Force clients to use the ISP's DNS server

Create a scheduler that runs about every minute and checks whether the ISP's DNS server is up or down: if it is down, the router switches to a public DNS; if it is up, the router is set back to the ISP's DNS.


Script to install in the MikroTik scheduler:

:do {
    # test query against the ISP resolver; any failure jumps to on-error
    [:resolve dnstest.domain.net.id server="103.1.1.1"];
    # resolver answered: make sure the router and the DNS NAT rule use it
    :if ([/ip dns get servers] != "103.1.1.1") do={
        /ip dns set servers="103.1.1.1"
        /ip firewall nat set [find comment=dns] disabled=no
        :log warning "update to Internal DNS"
    }
} on-error={
    # resolver failed: fall back to public DNS and stop forcing clients to the ISP
    /ip dns set servers=8.8.8.8,8.8.4.4
    /ip firewall nat set [find comment=dns] disabled=yes
    :log warning "update to public DNS"
}




Use the ISP's DNS

/ip firewall nat
add action=dst-nat chain=dstnat comment=dns dst-port=53 protocol=udp to-addresses=103.1.1.1
add action=dst-nat chain=dstnat comment=dns dst-port=53 protocol=tcp to-addresses=103.1.1.1

Or redirect clients to the MikroTik's own DNS

/ip firewall nat
add action=redirect chain=dstnat dst-port=53 protocol=udp
add action=redirect chain=dstnat dst-port=53 protocol=tcp
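The scheduler script above switches DNS on a single failed :resolve, and a lost UDP packet once a minute is enough to flip the configuration back and forth. The following is an added example, not code from the original page or from MikroTik: it models the same check in Python so the logic can be tested, sends its own minimal DNS A query instead of :resolve, and only switches after a number of consecutive failures or successes (the threshold is an assumption). The 103.1.1.1, 8.8.8.8/8.8.4.4 and dnstest.domain.net.id values come from the page. Note also that the redirect variant of the NAT rules carries no comment=dns, so the script's [find comment=dns] would not toggle those rules.

```python
"""DNS health probe with failover hysteresis.

Added example, not code from the original page: it models the RouterOS
scheduler script in Python.  Assumptions not on the page: the probe sends
its own minimal DNS A query instead of RouterOS's :resolve, and the
ISP/public switch only happens after `threshold` consecutive failures or
successes, so a single lost UDP packet does not flip the configuration.
"""
import random
import socket
import struct

ISP_DNS = "103.1.1.1"                 # value from the page
PUBLIC_DNS = "8.8.8.8,8.8.4.4"        # value from the page
TEST_NAME = "dnstest.domain.net.id"   # value from the page


def build_query(name, qid):
    """Minimal DNS query: 12-byte header, QNAME labels, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii") for label in name.split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def answer_is_usable(data, qid):
    """True only for a reply to our ID that is a response, has RCODE 0 and
    carries at least one answer record; a reachable resolver that answers
    NXDOMAIN or SERVFAIL counts as a failed probe, as it does for :resolve."""
    if len(data) < 12:
        return False
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    is_response = bool(flags & 0x8000)
    rcode = flags & 0x000F
    return rid == qid and is_response and rcode == 0 and ancount > 0


def probe(server=ISP_DNS, name=TEST_NAME, timeout=2.0):
    """Send one UDP query to `server` and report whether it answered usefully."""
    qid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name, qid), (server, 53))
            data, _peer = sock.recvfrom(512)
        except OSError:        # timeout, unreachable host, ICMP error
            return False
    return answer_is_usable(data, qid)


class Failover:
    """Tracks consecutive probe results and decides which DNS servers to set
    and whether the NAT rule tagged comment=dns should be enabled."""

    def __init__(self, threshold=3):
        self.threshold = threshold
        self.state = "isp"
        self.consecutive_fail = 0
        self.consecutive_ok = 0

    def step(self, probe_ok):
        """Feed one probe result (one scheduler tick) and get the config to apply."""
        if probe_ok:
            self.consecutive_ok += 1
            self.consecutive_fail = 0
        else:
            self.consecutive_fail += 1
            self.consecutive_ok = 0
        if self.state == "isp" and self.consecutive_fail >= self.threshold:
            self.state = "public"      # same action as the script's on-error branch
        elif self.state == "public" and self.consecutive_ok >= self.threshold:
            self.state = "isp"         # same action as the script's :if branch
        return self.config()

    def config(self):
        if self.state == "isp":
            return {"dns_servers": ISP_DNS, "dns_nat_rule_enabled": True}
        return {"dns_servers": PUBLIC_DNS, "dns_nat_rule_enabled": False}


if __name__ == "__main__":
    # One scheduler tick; keep one Failover object alive across ticks.
    fo = Failover()
    print(fo.step(probe()))
```

Run it once a minute from a persistent process (or port the counter logic back into the RouterOS script with a global variable) and apply the returned dns_servers and dns_nat_rule_enabled values in place of the script's two branches.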

Nginx config for the DNS block page

Every page is routed to index.html.


server {
    listen 80 default_server;
    listen [::]:80 default_server;

    root /var/www/html;
    index index.html;
    server_name _;

    location / {
        try_files $uri $uri/ =404;
    }

    # any missing page or upstream error shows the block page
    error_page 404 /index.html;
    error_page 500 502 503 504 /index.html;

    location = /index.html {
        root /var/www/html;
        internal;
    }
}

server {
    root /var/www/html;
    index index.html;
    server_name _;

    location / {
        try_files $uri $uri/ =404;
    }

    error_page 404 /index.html;
    error_page 500 502 503 504 /index.html;

    location = /index.html {
        root /var/www/html;
        internal;
    }

    listen [::]:443 ssl ipv6only=on;
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/blocked.domain.net.id/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/blocked.domain.net.id/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}

VyOS "routing socket reports: No buffer space available"

This means conntrack_max is full. The fix is either to raise the value, at the cost of higher RAM use, or to simply turn tracking off as follows:


configure
set system conntrack ignore rule 10 description "stateless firewall"
set system conntrack ignore rule 10 protocol all
commit
save
exit
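Before choosing between a larger table and the ignore rule above (which, as its own description says, makes the firewall stateless for the matched traffic, so NAT and stateful rules no longer see those flows), it helps to know how full the table actually gets. The following is an added example, not from the original page or from VyOS: it parses the kernel's per-CPU conntrack counters in /proc/net/stat/nf_conntrack together with nf_conntrack_max and classifies the state. Column names are taken from the file's own header line because they differ between kernel versions; the sample text and the 80% warning threshold are constructed for this example.

```python
"""Conntrack table fill and drop monitor.

Added example, not from the original page: reads the kernel's per-CPU
conntrack counters and the table limit and classifies the state, so the
"No buffer space available" condition can be caught before it bites.
Column names come from the file's own header line (they differ between
kernel versions); the sample text below is constructed for this example.
"""

# Constructed sample in the /proc/net/stat/nf_conntrack layout: one header
# line, then one row of hexadecimal counters per CPU.
SAMPLE_STAT = (
    "entries  searched found new invalid ignore delete delete_list insert "
    "insert_failed drop early_drop icmp_error  expect_new expect_create "
    "expect_delete search_restart\n"
    "0003e800  00000000 00000000 00000000 0000012c 000000a1 00000000 00000000 "
    "00000000 00000000 00000004 00000002 00000000 00000000 00000000 00000000 00000000\n"
    "0003e800  00000000 00000000 00000000 00000107 00000098 00000000 00000000 "
    "00000000 00000000 00000001 00000000 00000000 00000000 00000000 00000000 00000000\n"
)
SAMPLE_MAX = "262144\n"   # constructed value of nf_conntrack_max


def parse_stat(text):
    """Sum the per-CPU counters by column name.  `entries` is the table total
    and is repeated identically on every row, so it is taken from row one."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split()
    rows = [[int(value, 16) for value in line.split()] for line in lines[1:]]
    totals = {name: sum(row[i] for row in rows) for i, name in enumerate(header)}
    totals["entries"] = rows[0][header.index("entries")]
    return totals


def assess(stats, table_max, warn_pct=80):
    """Return ok / warning / critical: critical as soon as the kernel has had
    to drop or early-drop entries, warning once fill crosses warn_pct."""
    fill_pct = stats["entries"] * 100.0 / table_max
    dropped = stats.get("drop", 0) + stats.get("early_drop", 0)
    if dropped > 0:
        level = "critical"
    elif fill_pct >= warn_pct:
        level = "warning"
    else:
        level = "ok"
    return {"level": level, "fill_pct": round(fill_pct, 1), "dropped": dropped}


def check_live():
    """Read the real files on a Linux box (standard kernel paths)."""
    with open("/proc/net/stat/nf_conntrack") as f:
        stats = parse_stat(f.read())
    with open("/proc/sys/net/netfilter/nf_conntrack_max") as f:
        table_max = int(f.read())
    return assess(stats, table_max)


if __name__ == "__main__":
    print(assess(parse_stat(SAMPLE_STAT), int(SAMPLE_MAX)))
```

A non-zero drop or early_drop total is the same condition the error message reports; a steady fill above the warning level with no drops is the signal that the table can be raised ahead of time rather than switching the firewall to stateless handling.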


References:

https://support.vyos.io/en/support/solutions/articles/103000096273-system-optimization

https://community.ui.com/questions/Disable-the-ability-for-the-nfconntrack-table-to-become-full/8897cb01-70fd-489f-8cef-00e0af90a21b