How to configure Mikrotik to direct port 53 to a DNS with RPZ security

Introduction

There are two ways to configure this redirection, through the CLI or through the GUI. Each method is explained below.

Using the CLI, it would be as follows:

# Redirect all DNS traffic (UDP and TCP) arriving on port 53 to the router's own resolver
/ip firewall nat add chain=dstnat protocol=udp dst-port=53 action=redirect to-ports=53
/ip firewall nat add chain=dstnat protocol=tcp dst-port=53 action=redirect to-ports=53

# Point the MikroTik resolver at the RPZ DNS server xxx.xxx.xxx.xxx
# (no space after "=": "servers= xxx" would be parsed as an empty value followed by a stray argument)
/ip dns set servers=xxx.xxx.xxx.xxx

# Let the router answer DNS requests from other hosts; answers are kept in the router's DNS cache
/ip dns set allow-remote-requests=yes

Using the GUI, it would be as follows:

These images show the NAT rules that redirect DNS traffic to the router

../_images/mkt1.png ../_images/mkt2.png ../_images/mkt3.png ../_images/mkt4.png

This image shows the RPZ resolver's IP being set as the router's DNS server and remote requests being allowed

../_images/mkt5.png

Brief summary of the aforementioned options

1- DNS Traffic Redirection to Port 53: Adds dstnat firewall rules that capture all DNS traffic (both UDP and TCP) addressed to port 53 and redirect it to the router itself. This ensures that every plain DNS query passes through the router, regardless of which DNS server the network devices are configured to use. Two caveats: as written the rules match on every interface, so in practice they should be limited to the LAN side (for example with in-interface-list=LAN); and only plain port-53 DNS is caught, so DNS over TLS (port 853) and DNS over HTTPS (port 443) bypass the redirection unless they are blocked separately.

2- DNS Server Configuration in MikroTik: Sets the upstream server that the router itself uses to resolve queries, here the RPZ DNS server. With this in place MikroTik acts as an intermediary: every query redirected to it is forwarded to the RPZ resolver, so the RPZ policy is applied to the whole network. If the RPZ server sits on the LAN, its own upstream queries must be excluded from the redirect rules (for example with src-address=!<rpz-ip>), otherwise they are looped back to the router.

3- Allow Remote Requests and DNS Cache Usage: Makes the router accept DNS queries from other hosts; without allow-remote-requests=yes the redirected queries would be refused. With it, MikroTik acts as the DNS server for the network, resolving queries through the RPZ server and caching the answers to improve performance. Note that this setting applies to every interface, so the firewall filter must drop DNS on the WAN input, otherwise the router becomes an open resolver reachable from the Internet.
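The complete configuration below is an added example, not the commands from the original page: it combines the three steps above with the caveats they mention (LAN-only redirection, a loop guard for an RPZ server on the LAN, no DNS from the WAN, DoT blocked). It assumes an interface list named LAN already exists and contains the LAN bridge, and uses the documentation address 192.0.2.53 as the RPZ resolver; both names and the address are assumptions to replace with your own.

```routeros
# Added example, not the original page's commands. Assumptions: an interface list
# named LAN exists (/interface list add name=LAN, then /interface list member add
# list=LAN interface=bridge1) and the RPZ resolver is 192.0.2.53.

# 1. Point the router's own resolver at the RPZ server and let other hosts query the router.
/ip dns set servers=192.0.2.53 allow-remote-requests=yes

# 2. Intercept plain port-53 DNS coming from the LAN only. Queries sent by the RPZ
#    server itself are excluded so that, if it lives on the LAN, its upstream lookups
#    are not redirected back to the router (which would loop them to the RPZ server again).
/ip firewall nat add chain=dstnat in-interface-list=LAN src-address=!192.0.2.53 protocol=udp dst-port=53 action=redirect to-ports=53 comment="DNS to router (UDP)"
/ip firewall nat add chain=dstnat in-interface-list=LAN src-address=!192.0.2.53 protocol=tcp dst-port=53 action=redirect to-ports=53 comment="DNS to router (TCP)"

# 3. allow-remote-requests answers DNS on every interface, so drop queries that do not
#    arrive from the LAN. place-before=0 puts the rules at the top of the input chain,
#    ahead of any broad accept rule that might otherwise let them through.
/ip firewall filter add chain=input in-interface-list=!LAN protocol=udp dst-port=53 action=drop place-before=0 comment="no DNS from WAN"
/ip firewall filter add chain=input in-interface-list=!LAN protocol=tcp dst-port=53 action=drop place-before=0 comment="no DNS from WAN"

# 4. DNS over TLS (port 853) bypasses the redirect; rejecting it makes clients fall
#    back to plain DNS, which the rules above catch. DoH on 443 cannot be singled out by port.
/ip firewall filter add chain=forward in-interface-list=LAN protocol=tcp dst-port=853 action=reject reject-with=tcp-reset comment="block DoT"

# Quick checks after applying: the two NAT rules should show growing packet counters
# when a LAN client queries any public resolver, and a query from the WAN side to the
# router's public address on port 53 should time out rather than be answered.
/ip firewall nat print stats where comment~"DNS to router"
```

A LAN client can confirm the interception by querying a resolver it does not own, for example dig @8.8.8.8 example.com: the answer arrives, but it comes from the router's cache and reflects the RPZ policy, and a domain blocked by the RPZ returns whatever the RPZ server is configured to return rather than the real record.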