We are setting up networking on a boat and this boat has both a LTE-connection and a Starlink connection.
The Starlink connection has a data cap of 50Gb/month.
The LTE has unlimited data.
Microsoft has some of their domains as wildcard domains and we would like to allow connections to them.
We can’t do this in “Address lists” because it doesn’t support wildcards, and I understand why.
Does anybody out there know how we could solve this?
I’ve read a few threads from people who are upset that this doesn’t work on Mikrotik, and a common response is that the issue is the Mikrotik having to DNS-check every possible subdomain. I understand that the Mikrotik can’t do that.
However, if the Mikrotik was able to run as a relay for all DNS-questions, which it is, it should be possible to use that function for allowing access to wildcard domains?
Example:
I ask for wildcard.office.com and the Mikrotik can see that it’s a subdomain to office.com and because I have allowed *.office.com it should allow the connection.
If you can force all the devices to use the router as DNS server (no custom DNS server/DoH/DoT configured on the client devices), then you can achieve what you described with static FWD DNS entries.
You need to create static DNS entries for the domains (wildcards / regexp work here), set the type to FWD and specify the IP address of an upstream DNS server. This upstream server will resolve the address. What is important is that with this entry you can specify an address list name. Whenever a client queries for the matching domain/subdomain, the resolved IP addresses will be automatically added to the specified address list, and stay there until the TTL of the domain expires. You can use the address list in your firewall rules.
A router is not a good device to block/allow URLs.
A firewall can block protocols, ports, IP addresses etc.
A DNS server can give bogus responses (effectively blocking) to DNS queries.
There is nothing for URL filtering, especially because most of the internet uses HTTPS.
So just to make it more clear for the next person asking:
You have to use your Mikrotik router as the DNS-server for your clients, otherwise this won’t work.
I have set my DHCP to provide all my clients with the router IP-address as DNS server.
I have also set my domain server to forward all external requests to my router’s IP-address.
Then I went to IP->DNS and pressed the button named Static.
Press the + button and add a record like this:
Name: google.com
Regexp: I leave empty
Type: FWD
TTL: I leave as is
If I also want all the subdomains for google.com to be included, let’s say I want to enable mail.google.com at the same time, I check the box “Match Subdomains”.
Address List: Here I write the name of the list. Ex. “All my Google services”.
Address: 8.8.8.8
What this will do is, as soon as somebody asks the router for the DNS records for mail.google.com, it will resolve the IP-addresses and put those IP-addresses in the Address list “All my Google services”. If someone asks for smtp.google.com it will resolve that too and add those IP-addresses to the address list “All my Google services”.
Now I can make a firewall rule that allows communication to the address list “All my Google services” and I’m good to go.
AT LEAST FOUR ISSUES WITH THIS TO BE AWARE OF!!!
1, The 8.8.8.8 address you put in the static record is the only DNS-server that will be able to resolve *.google.com for you. You can’t add a secondary DNS-server for this (I believe).
2, You will shortly have a huge list.
3, You can’t add the same record to two different lists. But you can have multiple firewall rules with different address lists. I have sorted this by creating a list for “All my Google services” and another list for “All my Microsoft services” and a third list for “Allow Teamviewer” and so on.
Then I create a new firewall rule for each list that needs to be accessible for each VLAN.
4, If no client asks for “something.google.com” the list isn’t really created, so you can’t add it to a firewall rule. The list is created when someone tries to resolve a record in the list. You can bypass this by simply creating the address list manually; then you can add it to a firewall rule and the static entry will expand that list automatically.
I really hope that this will help someone in my situation.
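For reference, here is the same setup as RouterOS CLI commands. This is an added example, not configuration posted in this thread; it assumes RouterOS 7 syntax (the `match-subdomain` and `forward-to` parameters), a router LAN address of 192.168.88.1, an interface list named LAN, and 8.8.8.8 as the single upstream forwarder, all of which are placeholders to adjust. It covers the static FWD record from the second reply and the four caveats above: the list is seeded manually so it exists before any client resolves a name, and plain port-53 traffic from clients that ignore DHCP is redirected to the router (DoH/DoT on clients still has to be disabled or blocked separately).

```routeros
# Added example (not from the thread). RouterOS 7 CLI; IPs and list names are placeholders.

# 1. Router answers DNS for the LAN and DHCP hands out the router as the only resolver.
/ip dns set allow-remote-requests=yes
/ip dhcp-server network set [find] dns-server=192.168.88.1

# 2. Clients with a hard-coded plain-DNS server are redirected back to the router.
#    This does not catch DoH/DoT, which must be handled on the clients.
/ip firewall nat add chain=dstnat in-interface-list=LAN protocol=udp dst-port=53 \
    action=redirect to-ports=53 comment="force LAN DNS via router"
/ip firewall nat add chain=dstnat in-interface-list=LAN protocol=tcp dst-port=53 \
    action=redirect to-ports=53 comment="force LAN DNS via router"

# 3. Seed the address list with one static entry so it can be referenced in a
#    filter rule before any client has resolved a matching name (caveat 4).
/ip firewall address-list add list="All my Google services" address=8.8.8.8 \
    comment="seed entry; dynamic entries are added by the static FWD record"

# 4. The static FWD record: google.com and every subdomain go to the single
#    forwarder (caveat 1), and each answer lands in the address list with its TTL.
/ip dns static add name=google.com type=FWD forward-to=8.8.8.8 match-subdomain=yes \
    address-list="All my Google services" comment="collect resolved *.google.com IPs"

# 5. Default-deny forward chain that only opens the collected destinations.
#    One accept rule per list/VLAN, as described in caveat 3.
/ip firewall filter add chain=forward connection-state=established,related action=accept
/ip firewall filter add chain=forward in-interface-list=LAN \
    dst-address-list="All my Google services" action=accept
/ip firewall filter add chain=forward in-interface-list=LAN action=drop \
    comment="everything not explicitly listed is blocked"

# Check: after a client resolves e.g. mail.google.com, dynamic entries with a
# timeout equal to the DNS TTL should appear here.
/ip firewall address-list print where list="All my Google services"
```

The seed entry in step 3 is static and never expires; the entries the FWD record adds are dynamic and disappear when the record's TTL runs out, so a client that has cached a name longer than the router keeps the address-list entry will see its connection blocked until it re-resolves. Keeping the DNS cache and the address list on the same device, as this setup does, is what makes the two lifetimes line up.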
I can totally understand the predicament. However, when using the static DNS entry with FWD it actually works really well.
It would be a great function if it was possible to do a FWD to the external DNS-servers added to the router itself. The fact that I now have to rely on a single DNS-server is not optimal.
It would also be really cool if one could add the same record to multiple lists, but that’s minutiae.
Nowadays most internet connections are pretty unrestricted so this is a no-brainer, but when using for example Starlink in a marine environment we have to set up the connection very carefully with lots of restrictions.
We primarily block everything and then open communication for email, sharepoint and maybe Whatsapp or similar.
And to open communication for Exchange Online demands a lot of IP-addresses to be added, and some of them aren’t listed by Microsoft but are only listed as *.outlook.com. The static FWD record solves this issue for us and I’m very grateful for that.