Hello, I’m new in MT devices. I try to block domains with .io. Could you help me with block .io domains? I blocked one domain by adding ip to firewall and set action to reject. This blocked domain is not blocked in 100%, it’s loading very slow and only html. But some of traffic is rejected. Can u help me with strong block websites?
Maybe it will be helpful?
https://mikrotikconfig.com/firewall/
I don’t tried it yet 
Okay, but .io domain is administered by the Internet Computer Bureau, so I need to exclude UK?
Blocking such a wide target is almost always going to cause problems. And serve no purpose.
You should also know that a router operates at the “IP address” level, not at the “domain” level.
So all methods to block such things are problematic at best.
Okay, but I just need games hosting on io domains. Nobody uses io domains for anything other than games. When i had a small Asus router, I could do that. Simply add .io to firewall and it was all what i need to do. It’s possible to do it on MT?
Nobody uses io domains for anything other than games.
That is 100% not true 
There are tons of nice projects hosted on .io domains. Javascript frameworks, hacking communities and many nice things unrelated to games.
You can add a regexp dns entry to redirect all .io domains to localhost (or any invalid ip address as you like):
/ip dns static
add address=127.0.0.1 regexp=".*\\.io\$"
add address=::1 regexp=".*\\.io\$"
Edit: add ::1 for IPv6 enabled routers
Nobody in network where this MT is Only sister of my gf want to play .io. Her father told me to block this, thats all
@nescafe2002
Thanks you, I will try this later.
This will block DNS requests to .io, both on output chain (from router, if router is serving DNS requests) and forward chain (in case user changes his DNS server to something else or router is not serving DNS requests). Block is done using reject so that resolver does not have to keep waiting for timeout, as it would be the case with drop.
/ip firewall layer7-protocol
add comment=name=\
dns_io regexp="^.\?.\?.\?.\?[\\x01\\x02].\?.\?.\?.\?.\?.\?[\\x01-\?][a-z0\
-9_][\\x01-\?a-z_]*[\\x02-\\x06](io)[\\x01-\\x10\\x1c][\\x\
01\\x03\\x04\\xFF]"
/ip firewall filter
add action=reject chain=output \
dst-port=53 layer7-protocol=dns_io protocol=udp reject-with=\
icmp-admin-prohibited
add action=reject chain=forward \
dst-port=53 layer7-protocol=dns_io protocol=udp reject-with=\
icmp-admin-prohibited
To make this works even better, make a rule that redirect all DNS to your server, so it will not help if user changes their DNS.
Add this:
/ip firewall nat add chain=dstnat action=redirect to-ports=53 protocol=udp dst-port=53
At least tell the people in that family that they should not be surprised when other websites suddenly do not work anymore due to your solution. And that they can contact you again to solve it.
Remember when you visit a website like forum.mikrotik.com you enter that URL in the top bar but the website itself can use many other components from other sites that you do not see. There can be .io domain names in there, and you will block them, so the site misses part of its components.
But of course it was the same on your Asus router. Doing such blocks looks nice at first sight but it will cause problems, and you have to be lucky to not notice them.
@eider, agreed that rejecting is better than redirecting to localhost. It would be better if MT allowed 0.0.0.0 as static dns entry (both fulfilling the dns request so the resolver wouldn’t check secondary dns and eliminating timeouts).
However, your script is syntactically incorrect and results in a full reject on both chains due to missing line continuation marks. Please review or remove to prevent other user’s from simply copying and pasting malfunctioning code.
Fixed. Thanks.
Additionally I do agree with others in here, that blocking all .io is dangerous. Personally I use this solution to prevent remote DNS servers from receiving requests to internal tlds.
I know that, its only temporary solutions, for 1-2 days. It’s a Jail for younger kid 