# DNS Redirect Rules Backup

**Date:** 2026-01-27
**Reason:** Temporarily disabled during VLAN migration
**Status:** DISABLED - to be re-enabled after VLAN setup complete

## NAT Rules (dstnat)

| # | Comment | Chain | Action | Src Address | Dst Port | To Address | To Port |
|---|---------|-------|--------|-------------|----------|------------|---------|
| 3 | Allow MikroTik AdGuard outbound DNS | dstnat | accept | 172.17.0.0/24 | 53/udp | - | - |
| 25 | Allow Unraid AdGuard outbound DNS | dstnat | accept | 192.168.31.4 | 53/udp | - | - |
| 26 | Allow Unraid AdGuard outbound DNS TCP | dstnat | accept | 192.168.31.4 | 53/tcp | - | - |
| 27 | Redirect DNS to MikroTik AdGuard | dstnat | dst-nat | 192.168.31.0/24 | 53/udp | 172.17.0.2 | 53 |
| 28 | Redirect DNS to MikroTik AdGuard TCP | dstnat | dst-nat | 192.168.31.0/24 | 53/tcp | 172.17.0.2 | 53 |
| 30 | DNS over TLS (DoT) | dstnat | dst-nat | in-interface=eth1_WAN | 853/tcp | 172.17.0.2 | 853 |
| 31 | DNS over HTTPS (DoH) | dstnat | dst-nat | in-interface=eth1_WAN | 8443/tcp | 172.17.0.2 | 443 |
| 32 | Redirect VLAN DNS to AdGuard | dstnat | dst-nat | src-address-list=all-vlans | 53/udp | 172.17.0.2 | 53 |
| 33 | Redirect VLAN DNS to AdGuard TCP | dstnat | dst-nat | src-address-list=all-vlans | 53/tcp | 172.17.0.2 | 53 |

## NAT Rules (srcnat - masquerade)

| # | Comment | Chain | Action | Src Address | Dst Address | Dst Port |
|---|---------|-------|--------|-------------|-------------|----------|
| 8 | Masquerade DNS to MikroTik AdGuard | srcnat | masquerade | 192.168.31.0/24 | 172.17.0.2 | 53/udp |
| 9 | Masquerade DNS to MikroTik AdGuard TCP | srcnat | masquerade | 192.168.31.0/24 | 172.17.0.2 | 53/tcp |
| 34 | Masquerade VLAN DNS to AdGuard | srcnat | masquerade | src-address-list=all-vlans | 172.17.0.2 | 53/udp |
| 35 | Masquerade VLAN DNS to AdGuard TCP | srcnat | masquerade | src-address-list=all-vlans | 172.17.0.2 | 53/tcp |

## Filter Rules (forward - allow DNS)

| # | Comment | Chain | Action | Src Address List | Dst Address | Dst Port |
|---|---------|-------|--------|------------------|-------------|----------|
| 12 | VLAN: IoT to DNS | forward | accept | vlan-iot | 192.168.31.1 | 53/udp |
| 14 | VLAN: IoT to DNS TCP | forward | accept | vlan-iot | 192.168.31.1 | 53/tcp |
| 16 | VLAN: Cameras to DNS | forward | accept | vlan-cameras | 192.168.31.1 | 53/udp |
| 18 | VLAN: Guest to DNS | forward | accept | vlan-guest | 192.168.31.1 | 53/udp |
| 51 | VLAN: Kids to DNS | forward | accept | vlan-kids | 192.168.31.1 | 53/udp |

## Re-enable Commands

When ready to restore the DNS redirect to AdGuard:

```routeros
# Enable the NAT redirect and masquerade rules (27, 28, 32, 33 and 8, 9, 34, 35).
# "~" is a regex match, so the pattern must use ".*" between the words:
# the VLAN rules are commented "Redirect VLAN DNS ..." / "Masquerade VLAN DNS ...",
# which a literal "Redirect DNS" / "Masquerade DNS" would not match.
/ip firewall nat enable [find comment~"Redirect.*DNS" or comment~"Masquerade.*DNS"]

# Check that all eight rules now show as enabled (no "X" flag)
/ip firewall nat print where comment~"DNS"

# Note: Filter rules (VLAN to DNS) should remain enabled - they only allow traffic
```

## Notes

- Rules 27, 28, 32, 33 are the main redirect rules: they force port 53 DNS from the 192.168.31.0/24 LAN and from the `all-vlans` address list to AdGuard at 172.17.0.2
- Rules 8, 9, 34, 35 are the masquerade rules needed for the AdGuard container to work, so that redirected queries and their replies pass through the router
- Rules 3, 25, 26 are accept rules placed before the redirects so the AdGuard containers' own upstream DNS queries are not redirected back to AdGuard
- Filter rules 12, 14, 16, 18, 51 allow VLAN devices to reach DNS - these are OK to keep
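Before running a bulk `enable` or `disable` against a firewall, it is worth confirming which rules a `find comment~...` expression actually selects, because the `~` operator is a regex search and a pattern that looks like a plain phrase can silently skip rules. The script below is an added example, not part of the original backup: it models RouterOS's unanchored regex match in Python over the rule comments copied from the tables above (the rule list and the expected set are constructed from this page) and reports which of the rules the Notes section depends on would be missed or touched unexpectedly by a given pattern set.

```python
import re

# Constructed from the NAT tables in this backup: (rule number, chain, comment).
RULES = [
    (3, "dstnat", "Allow MikroTik AdGuard outbound DNS"),
    (25, "dstnat", "Allow Unraid AdGuard outbound DNS"),
    (26, "dstnat", "Allow Unraid AdGuard outbound DNS TCP"),
    (27, "dstnat", "Redirect DNS to MikroTik AdGuard"),
    (28, "dstnat", "Redirect DNS to MikroTik AdGuard TCP"),
    (30, "dstnat", "DNS over TLS (DoT)"),
    (31, "dstnat", "DNS over HTTPS (DoH)"),
    (32, "dstnat", "Redirect VLAN DNS to AdGuard"),
    (33, "dstnat", "Redirect VLAN DNS to AdGuard TCP"),
    (8, "srcnat", "Masquerade DNS to MikroTik AdGuard"),
    (9, "srcnat", "Masquerade DNS to MikroTik AdGuard TCP"),
    (34, "srcnat", "Masquerade VLAN DNS to AdGuard"),
    (35, "srcnat", "Masquerade VLAN DNS to AdGuard TCP"),
]

# The redirect and masquerade rules the Notes section says must come back together.
EXPECTED = {27, 28, 32, 33, 8, 9, 34, 35}


def find_by_comment(rules, *patterns):
    """Model RouterOS `[find comment~"a" or comment~"b"]`.

    `~` is a case-sensitive, unanchored regex search, so a rule is selected
    if any pattern occurs anywhere in its comment.  Returns the rule numbers.
    """
    compiled = [re.compile(p) for p in patterns]
    return {num for num, _chain, comment in rules
            if any(c.search(comment) for c in compiled)}


def coverage(rules, expected, *patterns):
    """Compare the rules a pattern set selects against the rules it should select."""
    matched = find_by_comment(rules, *patterns)
    return {
        "matched": sorted(matched),
        "missed": sorted(expected - matched),      # would stay disabled after `enable`
        "unexpected": sorted(matched - expected),  # would be toggled by accident
    }


if __name__ == "__main__":
    # Literal phrases skip the "... VLAN DNS ..." rules; ".*" between the words covers them.
    for pats in (("Redirect DNS", "Masquerade DNS"),
                 ("Redirect.*DNS", "Masquerade.*DNS")):
        print(pats, coverage(RULES, EXPECTED, *pats))
```

The same check works for any bulk operation keyed on comments: paste the current `/ip firewall nat print` comments into `RULES`, put the rule numbers you intend to touch into `EXPECTED`, and only run the real command once `missed` and `unexpected` are both empty.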