Mikrotik DNS Redirect

Recently, we needed to check if any computers inside of a given network were configured to use OpenDNS servers. In our case, the router (10.10.100.1) is acting as a DNS cache and configured to query upstream DNS servers. What we want to do is first catch any internal IP address using OpenDNS IP addresses (208.67.222.222 or 208.67.220.220) and then place them into a list for tracking purposes. The first two rules look for outbound traffic to OpenDNS IP’s and dynamically add the internal LAN IP making the request(s) to a list (‘OpenDNS Client 222’ or ‘OpenDNS Client 220’):

[sourcecode language=”plain”]/ip firewall nat

add action=add-src-to-address-list address-list=OpenDNS address-list-timeout=0s chain=dstnat comment="OpenDNS Clients 222" disabled=no dst-address=208.67.222.222

add action=add-src-to-address-list address-list=OpenDNS address-list-timeout=0s chain=dstnat comment="OpenDNS Clients 220" disabled=no dst-address=208.67.220.220[/sourcecode]

Next, we redirect DNS queries (both UDP and TCP) to our router’s IP address:

[sourcecode language=”plain”]add action=dst-nat chain=dstnat comment="Redirect OpenDNS 222 TCP" disabled=no dst-address=208.67.222.222 dst-port=53 protocol=tcp to-addresses=10.10.100.1 to-ports=53

add action=dst-nat chain=dstnat comment="Redirect OpenDNS 222 UDP" disabled=no dst-address=208.67.222.222 dst-port=53 protocol=udp to-addresses=10.10.100.1 to-ports=53

add action=dst-nat chain=dstnat comment="Redirect OpenDNS 220 TCP" disabled=no dst-address=208.67.220.220 dst-port=53 protocol=tcp to-addresses=10.10.100.1 to-ports=53

add action=dst-nat chain=dstnat comment="Redirect OpenDNS 220 UDP" disabled=no dst-address=208.67.220.220 dst-port=53 protocol=udp to-addresses=10.10.100.1 to-ports=53[/sourcecode]

This example can be modified to fit other circumstances. For example, we used a similar rule-set to catch and redirect computers infected by the DNSChanger Trojan.