Tuesday, 22 April 2025
Upgrading to the Mikrotik RouterBoard RB2011, Part 3 - DNS
This is Part 3 of my RB2011 series - if you want to start from the start, [here's Part 1](https://blog.themillhousegroup.com/2025/01/upgrading-to-mikrotik-routerboard.html). You can find the [whole series here](https://blog.themillhousegroup.com/search/label/routerboard).
We're part-way through replacing the `dnsmasq` instance on the Raspberry Pi (which does DHCP, DNS and ad-blocking via Pi-Hole-style `0.0.0.0` resolution).
To minimise interruption to network users, we're doing this in a staged manner, gradually moving services over to the RB2011. DHCP is [done](https://blog.themillhousegroup.com/2025/03/upgrading-to-mikrotik-routerboard.html) so we now have the Routerboard providing leases to everyone, but the lease points back to the Pi for DNS. We'll set up DNS now, because _local-device_ name resolution will actually be in a bit of a mess (i.e. it won't work at all) - let's fix that!
### DNS on RouterOS v7
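The [Mikrotik DNS server](https://help.mikrotik.com/docs/spaces/ROS/pages/37748767/DNS) is pretty straightforward to configure. All we have to do is set the upstream DNS server (the ISP router) and allow the RB2011 to answer DNS requests from other hosts. Note that `allow-remote-requests=yes` makes the router answer queries arriving on any interface, so port 53 should only be reachable from the LAN: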
```
[admin@MikroTik] > /ip/dns/set servers=10.240.0.1
[admin@MikroTik] > /ip/dns/set allow-remote-requests=yes 
```
Then we change our global DHCP server config to start serving the RB2011 as the DNS server:
```
[admin@MikroTik] > /ip/dhcp-server/network/set numbers=0 dns-server=10.240.0.11 
```
We should also add a manual entry for the Raspberry Pi, which used to "just know" its own address but now we need to be explicit:
```
[admin@MikroTik] > /ip/dns/static/add name=pi1 address=10.240.0.200 ttl=9000 
```
And also, the Pi needs to be told to use the RB2011 for DNS now:
*`/etc/resolv.conf`:*
```
# Use the Mikrotik RouterBoard RB2011:
nameserver 10.240.0.11
```
Whew!
As DHCP clients get their new DNS settings (or you can force-renew one if you're impatient) you'll see the _IP_ -> _DNS_ -> _Cache_ page in the web UI start to fill up. Mostly with absolute crap, but that's t'Internet for you...
### Adlist functionality
For me, the key advantage of running my own DNS server is ad-blocking via the Pi-Hole or ["DNS sinkhole"](https://en.wikipedia.org/wiki/DNS_Sinkhole) mechanism - in short, DNS requests for known ad-serving domains get the answer `0.0.0.0` which stops resolution in its tracks. RouterOS has full support for this, and it even uses the same format for the blocked-domain list as [Pi-Hole](https://docs.pi-hole.net/database/gravity/#adlist-table-adlist) so the transition from the Pi couldn't be easier.
I like to use my own "curated" adlist as _sometimes_ it's useful to be able to comment-out a line, when it turns out certain extremely-annoying apps actually *need* access to one of those spammy domains. To do this, _push_ your adlist file from the Pi onto the RB2011 using `scp`:
```
pi $ scp /etc/dnsmasq.blockfiles/dnsmasq.blocklist.txt admin@mikrotik:adlist.txt
```
And enable it in the RB2011:
```
[admin@MikroTik] > /ip/dns/adlist/add file=adlist.txt 
```
And that's it! Allow some time for all the DHCP clients to get told about their new DNS settings, and then we can turn off `dnsmasq` on the Pi for good!
```
pi $ sudo service dnsmasq stop
```
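An added example, not from the original post: a pre-flight check to run on the Pi before pushing the curated adlist with `scp`. It assumes the hosts-style `0.0.0.0 domain` line layout with `#` comments, and a hypothetical `protected` list of local names (such as `pi1`) that must never end up blocked; the sample list is constructed.

```python
import re

# Constructed sample in the assumed hosts-style "0.0.0.0 domain" layout.
SAMPLE = """\
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net   # inline note
#0.0.0.0 needed-by-app.example.org
0.0.0.0 ads.example.com
10.240.0.66 login.example.com
0.0.0.0 bad_host!.example
0.0.0.0 pi1
"""

SINK = "0.0.0.0"  # the sinkhole answer described in the post
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def valid_name(name):
    """True if name is a syntactically valid DNS hostname."""
    name = name.rstrip(".")
    return 0 < len(name) <= 253 and all(LABEL.match(part) for part in name.split("."))

def lint_adlist(text, protected=("pi1",)):
    """Return (blocked_domains, problems); problems are (line_number, message)."""
    blocked, problems, seen = [], [], set()
    keep = {p.lower() for p in protected}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drops comments and commented-out entries
        if not line:
            continue
        addr, *names = line.split()
        if addr != SINK:
            problems.append((lineno, "address is not the sinkhole address"))
            continue
        if not names:
            problems.append((lineno, "no domain after address"))
        for name in (n.lower() for n in names):
            if not valid_name(name):
                problems.append((lineno, f"invalid hostname {name!r}"))
            elif name in keep:
                problems.append((lineno, f"protected name {name!r} is on the blocklist"))
            elif name in seen:
                problems.append((lineno, f"duplicate {name!r}"))
            else:
                seen.add(name)
                blocked.append(name)
    return blocked, problems

if __name__ == "__main__":
    print(lint_adlist(SAMPLE))
```

An empty `problems` list means every active line is a well-formed sinkhole entry; anything else is worth fixing before the file goes to the router.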
P.S. don't forget to `/system/backup/save` again on the RB2011!

