Block anydesk/teamviewer

Dear all,
We are using a MikroTik RouterBoard 750Gr3 with RouterOS 6.49.8 and want to block AnyDesk/TeamViewer traffic from the LAN. We have tried to block this with an L7 protocol regex, but it does not work. Secondly, we tried capturing the destination IPs, but the rule is not fetching any destination IPs. Please help us resolve this issue: how can we block AnyDesk/TeamViewer connectivity and traffic from the LAN?


Regards
RMAK

I think this could be done with DNS, so you reply with some bogus IP.
Because TeamViewer connects to the server to get to the endpoint, if you get all DNS request names for the TeamViewer servers you can block these.

Standard query 0x84b9 A router7.teamviewer.com
Standard query 0x3743 AAAA router7.teamviewer.com

Maybe just a DNS response with 127.0.0.1 for *.teamviewer.com

Don’t know anything about AnyDesk or how their remote system works.
But I think it’s similar.

And of course force all LAN DNS traffic to your own DNS.

I don’t think so, that’s a DPI problem that MT is not best suited to intercept. I could be wrong though.

This could not work, please suggest some other way. It does not detect any traffic.

Do you know where TeamViewer gets its endpoint IP from?
You have some serial number ID, and the client uses that at the server to get its endpoint IP.
So if you block this connection to the server, the client can’t get its endpoint’s IP.
Maybe TeamViewer also has some static IP for the server in their client, for when the client’s DNS fails.
But if so you could just block these IPs as well.
And if the connection has CGNAT or NAT, all traffic goes through the TeamViewer servers.

There are lots of ways these connections can work; this describes one.

  1. Client (registers its public IP and opens an IP session) ↔ Server ↔ (registers its public IP and opens an IP session) Client
  2. Client (traffic) ↔ Server ↔ (traffic) Client

And can you describe what goes wrong, not just tell me that it’s wrong?

What happens if the software uses port TCP:443 for the relaying of the connection?

Or uses randomised DNS hostnames that flow over encrypted DoH from the client software itself?

You can’t just “block” everything without some downsides.

Maybe something like this can work for TeamViewer too
http://forum.mikrotik.com/t/block-youtube-on-computers-and-smartphone-apps/160031/86

Obviously replace YouTube with the one you want to block.

@DarkNate

Please don’t feed the trolls with food.
You can even say that IF you use a VPN, you get away from many blocks.
All solutions have some weak point somewhere, even a door.

We have adopted this way to block web traffic, but this method is not working in the case of AnyDesk/TeamViewer. AnyDesk/TeamViewer use multiple servers, and even MikroTik is not capturing traffic with these rules.

Regards
RMAK

I have added the DNS static records below and it works very well for me.

#  NAME        REGEXP            TYPE  ADDRESS    TTL
0  TeamViewer  .?teamviewer.com  A     127.0.0.1  1d
1  AnyDesk     .?anydesk.com     A     127.0.0.1  1d
2  Ammy        .?rl.ammyy.com    A     127.0.0.1  1d

But the only problem is that TeamViewer/AnyDesk/Ammyy will be blocked for everyone, with no exception for anyone. Could someone help and share whether it is possible to add an exception for a LAN IP in the DNS static records?

Thank you for confirming that my hypothesis worked for you, and maybe also for others. :slight_smile:
Sorry to say this solution isn’t 100%, as @DarkNate also says.
Because you can always use something like a VPN or another trick to circumvent these blocks.
Like the use of another DNS; you can block these DNS requests by forcing all port 53 traffic to your DNS. I think there are some guides on how to do that if you search this forum.
Search terms: DNS MANGLE NAT
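The two pieces this thread ends up with, the static-record sinkhole from the post above and the forced-DNS redirect this reply recommends, as one complete RouterOS 6.49 configuration. This is an added example, not any poster’s config; it assumes RouterOS 6.47 or newer for typed static records, an interface list named LAN, and 192.168.88.10 as a constructed placeholder for the one LAN host that should keep working (the exception asked about above is done on the NAT side, since static records have no per-client scope).

```routeros
# DNS sinkhole for the remote-support domains. The regexp matches any
# subdomain; "\\." is an escaped literal dot in the RouterOS CLI.
# An AAAA record is added too, otherwise the A query is sinkholed but a
# dual-stack client still gets the real IPv6 address from upstream.
/ip dns static
add regexp=".*teamviewer\\.com" type=A    address=127.0.0.1 ttl=1d comment="block TeamViewer"
add regexp=".*teamviewer\\.com" type=AAAA address=::1       ttl=1d comment="block TeamViewer (IPv6)"
add regexp=".*anydesk\\.com"    type=A    address=127.0.0.1 ttl=1d comment="block AnyDesk"
add regexp=".*anydesk\\.com"    type=AAAA address=::1       ttl=1d comment="block AnyDesk (IPv6)"

# The router must answer LAN clients itself (the default firewall already
# accepts input from the LAN interface list).
/ip dns set allow-remote-requests=yes

# LAN hosts allowed to keep using an outside resolver (constructed address).
/ip firewall address-list
add list=dns-exempt address=192.168.88.10 comment="admin workstation, not sinkholed"

# Redirect every other LAN client's plain DNS (UDP and TCP 53) to the router,
# so pointing the PC at 8.8.8.8 still lands on the sinkhole. NAT rules are
# evaluated in order, so the accept rules for the exempt list come first.
/ip firewall nat
add chain=dstnat src-address-list=dns-exempt protocol=udp dst-port=53 action=accept
add chain=dstnat src-address-list=dns-exempt protocol=tcp dst-port=53 action=accept
add chain=dstnat in-interface-list=LAN protocol=udp dst-port=53 action=redirect to-ports=53
add chain=dstnat in-interface-list=LAN protocol=tcp dst-port=53 action=redirect to-ports=53

# DNS-over-TLS has its own port and can simply be dropped; DNS-over-HTTPS
# shares TCP 443 with normal web traffic and is not caught by any of this.
/ip firewall filter
add chain=forward in-interface-list=LAN protocol=tcp dst-port=853 action=drop comment="block DoT"
```

From a sinkholed client, `nslookup router7.teamviewer.com` should now return 127.0.0.1 whatever resolver the client is configured with, and `/ip firewall nat print stats` shows the redirect counters climbing.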

Sorry, I’m new to the scene. After adding these static records, what should the outcome actually be? How can I prove that this configuration on my Tik is right? After trying it for TeamViewer, the website still opens and the application still shows green dots. Thanks in advance.

As indicated above, you cannot simply block it using Tik HW.

What DNS are you using with the PC?
Do you use the router DNS? That answers *.teamviewer.com with IP address 127.0.0.1.
If you are using another DNS, you circumvent this block.
You can also make a mangle rule, I think, to direct all UDP 53 traffic to the router IP.
So the clients can’t use another DNS.

I used Google DNS and tried to block using L7; it is successful, however it can be bypassed using any DoH.