MikroTik RouterOS Docs

DNS Server Configuration

Enable DNS server for LAN clients:

/ip dns set servers=8.8.8.8,1.1.1.1 allow-remote-requests=yes

Add a static DNS entry:

/ip dns static add name=server.local address=192.168.88.100

Verify configuration:

/ip dns print
/ping server.local

What this covers: Configuring your MikroTik router as a DNS server for your local network, including caching and static entries.

When to use this:

  • You want LAN devices to use the router for DNS resolution
  • You need local hostname mappings (e.g., printer.local, nas.local)
  • You want to reduce external DNS queries through caching
  • You want faster DNS resolution for frequently accessed domains

How it works:

  1. Router receives DNS queries from LAN clients
  2. Checks local static entries first
  3. Checks cache for previously resolved queries
  4. Forwards unknown queries to upstream DNS servers
  5. Caches responses for future queries
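The five steps above as a small Python model, added here as an example (it is not RouterOS code and not part of this page's original content). It also shows the static-entry precedence and the cache-max-ttl cap that the cache settings later on this page describe. The static table, the per-server answers (documentation-range addresses) and the ManualClock are constructed for the example; using Python's re as a stand-in for the RouterOS regexp matcher is an assumption.

```python
"""Toy model of the resolution order: static entries, then cache, then upstream,
with answers cached under a cache-max-ttl cap.  Example code added to this page."""
import re
import time

# Static entries in RouterOS listing order; the first matching entry wins.
# Constructed to mirror the entries configured later on this page.
STATIC_ENTRIES = [
    {"name": "nas.local", "address": "192.168.88.50"},
    {"name": "printer.local", "address": "192.168.88.51"},
    {"name": "server.local", "address": "192.168.88.100"},
    # Equivalent of: name=".*\\.local\$" type=FWD forward-to=192.168.88.100 regexp=yes
    {"name": r".*\.local$", "regexp": True, "forward_to": "192.168.88.100"},
]

# Constructed answers each server would return: {name: (address, ttl_seconds)}.
# Addresses are from the RFC 5737 documentation ranges; nothing here is a real lookup.
SERVERS = {
    "8.8.8.8": {"example.com": ("203.0.113.10", 86400)},
    "1.1.1.1": {"example.com": ("203.0.113.10", 86400)},
    "192.168.88.100": {"wiki.local": ("192.168.88.20", 3600)},
}


class ManualClock:
    """Clock advanced by hand so TTL expiry can be shown deterministically."""
    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class Resolver:
    def __init__(self, static_entries, servers, upstream_order, cache_max_ttl, clock=time.time):
        self.static_entries = static_entries
        self.servers = servers
        self.upstream_order = list(upstream_order)  # the `servers=` list, tried in order
        self.cache_max_ttl = cache_max_ttl          # cache-max-ttl in seconds (1w = 604800)
        self.clock = clock
        self.cache = {}                             # name -> (address, expires_at)
        self.stats = {"static": 0, "cache": 0, "upstream": 0, "forward": 0, "nxdomain": 0}

    def _match_static(self, name):
        # Step 2: exact names match literally; regexp entries use an unanchored search
        # (assumption: Python's re stands in for the RouterOS matcher).
        for entry in self.static_entries:
            if entry.get("regexp"):
                if re.search(entry["name"], name):
                    return entry
            elif entry["name"] == name:
                return entry
        return None

    def _ask(self, server_list, name):
        for server in server_list:                  # next server only if this one has no answer
            answer = self.servers.get(server, {}).get(name)
            if answer:
                return answer
        return None

    def resolve(self, name):
        """Return (address, source); source names the step that answered the query."""
        name = name.rstrip(".").lower()             # Step 1: query arrives from a LAN client
        entry = self._match_static(name)
        if entry and "address" in entry:            # Step 2: a static A record answers directly
            self.stats["static"] += 1
            return entry["address"], "static"
        now = self.clock()
        cached = self.cache.get(name)
        if cached and cached[1] > now:              # Step 3: unexpired cache entry
            self.stats["cache"] += 1
            return cached[0], "cache"
        if entry and "forward_to" in entry:         # Step 4a: a static FWD entry picks the server
            source, answer = "forward", self._ask([entry["forward_to"]], name)
        else:                                       # Step 4b: otherwise the upstream list
            source, answer = "upstream", self._ask(self.upstream_order, name)
        if answer is None:
            self.stats["nxdomain"] += 1
            return None, "nxdomain"
        address, ttl = answer                       # Step 5: cache, TTL capped by cache-max-ttl
        self.cache[name] = (address, now + min(ttl, self.cache_max_ttl))
        self.stats[source] += 1
        return address, source

    def flush(self):
        """Equivalent of `/ip dns cache flush`."""
        self.cache.clear()


def demo(cache_max_ttl=600):
    """Walk a few queries through the resolver; returns a list of (name, address, source)."""
    clock = ManualClock()
    resolver = Resolver(STATIC_ENTRIES, SERVERS, ["8.8.8.8", "1.1.1.1"], cache_max_ttl, clock)
    trace = []
    for name in ["nas.local", "wiki.local", "wiki.local", "example.com", "example.com"]:
        trace.append((name,) + resolver.resolve(name))
    clock.advance(cache_max_ttl + 1)               # upstream said 86400s, but the cap expired it
    trace.append(("example.com",) + resolver.resolve("example.com"))
    resolver.flush()                                # a flush forces the next query upstream
    trace.append(("example.com",) + resolver.resolve("example.com"))
    return trace


if __name__ == "__main__":
    for name, address, source in demo():
        print(f"{name:14} {address!s:16} via {source}")
```

Running the block prints one line per query; the sixth query goes upstream again even though the upstream TTL was a day, because cache-max-ttl (600 s here) capped the cached lifetime, and the seventh goes upstream because of the flush.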

Prerequisites:

  • A MikroTik router running RouterOS 6.x or later
  • Working internet connection with upstream DNS access
  • Basic understanding of IP addressing

Set the DNS servers your router will use for resolution:

/ip dns set servers=8.8.8.8,1.1.1.1

This configures Google DNS (8.8.8.8) as primary and Cloudflare DNS (1.1.1.1) as secondary.

Allow devices on your network to use the router as their DNS server:

/ip dns set allow-remote-requests=yes

Security

Enabling allow-remote-requests opens UDP/TCP port 53 on ALL interfaces. You MUST add firewall rules to block external DNS access, or your router becomes an open DNS resolver that attackers can abuse.

Block DNS queries from the WAN interface:

/ip firewall filter add chain=input protocol=udp dst-port=53 \
in-interface-list=WAN action=drop comment="Block external DNS"
/ip firewall filter add chain=input protocol=tcp dst-port=53 \
in-interface-list=WAN action=drop comment="Block external DNS TCP"

If you don’t use interface lists, specify your WAN interface directly:

/ip firewall filter add chain=input protocol=udp dst-port=53 \
in-interface=ether1 action=drop comment="Block external DNS"
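A way to check a saved configuration for the mistake this section warns about, added here as example code (not RouterOS code and not from this page's project): it parses text in the `/export` format and reports when allow-remote-requests=yes is not paired with effective WAN-side drop rules for udp/53 and tcp/53 in the input chain, including the case where a broad accept rule earlier in the chain shadows the drops. The three export snippets are constructed; the handling of trailing-backslash line wrapping and quoted comments follows the export format, and treating any explicit in-interface value as the WAN port is an assumption. The same check is the first thing to run when the open-resolver symptoms listed under troubleshooting appear.

```python
"""Offline check of a RouterOS export: is allow-remote-requests=yes paired with
effective WAN-side drops for port 53?  Example code added to this page."""
import shlex

# --- Constructed sample exports in `/export compact` style (not from a real router) ---
SAFE_EXPORT = """\
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip firewall filter
add action=accept chain=input comment="keep established" connection-state=established,related
add action=drop chain=input comment="Block external DNS" dst-port=53 \\
    in-interface-list=WAN protocol=udp
add action=drop chain=input comment="Block external DNS TCP" dst-port=53 \\
    in-interface-list=WAN protocol=tcp
"""

OPEN_EXPORT = """\
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip firewall filter
add action=accept chain=input connection-state=established,related
"""

SHADOWED_EXPORT = """\
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip firewall filter
add action=accept chain=input comment="too broad" in-interface-list=WAN
add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=udp
add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=tcp
"""


def parse_export(text):
    """Return {menu: [(command, {key: value}), ...]} for the set/add lines of an export."""
    menus, menu, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):            # exports wrap long lines with a trailing backslash
            pending = line[:-1] + " "
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):           # menu path such as /ip firewall filter
            menu = line
            menus.setdefault(menu, [])
            continue
        tokens = shlex.split(line)         # keeps comment="Block external DNS" as one value
        params = dict(tok.partition("=")[::2] for tok in tokens[1:])
        menus.setdefault(menu, []).append((tokens[0], params))
    return menus


# Matchers that narrow an accept rule enough that it is not "accept everything".
CONSTRAINING_KEYS = ("protocol", "dst-port", "connection-state", "src-address", "src-address-list")


def _drops_dns(rule, proto):
    return (rule.get("action") in ("drop", "reject") and rule.get("protocol") == proto
            and "53" in rule.get("dst-port", "").split(","))   # port lists, not ranges


def _wan_scoped(rule):
    # The page uses in-interface-list=WAN or in-interface=<port>; assumption: an explicit
    # in-interface value names the WAN port.
    return rule.get("in-interface-list") == "WAN" or "in-interface" in rule


def _accepts_all_wan_input(rule):
    if rule.get("action") != "accept" or any(k in rule for k in CONSTRAINING_KEYS):
        return False
    scope = rule.get("in-interface-list") or rule.get("in-interface")
    return scope in (None, "WAN")          # unscoped accept, or accept of all WAN input


def audit_dns_exposure(export_text):
    """Return a list of findings; empty means port 53 is closed or filtered towards WAN."""
    menus = parse_export(export_text)
    dns = {}
    for command, params in menus.get("/ip dns", []):
        if command == "set":
            dns.update(params)
    if dns.get("allow-remote-requests") != "yes":
        return []                           # the service is not listening for remote clients
    rules = [p for c, p in menus.get("/ip firewall filter", [])
             if c == "add" and p.get("chain") == "input" and p.get("disabled") != "yes"]
    findings, protected = [], set()
    for index, rule in enumerate(rules):    # rules are evaluated top to bottom
        for proto in ("udp", "tcp"):
            if not _drops_dns(rule, proto):
                continue
            if any(_accepts_all_wan_input(r) for r in rules[:index]):
                findings.append(f"{proto}/53 drop is shadowed by an earlier accept; move it up (place-before)")
                continue
            protected.add(proto)
            if not _wan_scoped(rule):
                findings.append(f"{proto}/53 drop has no interface restriction, so it blocks LAN clients too")
    for proto in ("udp", "tcp"):
        if proto not in protected:
            findings.append(f"allow-remote-requests=yes but no effective {proto}/53 drop from WAN: open resolver")
    return findings


if __name__ == "__main__":
    for label, export in (("safe", SAFE_EXPORT), ("open", OPEN_EXPORT), ("shadowed", SHADOWED_EXPORT)):
        print(label, audit_dns_exposure(export) or ["ok"])
```

Feed it the output of `/export` from the router; the shadowing check matters because a drop rule appended at the end of the input chain does nothing if a broad accept sits above it, which is why the troubleshooting section below inserts the rules with place-before.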

Ensure DHCP clients receive the router as their DNS server:

/ip dhcp-server network set [find] dns-server=192.168.88.1

Replace 192.168.88.1 with your router’s LAN IP address.

Check DNS settings:

/ip dns print

Expected output:

servers: 8.8.8.8,1.1.1.1
dynamic-servers:
use-doh-server:
verify-doh-cert: no
allow-remote-requests: yes
max-udp-packet-size: 4096
query-server-timeout: 2s
query-total-timeout: 10s
max-concurrent-queries: 100
max-concurrent-tcp-sessions: 20
cache-size: 2048KiB
cache-max-ttl: 1w
cache-used: 42KiB

Test DNS resolution:

/ping google.com count=1

Static DNS entries let you create local hostnames that resolve to specific IP addresses.

Create entries for local resources:

/ip dns static add name=nas.local address=192.168.88.50 comment="Network storage"
/ip dns static add name=printer.local address=192.168.88.51 comment="Office printer"
/ip dns static add name=server.local address=192.168.88.100 comment="Local server"

Use regex for wildcard matching. A type=FWD entry forwards every matching query to another DNS server instead of answering it from the router (RouterOS 7.x):

/ip dns static add name=".*\\.local\$" type=FWD forward-to=192.168.88.100 \
regexp=yes comment="Forward all .local to server"

Static entries are matched in list order, so keep the exact-name entries above the regex forwarder.

List static entries:

/ip dns static print

Expected output:

Flags: D - DYNAMIC; X - DISABLED, I - INVALID; M - MATCH-SUBDOMAINS
Columns: NAME, ADDRESS, TTL
# NAME ADDRESS TTL
0 nas.local 192.168.88.50 1d
1 printer.local 192.168.88.51 1d
2 server.local 192.168.88.100 1d

Test a static entry:

/ping nas.local count=1

Check cache usage:

/ip dns print

Check cache-used to see current cache utilization.

List cached entries:

/ip dns cache print

Clear all cached entries:

/ip dns cache flush

For networks with many clients or heavy DNS usage:

/ip dns set cache-size=8192KiB

RouterOS 7.x supports DNS over HTTPS for encrypted DNS queries:

/ip dns set use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes

verify-doh-cert=yes only works if the CA certificate that issued the DoH server's certificate is imported under /certificate and the router's clock is correct (see NTP Client under Related); otherwise DoH queries fail.

Keep entries cached longer (reduces external queries but may serve stale data):

/ip dns set cache-max-ttl=2w

Adjust timeouts for slow upstream servers:

/ip dns set query-server-timeout=5s query-total-timeout=15s

Troubleshooting

Symptoms: Clients get “DNS server not responding” errors.

Checks:

/ip dns print
# Verify allow-remote-requests=yes

Solutions:

  1. Enable remote requests:
    /ip dns set allow-remote-requests=yes
  2. Verify DHCP is distributing the router as DNS:
    /ip dhcp-server network print
  3. Check firewall isn’t blocking internal DNS:
    /ip firewall filter print where dst-port=53

Symptoms: /ping google.com fails with “could not resolve”.

Checks:

/ip dns print
# Check servers field has valid DNS IPs
/ping 8.8.8.8 count=1
# Verify upstream connectivity

Solutions:

  1. Set upstream DNS servers:
    /ip dns set servers=8.8.8.8,1.1.1.1
  2. Check internet connectivity and routing
  3. If using DoH, verify certificate settings. The DoH server's CA certificate must be imported for verify-doh-cert=yes to succeed; to confirm the certificate is the cause, temporarily disable verification:
    /ip dns set verify-doh-cert=no
    Re-enable verification once the certificate is in place.

Symptoms: Local hostname doesn’t resolve despite static entry.

Checks:

/ip dns static print
# Verify entry exists with correct name/address

Solutions:

  1. Verify exact name match (check for typos)
  2. Flush cache and retry:
    /ip dns cache flush
  3. Ensure client is using router as DNS server
  4. Check for conflicting entries:
    /ip dns static print where name~"hostname"

Symptoms: High CPU, bandwidth usage; router responding to external DNS queries.

Security Issue

If your router is answering DNS queries from the internet, it can be abused in DNS amplification attacks. This is a serious security issue.

Solution: Add firewall rules immediately:

/ip firewall filter add chain=input protocol=udp dst-port=53 \
in-interface-list=WAN action=drop place-before=0
/ip firewall filter add chain=input protocol=tcp dst-port=53 \
in-interface-list=WAN action=drop place-before=1

Symptoms: Websites take a long time to load initially.

Checks:

/ip dns print
# Check cache-used vs cache-size

Solutions:

  1. Increase cache size:
    /ip dns set cache-size=8192KiB
  2. Use faster upstream DNS (try Cloudflare 1.1.1.1)
  3. Check upstream server response time:
    /tool traceroute 8.8.8.8

Quick reference:

# Configure DNS
/ip dns set servers=8.8.8.8,1.1.1.1 allow-remote-requests=yes
# Static entries
/ip dns static add name=X address=Y
/ip dns static remove [find name=X]
/ip dns static print
# Cache management
/ip dns cache print
/ip dns cache flush
# Diagnostics
/ip dns print
/ping hostname.example.com count=1
# Check cache usage
:put [/ip dns get cache-used]

Related:

  • DHCP Server - distribute DNS settings to clients automatically
  • DHCP Relay - DNS option passed through relay
  • NTP Client - time synchronization (DoH certificate validation depends on correct time)
  • Certificates - required for DNS over HTTPS

DNS server configuration involves:

  1. Set upstream servers - Configure which DNS servers handle external queries
  2. Enable for LAN - Set allow-remote-requests=yes
  3. Secure the service - Block external access with firewall rules
  4. Configure DHCP - Distribute router as DNS to clients
  5. Add static entries - Create local hostname mappings as needed

Key points:

  • Always add firewall rules when enabling allow-remote-requests
  • Static entries take precedence over cached/upstream results
  • Flush cache after making changes or when troubleshooting
  • Consider DoH for encrypted DNS queries (RouterOS 7.x)