“Voilà! shit”, but have you tried it?
Browsers will still use https/TLS anyway,
it’s not that QUIC is the only thing that exists.
MikroTik routers and RouterOS cannot do Deep Packet Inspection [DPI], so any site that uses HTTPS [like YouTube, Facebook, etc.] cannot be inspected and blocked … to do that you need to have a router/hardware capable of doing DPI efficiently without impacting performance greatly … Those types of router systems are generally defined as Content Management Systems [CMS].
If that interests you, then vendors like DrayTek and their Vigor2962/3910 routers can do it nicely – for those types of devices the CMS portion usually has a licensing cost associated with the CMS modules as add-ons …
You could capture the IP addresses that YouTube uses and then create a YTBlock list that contains those IPs, then in Filter RAW create a block rule, and that would be effective for as long as those IPs are active … YouTube does change its IPs from time to time, so you have to stay on top of that to keep your block list current.
There are some creative ways of getting YouTube addresses from the following link:
https://stackoverflow.com/questions/9342782/is-there-a-way-to-get-all-ip-addresses-of-youtube-to-block-it-with-windows-firew
Yes,
the solution to this topic is still the post #2…
DPI (Deep Packet Inspection) is currently impossible to perform on standard encrypted payloads, which is what almost all traffic is these days, thus you have just the IP address and port number to play with. Also, there is no hardware that can crack today’s encryption algorithms and decrypt traffic in real time. It’s worth noting that the most current algorithms are also quantum-safe.
There are some very specific solutions targeted at enterprise that disconnect certificates with a “man-in-the-middle” encryption server, but since end-to-end encryption (“aka zero trust”) is more or less standard in modern software, MitM solutions will soon become outdated as well. Moreover, that solution is also extremely expensive and cumbersome to implement because it requires extensive changes on all clients.
Bottom line, there are no standard firewalls and/or CMSs that can perform DPI, dynamic application routing, firewall L7 filtering or whatever you want to call this, for the reasons explained above.
Excellent, clear and honest advice, rextended. Much appreciated.
Also Normis… why! Concur, sometimes one needs to invoke something called parenting or business employee rules ( as in how to get fired ).
As for yahm…
https://media.tenor.com/DGlbJWqzeNEAAAAM/cant-handle-the-truth.gif
Regarding the OP and how to block Youtube, here are my two recommendations where both should be used together for best effect:
- Firstly, if it’s not for personal use I would subscribe to a service; otherwise I’d use a tool like iplist-youtube to get the most current IP addresses for a blocklist. If you don’t want to host and run “iplist-youtube” yourself, the address lists are updated every 5 minutes and are available here
- IPv4 list raw link => https://raw.githubusercontent.com/touhidurrr/iplist-youtube/main/ipv4_list.txt
- IPv6 list raw link => https://raw.githubusercontent.com/touhidurrr/iplist-youtube/main/ipv6_list.txt
- Implement pi-hole or similar.
Many cruise ships and airlines block YouTube and similar streaming services by using specialized providers that offer these as commercial services
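The address-list approach described in the posts above (fetch a YouTube prefix list, load it into a RouterOS address list, drop traffic to it with a raw rule), as an added example that is not code from the thread or from the iplist-youtube project. It parses a constructed sample in the list’s one-prefix-per-line shape, merges overlapping prefixes, emits the RouterOS CLI lines, and provides a membership check so you can test which destinations the list would also catch; the list name, timeout and sample ranges are assumptions.

```python
import ipaddress

# Constructed sample in the one-prefix-per-line shape of the iplist-youtube raw files.
# RFC 5737 / RFC 3849 documentation ranges only; these are not real YouTube prefixes.
SAMPLE_LIST = """\
# constructed sample, not real data
203.0.113.0/26
203.0.113.64/26
198.51.100.0/24
198.51.100.128/25
2001:db8:1::/48
not-an-address
"""

def parse_prefixes(text: str) -> list:
    """Parse the list into ip_network objects, skipping comments and malformed lines.
    Adjacent and overlapping prefixes are merged so the address list stays small."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue                      # tolerate junk instead of aborting the refresh
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))

def routeros_commands(nets, list_name="YTBlock", timeout="10m") -> list:
    """Emit RouterOS CLI lines: address-list entries with a timeout (so entries expire if the
    refresh job dies) plus one raw rule per address family dropping traffic to the list."""
    cmds = []
    for n in nets:
        table = "/ip firewall" if n.version == 4 else "/ipv6 firewall"
        cmds.append(f"{table} address-list add list={list_name} address={n} timeout={timeout}")
    for table in sorted({"/ip firewall" if n.version == 4 else "/ipv6 firewall" for n in nets}):
        cmds.append(f"{table} raw add chain=prerouting dst-address-list={list_name} action=drop")
    return cmds

def is_blocked(ip: str, nets) -> bool:
    """Would this destination be caught by the list? Use it to spot collateral blocking
    (the thread's warning: other Google services share these prefixes)."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == n.version and addr in n for n in nets)
```

The timeout is deliberately short so that, if the periodic refresh stops, stale prefixes expire on their own instead of blocking whatever those addresses are reassigned to.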
Since the IPs used by YouTube servers are not used only for YouTube (no matter how fresh the list is), you also break other Google services, which breaks other sites (googleads, googleadservices, google-analytics, googlesyndication, googletagmanager, googletagservices, doubleclick, 1e101, etc.), because often other sites that have nothing to do directly with Google use Google services to display content and are broken in this way…
That’s the whole point of pi-hole …
NO, still valid post #2:
Unless you have full control of the user device, you cannot stop DoH & Co. with pihole (nor VPNs).
If someone wants to go to YouTube, they go to YouTube.
Many cruise ships and airlines block YouTube and similar streaming services by using specialized providers that offer these as commercial services (i.e. IP and DNS blocking). And yes, there might be shared streaming services for some suppliers. Forget DPI.
@Larsa
I happen to disagree with your opinion … I have a number of very successful, inexpensive CMS systems in service made by Untangle that are very effective, as MY clients continue to tell me … and recently I have seen the DrayTek models I referred to earlier that are doing well in this area, reported by some of my colleagues, that have piqued my interest due to their performance metrics, which are also relatively inexpensive when compared to the big boys’ CMS offerings …
They can certainly work to a limited extent using only IP addresses and port numbers, but there are no standard firewalls capable of running DPI on encrypted traffic. Any company with a reasonably updated understanding of security runs business-critical applications with encrypted communication, even for internal use.
Not absolutely correct. You can stop DoH/DoT, and VPNs as well, at least, many or most of them.
I.e. for WiFi in schools, this is an important feature.
You cannot block DoH without DPI if the user is running his own private DoH server or his own private VPN server.
Some of them. Since you cannot see inside encrypted packets on port 443, you have no way to see if it is just normal HTTPS traffic or a VPN going over port 443.
As rextended writes, you need full control of the client to make sure you know what is going on.
Use Splunk> to log/monitor your MikroTik Router(s). See link below.
As always with technical problems: It is not about who is right. It is about what works.
In summary:
YouTube can be blocked to a certain extent for the average user by forwarding DNS to a commercial DNS service like Cloudflare, Umbrella etc. They have the ability to track and adapt to the constant changes in YouTube’s CDS host entries and filter them out. You cannot block the YouTube CDS IPs in general, as they run many other services besides YouTube on the same IPs.
You can block DoHS/HTTPS VPN for the average user by blocking 443 to IPs of the well known public accessible VPN and DoHS servers.
This mostly limits access for the average school student or hotel guest.
But there is no way to block someone with the necessary skills to use HTTPS VPN and/or DoHS to connect to a server IP you do not know about.
Except enterprise HTTPS proxy solutions breaking up the SSH connection, doing DPI and reencrypting towards the internal client using a private root Cert installed as trusted on the internal clients.
Everyone claiming different is invited to provide working solutions instead of just presenting assertions on what they think works or does not.
Because again: It is not about who is right. It is about what works.
Applause.
You did the “teaching” I was too lazy for, assuming my hints would trigger some thinking.
BTW: SNI intercept can also help in blocking youtube etc.
TLS 1.3 encrypts SNI. So this method is gone now.
Actually, it is not enforced everywhere. Does YouTube enforce it?
This is the worst group. I have been working with networks for high school students over many years, and they find a way around everything. If one finds out, everyone knows how to bypass the blockage in just a few seconds.
Yes. In my case I wanted to slow down YouTube traffic, so I used mangle with tls-host googlevideo.com to mark packets for the queues. But especially for you I tried:
add action=reject chain=forward protocol=tcp reject-with=tcp-reset tls-host=*googlevideo.com*
and it also works well. Yes, youtube.com still opened, but no video was loaded.