Mikrotik RouterOS – Conditional DNS-forward

One of the big pains of having a complete network of L2TP/IPSec-devices is that you have to have DNS servers at each site, or run a central DNS-server which could be slow to reach and the users start complaining about slow internet.
This is a simple config-script to allow you to run your central DNS only on internal domains, and everything else on.. well, any DNS you want.

Notes:
The script creates a new pre-routing connection-mark, checking if the DNS-lookup on the router, port 53 is looking for something with “yourdomain.local”. When it is, it DST-NATs and forwards the packet to your internal DNS without doing anymore processing.

It assumes you use the router/gateway as DNS-server with remote requests enabled in DNS-setup.

# The domain you want to be able to look up
:global DOMAIN yourdomain.local  

# This is needed because the script won't allow a variable and a dash.. so no "$DOMAIN-forward"
:global CONMARK yourdomain.local-forward

# The LAN ip of your router
:global ROUTER 192.168.0.1

# The DNS-server where you look up "yourdomain.local"
:global DNSSERVER 1.1.1.10

/ip firewall layer7-protocol add name=$DOMAIN regexp=$DOMAIN
/ip firewall mangle add chain=prerouting dst-address=$ROUTER layer7-protocol=$DOMAIN action=mark-connection new-connection-mark=$CONMARK protocol=tcp dst-port=53
/ip firewall mangle add chain=prerouting dst-address=$ROUTER layer7-protocol=$DOMAIN action=mark-connection new-connection-mark=$CONMARK protocol=udp dst-port=53
/ip firewall nat add action=dst-nat chain=dstnat connection-mark=$CONMARK to-addresses=$DNSSERVER
/ip firewall nat add action=masquerade chain=srcnat connection-mark=$CONMARK

http://blog.degree.no/2013/10/mikrotik-routeros-conditional-dns-forward/