Allow access based on FQDN instead of IP

Hi,

I found that article but it seems to be old (2012), can someone help us?
We have a customer where some computers (production/bottom fabric) should have access only to the Windows Update and antivirus servers' addresses on the internet.

Another option, if available, is to create a routing policy for those computers in a way that limits their DNS requests…

Article for reference:
https://wiki.mikrotik.com/wiki/Use_host_names_in_firewall_rules

tks,

Renato P

With current RouterOS, you can use hostnames in address list directly instead of numeric addresses. But finding the right hostnames to use might be the tricky part.

Hi sob, tks for quick reply.

So should I understand that I'd be able to use something like that?

/ip firewall address-list add address=wiki.mikrotik.com comment=wiki.mikrotik.com list=host_mikrotik

Yeah - if you know the exact hostnames that are to be used, then you can list them all in the address list as you posted, along with a forward rule like this:

in-interface=lan out-interface=wan dst-address-list=!host_mikrotik action=drop

This would block all outbound access except to IP addresses referenced by the hostnames in your list.
Note that this is based on IP address, so any IPs that host other services would be accessible by clients, so this isn’t a 100% airtight solution, but it’s 99.9999% airtight. It will certainly block facebook, youtube, hulu, cnn, twitter, etc.

If you want to force all DNS to use only your server, you can do one of two things:
block outbound dns queries in the forward chain
or
redirect all dns queries in the dstnat chain
i.e.: chain=dstnat protocol=udp dst-port=53 in-interface=lan action=redirect
(duplicate this for tcp because dns can use tcp as well, even though it’s not that common right now)
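Putting the pieces from this reply together as one RouterOS configuration (an added example, not code from the thread or from MikroTik): the list names wu_av and restricted_hosts, the 192.168.10.0/24 subnet and the two hostnames are assumptions, and the real Windows Update and antivirus hostnames must be taken from the vendors' documentation.

```routeros
# Hostname-based address list: RouterOS resolves each FQDN itself and refreshes
# the learned IPs according to the DNS record TTL.
/ip firewall address-list
add list=wu_av address=windowsupdate.microsoft.com comment="Windows Update (assumed name)"
add list=wu_av address=av-updates.example.com comment="AV update server (placeholder)"
# The restricted production machines (assumed subnet).
add list=restricted_hosts address=192.168.10.0/24 comment="production floor"

/ip firewall filter
# Replies to already-permitted sessions keep flowing.
add chain=forward connection-state=established,related action=accept
# Restricted hosts may reach the listed destinations only; everything else is
# dropped and logged so blocked update traffic can be spotted during rollout.
add chain=forward src-address-list=restricted_hosts dst-address-list=wu_av action=accept
add chain=forward src-address-list=restricted_hosts action=drop log=yes log-prefix="restricted-drop"

/ip firewall nat
# Force the restricted hosts through the router's resolver so the clients and
# the address list work from the same answers; cover TCP as well as UDP.
add chain=dstnat src-address-list=restricted_hosts protocol=udp dst-port=53 action=redirect to-ports=53
add chain=dstnat src-address-list=restricted_hosts protocol=tcp dst-port=53 action=redirect to-ports=53

/ip dns
set allow-remote-requests=yes
```

CDN-backed hostnames can return different addresses on each query, so keep the clients resolving through the router and check what the list actually learned with `/ip firewall address-list print` before relying on the drop rule.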