DNS Redirection on MikroTik for your office domain
Feb 18, 2009
So I got sick and tired of adding hostnames for each and every internal server's IP address at my home...

I finally came up with a few MikroTik firewall rules that let you resolve (and reverse-lookup) internal hostnames via your office's DNS server, while ALL other DNS queries still go to your default (ISP) DNS servers.

For example, my setup looks as follows:
  • My office uses the *.mydomain.co.za domain name for all our servers
  • Most of our servers share public IP addresses, but each one of them has a unique internal IP address (192.168.*.*). I need access to the internal IP addresses, because SSH is only enabled from inside
  • The DNS server is hosted on
My primary DNS server on my home MikroTik is Google's DNS server:

For instance, if I try to look up www.kalahari.net, my MikroTik will query it from
Whenever I try to look up anything.mydomain.co.za, the Layer-7 regular expression matches and the DNS query is forwarded to my office's DNS server, which will respond with like IP address. Without the rule, I would've gotten something like and would then not be able to get SSH access to anything.mydomain.co.za.
The regular expression also matches the reverse DNS lookups for 192.168.*.* (please note that the IP range is written in reverse in the regular expression), so when I look up, the DNS lookup is also forwarded to my office's DNS server, which replies with something like myhost.mydomain.co.za instead of the 'Non-existent domain' that would give me.

/ip firewall layer7-protocol
add name="MyDomain DNS" regexp=\

/ip firewall nat
add action=masquerade chain=srcnat comment="NAT to MyDomain DNS" disabled=no dst-address= dst-port=53 \
add action=dst-nat chain=dstnat disabled=no dst-address-type=local dst-port=53 layer7-protocol="MyDomain DNS port forward" \
    protocol=udp to-addresses= to-ports=53

If you use these rules, please remember to change:
  1. mydomain.co.za to your own office's internal hostnames/domain.
  2. the IP address to your office's DNS server address.
  3. the [0-9]+.[0-9]+.168.192 part of the regular expression to the reverse of your office's internal IP range. For example, [0-9]+.[0-9]+.168.192 is the reverse of 192.168.[0-9]+.[0-9]+, aka 192.168.*.*
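To show why this pattern fires on both the forward and the reverse lookups described above, here is an added Python emulation of the layer7 match (not from the post or from RouterOS). It assumes the pattern mydomain.co.za|[0-9]+.[0-9]+.168.192, reconstructed from the description since the regexp value itself is blank above, and it builds minimal DNS query packets in wire format, where each label is prefixed by a length byte rather than separated by a literal dot:

```python
import re

# Assumed pattern, reconstructed from the post's description (the post's own
# regexp= value is not shown). Note the dots are deliberately left unescaped.
OFFICE_DNS_REGEX = re.compile(rb"mydomain.co.za|[0-9]+.[0-9]+.168.192", re.DOTALL)


def encode_qname(name: str) -> bytes:
    """Encode a hostname as it appears inside a DNS packet: each label is
    prefixed by its length byte and the whole name ends with a 0x00 byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """Build a minimal DNS query (12-byte header + one question) for `name`.
    qtype 1 = A record, 12 = PTR (reverse lookup); qclass is always IN (1).
    Constructed sample packet, not captured from a real resolver."""
    header = b"\x12\x34" + b"\x01\x00" + b"\x00\x01" + b"\x00\x00" * 3
    return header + encode_qname(name) + qtype.to_bytes(2, "big") + b"\x00\x01"


def reverse_name(ip: str) -> str:
    """in-addr.arpa name for an IPv4 address: 192.168.1.10 -> 10.1.168.192.in-addr.arpa"""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def goes_to_office_dns(packet: bytes) -> bool:
    """Emulate the layer7 decision: an unescaped '.' in the pattern matches the
    label-length byte on the wire, which is exactly why the rule works on
    real DNS packets where no literal dots exist."""
    return OFFICE_DNS_REGEX.search(packet) is not None


if __name__ == "__main__":
    for qname, qtype in [("anything.mydomain.co.za", 1),
                         ("www.kalahari.net", 1),
                         (reverse_name("192.168.1.10"), 12),
                         (reverse_name("10.0.0.5"), 12)]:
        pkt = build_dns_query(qname, qtype)
        print(f"{qname:32} -> {'office DNS' if goes_to_office_dns(pkt) else 'ISP DNS'}")
```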

I hope this is useful to some of you guys out there who are using VPN connections to your office :D

We have Neotel Neobroadband 5Mbps Fiber at our office, but we had endless issues with it, where a reset of the Cisco router fixed it. Luckily a colleague of mine had a network diagram (with the VLAN tags), so we simply removed the Cisco router (that Neotel gave us), plugged in directly to our MikroTik RB1100, and now our Internet is pumping again.