=53 layer7-protocol=activedirectory \
    new-packet-mark=activedirectory passthrough=yes protocol=udp


3. added a dst-nat rule to route the Active Directory specific requests to the actual domain server

/ip firewall nat
add action=dst-nat chain=dstnat comment=\
    "forward active directory DNS requests" disabled=no dst-port=53 \
    packet-mark=activedirectory protocol=udp to-addresses=10.10.0.201 \
    to-ports=53
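As an added example (not part of the original post), the Python below builds the layer7 regexp from a domain name the same way the post describes (length byte per label, \xNN escapes) and, from the other side, parses a constructed DNS query to check whether its question name ends in _msdcs.<domain>, i.e. whether the mangle and dst-nat rules above would redirect it. The function names and the sample query name are assumptions; the wire format is standard DNS.

```python
import struct

def split_labels(name: str) -> list:
    """Split a DNS name into labels, enforcing the 1..63 byte label limit."""
    labels = name.strip(".").split(".")
    for label in labels:
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad DNS label: {label!r}")
    return labels

def dns_labels(name: str) -> bytes:
    """Wire-format labels (length byte + label), without the trailing root byte.
    These bytes appear verbatim in the UDP payload, which is what layer7 matches."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in split_labels(name))

def layer7_regexp(domain: str) -> str:
    """RouterOS layer7 regexp for '_msdcs.<domain>' in the form the post uses:
    every length byte and non-alphanumeric as \\xNN, letters and digits literal.
    A RouterOS export shows the backslashes doubled, as in the page's config."""
    out = []
    for label in split_labels("_msdcs." + domain):
        out.append(f"\\x{len(label):02X}")
        out.append("".join(c if c.isalnum() else f"\\x{ord(c):02X}" for c in label))
    return "".join(out)

def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Constructed DNS query (header + one question), e.g. the SRV lookup a domain
    member sends while locating a domain controller. Sample data, not a capture."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    return header + dns_labels(qname) + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_qname(payload: bytes) -> str:
    """Return the first question name of a DNS message (questions are not compressed)."""
    pos, labels = 12, []
    while payload[pos] != 0:
        length = payload[pos]
        if length & 0xC0:
            raise ValueError("compression pointer inside question section")
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)

def is_ad_locator_query(payload: bytes, domain: str) -> bool:
    """True when the question name is _msdcs.<domain> or anything below it,
    i.e. a request the mangle and dst-nat rules redirect to the domain controller."""
    target = ("_msdcs." + domain).lower()
    qname = parse_qname(payload).lower()
    return qname == target or qname.endswith("." + target)
```

Running layer7_regexp("itsoft.by") reproduces the regexp from the config above (single backslashes; the export doubles them).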


That's all. It works, at least in my particular configuration.
Maybe there are easier solutions, but I wasn't able to find any.
