hello
please i need a way to change user profile dns so that some users can’t access to forbidden websites. I don’t want to block all the users, just a specific user profile.
Thanks
how do you propose to block certain sites if https ???
Simple answer:
Change your mind or buy something that does it on purpose with deep packet inspection (and doesn’t always guess it)
Simple demonstration of how to get around the block in no time:
https://mikrotik-com.translate.goog/?_x_tr_sl=auto&_x_tr_tl=lv&_x_tr_hl=lv&_x_tr_pto=wapp
And this is just 1 of thousand of methods, from VPN, to TOR, to proxy(*), to…
You must have Zero Trust on any blocking methods ( 
@anav )
Just if you phisically control the device that the user use you can do something.
Topic SOLVED, after this line all is useless.
Try researching untangle.
( @rextended, everytime you think of me, check mail)
I think opendns has a good service so I want to add these ip dns for a specific user profile
I used to use opendns but now I do DOH with adguard dns
could you tell me how does DOH Adguard works?
DoH is integrated on new browser and smartphone, you can not modify the (DoH) DNS used if you do not have physical access to the device.
Hi rextended. Understood its not completely able to direct all dns requests but its pretty good for the average user.
For example on my iphone I can play games without ads, ITS WONDERFUL. So please dont disparage all attempts for a better experience LOL.
Yes any hacker highschool kid can get around most things but its still a useful option.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
My recipe for DOH on MT for adguard. ( using normis, excellent video )
/ip dns
set allow-remote-requests=yes servers=94.140.14.15,94.140.15.16 use-doh-server=https://family.adguard-dns.com/dns-query verify-doh-cert=yes *********
The tricky part is the first part adding the CerT!!
Go to this website…
https://adguard-dns.io/en/welcome.html
Click on the LOCK SIGN right next to the URL itself.
Select “CONNECTION SECURE” in the popup.
Select “MORE INFORMATION” at the bottom of the popup!
In the next popup select the LOCK ICON SECURTY ( it should default to this selection )
Choose VIEW CERTIFICATE
Select the USERTRUST RSA certificate (far right option)
Scroll down to Miscellaneous and download the PEM (cert)
Upload the downloaded file into your files folder in MT device.
Then go to SYSTEM–> Certificates on MT
Use import function to select the certificate just uploaded and put in files.
Ensure the settings above are now entered. **********
Ensure no ISP dns dynamic servers are available.
Go to IP FIREWALL NAT
add chain=dstnat action=redirect protocol=tcp dst-port=53
add chain=dstnat action=redirect protocol=udp dst-port=53
DONE.
Ok I see
But is it possible to redirect a specific profile user with DOH
Well my example affects the entire router.
If you wanted to do it per a subnet that would be workable.
On a per user basis, until the user figured out how to change IP or subnet.
Although the request is silly, the DOH blocks bad sites spam malicious ads etc, who doesnt want that.
If you need porn then you have a sad life anyway.