Configuring Mikrotik to use OpenDNS | Phy2Vir

If you haven’t heard of OpenDNS, it is a service that offers free DNS servers with web filtering. I have used their servers both at home and at customers who offer free WiFi access to their own customers. Often many children connect tablets and similar devices to these networks, especially when the WiFi is available in public places, so it is important that users can browse the internet safely.

OpenDNS allows you to use their servers without registering. Just point the router at their servers, 208.67.222.220 and 208.67.222.222, and you’re done.

To set up a MikroTik router to use these servers, you first need to make sure that it is not using the DNS servers supplied by your ISP (the “peer DNS” handed out by DHCP or PPPoE). To disable peer DNS on an internet-facing interface that uses a DHCP client:

  1. List the DHCP clients that are running:

/ip dhcp-client print

The output should look something like this:

In this case there is only one DHCP client.

  2. Disable the use of peer DNS on DHCP client 0 (the item number from the listing above):

/ip dhcp-client set 0 use-peer-dns=no

To disable peer DNS on a PPPoE client interface, the command is similar:

/interface pppoe-client set 0 use-peer-dns=no

  3. Configure the router to use the OpenDNS servers:

/ip dns set server=208.67.222.220,208.67.222.222
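A fuller version of the resolver set-up, added here as an example and not part of the original post: it points the router at the two OpenDNS addresses above, lets LAN clients use the router itself as their DNS server (the `allow-remote-requests` setting, which the post does not mention), blocks that same service from the Internet side so the router does not become an open resolver, and checks the result. It assumes the interface list `WAN` of the RouterOS 6.41+ default configuration (on older versions use `in-interface=ether1`, or whichever interface faces the ISP) and uses `welcome.opendns.com`, OpenDNS’s own check page, as the test lookup; both are assumptions, not taken from the post.

```routeros
# Added example, not the original post's commands.
# Assumed: interface list "WAN" exists (RouterOS 6.41+ default config).

# 1. Resolver settings. "servers=" is the full parameter name; the post's
#    "server=" works because RouterOS accepts unambiguous abbreviations.
#    allow-remote-requests=yes lets LAN clients query the router itself.
/ip dns set servers=208.67.222.220,208.67.222.222 allow-remote-requests=yes

# 2. allow-remote-requests also answers queries arriving from the Internet.
#    Drop DNS on the WAN side in the input chain. place-before=0 puts the
#    rules at the top so no earlier accept rule lets them through (omit it
#    on an empty filter table).
/ip firewall filter
add chain=input in-interface-list=WAN protocol=udp dst-port=53 action=drop \
    comment="no DNS service towards the Internet (udp)" place-before=0
add chain=input in-interface-list=WAN protocol=tcp dst-port=53 action=drop \
    comment="no DNS service towards the Internet (tcp)" place-before=0

# 3. Verify: show the settings, then resolve a name through the configured
#    servers. welcome.opendns.com (assumed) only answers as expected when
#    the query really went through OpenDNS.
/ip dns print
:put [:resolve welcome.opendns.com]
```

Replies to the router’s own upstream queries carry source port 53 and an ephemeral destination port, so the two drop rules on `dst-port=53` do not interfere with them.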

This gives you basic filtering, but no control over what is blocked and what is allowed.

To control which content is allowed and which is blocked, you need to set up an account on opendns.com. For home use there are free options. Once you have an account, you label the IP address you are connecting from; your current public IP address is bound to this label, and the IP is how OpenDNS identifies you so that the filtering rules you set are applied.

When you have a dynamic address, as in most cases, you need to run an agent on a computer on the home network that updates your profile whenever your IP address changes. I decided that the router should do this update, since it is always connected. To do this on a MikroTik router you need to:

  • Ensure that the label set up in OpenDNS is marked as dynamic
  • Configure the DNS servers and disable peer DNS as explained earlier
  • Copy and paste the script below into a terminal window on your router, after changing the values of the variables openDNSUsername, openDNSPassword and openDNSHostname. A script named OpenDNS will be created.
/system script
add name=OpenDNS policy=read,test source="#\r\
 \n# Variables\r\
 \n#\r\
 \n:local openDNSUsername \"<email address>\"\r\
 \n:local openDNSPassword \"<openDNS password>\"\r\
 \n:local openDNSHostname \"<label>\"\r\
 \n \r\
 \n#\r\
 \n# Script\r\
 \n#\r\
 \n/tool fetch url=\"https://updates.opendns.com/nic/update\?system=dyndns&hostname=\$openDNSHostname\" \\\r\
 \n user=\"\$openDNSUsername\" password=\"\$openDNSPassword\" \\\r\
 \n mode=https keep-result=no"
  • Next, schedule the script to run at an interval, say every hour. The command below creates a scheduler entry named “Update openDNS Account” that runs the script every hour.
/system scheduler
 add comment="Update Open DNS Dynamic IP" disabled=no interval=1h name=\
  "Update openDNS Account" on-event=OpenDNS policy=\
  read,test start-date=jan/01/1970 start-time=16:00:00
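A variant of the update script, added here as an example and not the post’s own script (which sends the update on every run): it reads the address on the WAN interface, remembers the last address it reported in a global variable, only contacts OpenDNS when the address has changed, and logs the reply so a refused update shows up in `/log print`. Paste it as the source of the OpenDNS script (Winbox script window or `/system script edit`); the scheduler from the post runs it unchanged. Assumptions, none of them from the post: the WAN interface is named `ether1` and carries exactly one address, `/tool fetch ... as-value output=user` is available (RouterOS 6.43 and later), and the reply follows the DynDNS-style convention of `good <ip>` or `nochg <ip>` on success.

```routeros
# Added example, not the original post's script. Update the OpenDNS label only
# when the WAN address changes and log what the server answered.

# Credentials and label, placeholders as in the post
:local openDNSUsername "<email address>"
:local openDNSPassword "<openDNS password>"
:local openDNSHostname "<label>"
# Interface that carries the public address bound to the label (assumed name)
:local wanInterface "ether1"

# Address sent on the last successful update; globals persist between runs
:global openDNSLastIp

# Current address on the WAN interface, e.g. "203.0.113.7/24" (constructed
# sample), with the prefix length stripped
:local addr [/ip address get [find interface=$wanInterface] address]
:local curIp [:pick $addr 0 [:find $addr "/"]]

:if (([:typeof $openDNSLastIp] != "nothing") && ($curIp = $openDNSLastIp)) do={
    :log debug "OpenDNS: $curIp unchanged, nothing sent"
} else={
    :do {
        :local result [/tool fetch mode=https \
            url="https://updates.opendns.com/nic/update?system=dyndns&hostname=$openDNSHostname" \
            user=$openDNSUsername password=$openDNSPassword as-value output=user]
        :local body ($result->"data")
        # DynDNS-style reply (assumed): "good <ip>" = updated, "nochg <ip>" = already
        # correct; anything else (badauth, nohost, ...) means the label was not updated
        :if (([:pick $body 0 4] = "good") || ([:pick $body 0 5] = "nochg")) do={
            :set openDNSLastIp $curIp
            :log info "OpenDNS: label $openDNSHostname set to $curIp ($body)"
        } else={
            :log warning "OpenDNS: update of $openDNSHostname refused: $body"
        }
    } on-error={
        # fetch itself failed (no connectivity, TLS or HTTP error): the global is
        # left untouched, so the next scheduled run retries
        :log warning "OpenDNS: update request for $openDNSHostname failed"
    }
}
```

Because the remembered address is only set after a successful reply, a failed or refused update is retried on the next scheduled run rather than silently skipped; with the post’s one-hour interval that bounds how long the label can stay stale after an address change.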

The OpenDNS script was taken from the MikroTik forum. Thanks go to the author of the post, efaden:

http://forum.mikrotik.com/viewtopic.php?f=2&t=70227&view=previous#p390831

UPDATE – The script and scheduler commands have been updated because the policies originally set did not allow the script to run properly when scheduled. Let me know in the comments section if you have any issues.


18 Comments

  • How do I ensure that all clients connected to my router use only the DNS servers supplied by the router? I have seen some firewall entries on the router, but the information on them is a tad confusing. Which work?

    • Hi Pranav,
      you can set a dst-nat filter rule as described in the Forwarding a port to an internal IP post.

      What you need to do is remove the dst-address, so that all DNS requests pointed at any server are caught by the rule.
      Set protocol=udp and dst-port=53. These are the protocol and port used when performing DNS requests.
      Set to-addresses=<your router IP>
      Remove to-ports or change it to to-ports=53
      Original from the wiki:
      /ip firewall nat add chain=dstnat dst-address=69.69.69.69 protocol=tcp dst-port=5900 \
      action=dst-nat to-addresses=192.168.1.101 to-ports=5900

      My suggestion:
      /ip firewall nat add chain=dstnat protocol=udp dst-port=53 \
      action=dst-nat to-addresses=192.168.1.1 to-ports=53

      Hope this is helpful

      Thanks for visiting

      • I have 4 WANs, every WAN is a dynamic IP,
        I want to update each WAN with its own OpenDNS label,

        as

        for wan 1
        :local openDNSUsername "uname"
        :local openDNSPassword "pass"
        :local openDNSHostname "wan1"
        :local WANInter "ether1"

        for wan 2
        :local openDNSUsername "uname"
        :local openDNSPassword "pass"
        :local openDNSHostname "wan2"
        :local WANInter "ether2"

        for wan 3
        :local openDNSUsername "uname"
        :local openDNSPassword "pass"
        :local openDNSHostname "wan3"
        :local WANInter "ether3"

        • Hi,
          In my example, the MikroTik is used as a DNS server for clients. Since only one DNS server exists, in my opinion it does not make sense to create multiple labels, one for each internet connection, since the router will issue DNS queries from only one of the internet connections. What you are asking would make sense for updating a DDNS (Dynamic DNS) service, which, as I am sure you know, OpenDNS does not offer.

          I do not know how the 4 internet connections are used, but as long as the router can use the same connection to query the OpenDNS servers as the one in the label, i.e. DNS requests and HTTPS (for the script to update) go out from the same interface, you should not have an issue and filtering rules will be applied as per the label settings in OpenDNS.
          Hope my answer is clear.

          Good luck and thanks for commenting 🙂
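The DNS-redirect rule suggested in the reply to Pranav above, reworked as an added example (not code from the post or its comments): it restricts the rule to packets arriving from the LAN, so DNS requests reaching the router from the Internet are not pushed into its resolver, uses `action=redirect` so the router’s own address does not have to be written into the rule, and covers TCP as well as UDP port 53. It assumes the interface list `LAN` of the RouterOS 6.41+ default configuration (on older versions use `in-interface=bridge` or the LAN interface name) and that the router’s DNS has `allow-remote-requests=yes`, as in the author’s set-up.

```routeros
# Added example, not from the post or its comments. Send every LAN client's
# DNS query to the router's resolver (which forwards to OpenDNS), whatever
# server the client has configured.
# Assumed: interface list "LAN" exists (RouterOS 6.41+ default config) and
# /ip dns has allow-remote-requests=yes.
/ip firewall nat
# redirect = dst-nat to the router's own address on the interface the packet
# arrived on, so no to-addresses is needed and the rule survives address changes
add chain=dstnat in-interface-list=LAN protocol=udp dst-port=53 \
    action=redirect to-ports=53 comment="force LAN DNS via router (udp)"
# large answers and DNS-over-TCP fall back to TCP/53; catch those too
add chain=dstnat in-interface-list=LAN protocol=tcp dst-port=53 \
    action=redirect to-ports=53 comment="force LAN DNS via router (tcp)"

# Verify: the packet and byte counters on these rules grow while a client
# queries a resolver other than the router
/ip firewall nat print stats where comment~"force LAN DNS"
```

Clients that use DNS over TLS (TCP 853) or DNS over HTTPS never send anything on port 53, so these rules do not see them; only plain port 53 lookups are steered to the router.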

  • Great post. Thank you for sharing.
    I have one comment, on my Mikrotik 6.38.1 The system scheduler script doesn’t take the “\”

    • Hi Fernando,
      thanks for your feedback. Much appreciated.
      If you are referring to the “\” in “interval=1h name=\” and “on-event=OpenDNS policy=\” it is only there because the command continues on a separate line. If you type it all in one line it is not needed.
      I tried it on my RB750 with 6.38.1 and it worked perfectly.

      Thanks again
      Brian

    • Hi,

      yes it works with a minor tweak. At some point when upgrading my router I noticed this was not working for me too. I realised the script needed additional permissions to run. I didn’t have time to check which permissions were needed but since this is a script I personally trust, I gave it full permissions from within the scheduler window and the script window in winbox.

      In command line it would be something similar to:
      for Script:
      /system script add dont-require-permissions=yes name=OpenDNS owner=admin policy=\
      ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="
      ETC ETC "
      For Scheduler:
      /system scheduler add comment="Update Open DNS Dynamic IP" interval=30m name="Update OPENDNS Account" on-event=OpenDNS policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=feb/17/2014 start-time=10:54:46

      Please note that I copied from my mikrotik and put them here. Please change items as necessary.

      I am using this on firmware 6.45.7. I urge you to update to the latest version due to some new vulnerabilities which have been discovered.
      Hope you find this useful.

  • Thank you for your help. I couldn’t find how to disable the ISP supplied dynamic DNS, but they’re now not showing under /ip dns print

    I think these both should be PPPOE (I got an error with the command as shown, added the extra p and all good):

    To disable PeerDNS on a PPOE client interface, similarly type

    /interface ppoe-client set use-peer-dns=no 0
