Blocking the use of other DNS Servers than the one in RB

Hi

I have found a config to block access to specific websites, which works well.

ip firewall layer7-protocol add comment="" name=p2p_www regexp="^.*(get|GET).+\
(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|vertor|h33t|\
zoozle|bitnova|bitsoup|meganova|fulldls|btbot|fenopy|gpirate|commonbits).*\$"

ip firewall layer7-protocol add comment="" name=p2p_dns regexp="^.+\
(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|vertor|h33t|\
zoozle|bitnova|bitsoup|meganova|fulldls|btbot|fenopy|gpirate|commonbits).*\$"

ip firewall filter add action=drop chain=forward comment="block p2p_www" disabled=no \
layer7-protocol=p2p_www

ip firewall filter add action=drop chain=forward comment="block p2p_dns" disabled=no \
dst-port=53 layer7-protocol=p2p_dns protocol=udp

The RB in my setup acts as DHCP server and uses the RB as DHCP server, local IP: 192.168.1.1

But since this DNS blocking is done in the RB’s DNS, the user still has the possibility to manually add a different DNS server, e.g. an OpenDNS server, to the computer and in that way work around the blocking.

So I was thinking whether it would be possible somehow to block the local users from using other DNS servers than the RB itself.

And so that it is only the RB that has access to ask the 2 external DNS servers 89.184.128.250 and 89.184.128.193.

So that no local user can ask any other DNS server than the one in the RB itself.

While that is possible, the rules you posted directly inspect packets and have nothing to do with what DNS server a user is using. In fact, because they are in your example only running in the forward chain they specifically wouldn’t work if a user is using the router as a DNS server - packets from the client to the router are in the input chain and replies are in the output chain, packets from the router to another DNS server on the Internet are in the output chain and replies are in the input chain.

Okay Thanks

I just assumed that the blocking with those rules was only possible when using the RB as DNS server.

Must say that the strengths in the RB impress me more and more.

Specifically DNS related: To force a client to use your DNS server no matter what they configure on their computer, you could create a nat rule like this:

/ip firewall nat add protocol=udp dst-port=53 dst-address-type=!local action=redirect to-ports=53

@dssmiktik

Thanks, that rule could be very helpful for my setup. I am trying to understand how the rule works and I just can’t get my head around it. It just seems to me that any UDP packet with dest. port 53 and an address outside the LAN is being redirected to dest. port 53 (it was already dest. port 53). I am sure the rule works and I would just like to understand how this will force the client to use the DNS given by the RB.

Thanks,

Pilgrim

‘redirect’ is a special kind of NAT that rewrites the destination IP address in the packet header to an IP address on the router, so that the packet gets redirected to the DNS process running on the router.

Hi dssmiktik

I have tried with your rule to only allow DNS from the clients to the router itself,
but it doesn’t seem to work. When I enter the command it asks for
chain, where I can choose from dstnat and srcnat,
and it will only accept it when I choose dstnat.

But the rule doesn’t seem to work.
Because on my laptop I have entered static DNS servers from OpenDNS for testing and it can still access the internet and ping all new addresses.
And I can see in Firewall / Connections that my local IP is talking with the external IP of the DNS server on port 53.

It should be so that it’s not possible to ask other DNS servers than the router itself on IP 192.168.1.1, so that only the router can ask the external DNS servers.

My problem is that even though I have the above rules to block torrents and other stuff, I sometimes have those entries in the DNS list of the router.
With the above rules the access to utorrent should be blocked.
With my own machine I can’t ping or access the website or anything and nothing shows up in the DNS list when I try, but sometimes those records show up in the router DNS, so I am afraid that some of the users somehow have found a way to bypass the restrictions.
Or can someone explain how those records sometimes can show up?

The rule about redirecting DNS traffic works pretty well. You can test it by pinging www.google.com for example,
once with the rule activated and the other time without it. In every case don’t forget to flush the DNS cache of the PC.
From the test you should see different IPs for the same DNS name (of course only when the DNS name has more than one server).

As for your configuration, you should set the firewall filter rule in the input chain.
I tested it myself, without using the Layer-7 you posted; I tested it for the whole DNS traffic and it blocked it
only in the input chain and not in the forward chain.

About your post of the layer-7 rule capturing isohunt for example, in my test it didn’t capture it.
I am not that good at layer-7, so I cannot comment much more about it, but it may not be accurate.

Toni
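The comparison test Toni describes (resolve the same name through the router and through an external server, with and without the redirect rule) can be made explicit with a small script. This is an added Python example, not code from the thread or from MikroTik: it builds a raw UDP DNS query, parses the A records out of the reply, and resolves one name through several resolvers. The name and the external resolver address are placeholders, and SAMPLE_RESPONSE is a constructed reply used only so the parser can be checked offline.

```python
import random
import socket
import struct


def build_query(name, qtype=1, txid=None):
    """Build a minimal DNS query (class IN, RD=1) for `name`."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels = []
    jumped = False
    end = off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped = True
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_a_records(msg):
    """Return the IPv4 addresses in the answer section of a DNS response."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def resolve_via(name, server, timeout=2.0):
    """Send one query to `server` on UDP/53 and return the A records, or
    None if nothing comes back (e.g. a filter rule drops the packet)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return None
    if data[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return parse_a_records(data)


def compare_resolvers(name, servers):
    """Resolve `name` through each server. With the redirect rule active the
    external entry is really answered by the router, so the sets should agree
    (round-robin names may still differ, as noted in the thread)."""
    return {srv: resolve_via(name, srv) for srv in servers}


# Constructed sample reply: www.example.test -> 127.0.0.1, txid 0x1234.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x03www\x07example\x04test\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4)
    + socket.inet_aton("127.0.0.1")
)

if __name__ == "__main__":
    # Router address from the thread; 203.0.113.53 is a placeholder external resolver.
    print(compare_resolvers("www.example.com", ["192.168.1.1", "203.0.113.53"]))
```

Run it from a LAN client before and after enabling the rule (and flush the client cache, as Toni says); a `None` for the external server means the query was dropped rather than redirected.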

One way to block those connections could be to use a static dns entry to resolve to a false IP. The dstnat rule I posted above still applies, you still would need that.
You could use regular expressions in static dns entries to redirect *.utorrent.com to IP: 127.0.0.1 for example. This would prevent that domain from resolving.

I posted about this here: http://forum.mikrotik.com/t/how-block-connection-of-p2p/18495/30

I actually have those entries too, forgot to mention that.

I have tried to analyse my network traffic and think I have found a possible way those entries come.

It seems like they come when I e.g. ping www.bittorrent.com,
then I get the correct IP back:
Reply from 208.72.192.133: bytes=32 time=166ms TTL=52

I have some difficulty understanding the syntax of the static DNS entries.

Couldn’t it be possible to create an entry that redirects torrent.* to 127.0.0.1?
That should block anything with the word torrent in the address.

I have tried with “.*(^|.)torrent\” but that doesn’t seem to be enough, so there is my problem understanding the syntax.

To resolve any DNS name with ‘torrent’ in its name to, say, 127.0.0.1, you could do something like this:

/ip dns add address=127.0.0.1 comment="" disabled=no name=.*torrent

Basically, it uses regular expressions to match the DNS request.

Here’s the Wiki entry about DNS static records:
http://wiki.mikrotik.com/wiki/Manual:IP/DNS#Static_DNS_Entries

Regular expressions can seem confusing at first, but once you get the basics, it’s pretty powerful.

Thanks that solved the problem with the “Torrent” in the DNS.

Now I only need to solve my last problem: forcing the users to use the RB as the DNS server so that they are not able to use any other DNS server like OpenDNS or things like that.

See my post above about dst-nat / redirect. I use it currently, and it seems to work well. I think this is what you want as well.

Edit: I realized I forgot to put the chain in there. Here is what the complete rule should look like:

/ip firewall nat add chain=dstnat protocol=udp dst-port=53 dst-address-type=!local action=redirect to-ports=53

That’s also the way I had created the rule, but I am still afraid it’s not working quite as it should.

When I test it by giving a computer a static address and setting the DNS server to e.g. OpenDNS 208.67.222.222 and 208.67.220.220,

then when I monitor the Firewall Connections I can see my local IP connecting to the IP of the OpenDNS servers on port 53 when I ping different web sites, so I must assume that the rule is not working.

And it’s possible for me to ping addresses that are blocked in my RB:

/ip dns static
add address=127.0.0.1 comment="" disabled=no name=.*thepiratebay.org ttl=1d

But wouldn’t it be possible to make the rule so that it’s not possible from the internal side (LAN) to connect to external DNS servers via WAN, so that it’s only possible for the RB to ask the DNS server? In that way the users would be forced to use the RB as the DNS server since direct connections to external DNS servers are blocked.

Hmm… The rule I posted works for me. I’m not sure what could be the problem.

Is the dstnat rule at the top of the nat rules? Is it getting any bytes counted?
Just to re-state, this rule works for me:

/ip firewall nat add chain=dstnat protocol=udp dst-port=53 dst-address-type=!local action=redirect to-ports=53

Also, what version are you using? If it’s v5.0beta or v5.0rc there may be a problem with firewall rules.

Hope this helps :slight_smile:

Yes, the traffic hitting the NAT rule is counting, so traffic is coming to it.

And I have found out that it’s only counting bytes when I use other DNS servers than the RB itself, so some part of the rule works.

I use an RB450G with Software Version 4.11

I am also having this config in the box:
Equal bandwidth sharing among users
http://www.ahmedramze.com/lecture/mikrotik.pdf
But I don’t think that should have any impact on the configuration about the DNS.

But a workaround would be to block LAN users from connecting to external DNS servers; in that case they would be forced to use the RB as their DNS.
But I am not sure how to do that, since the users still should be able to access the DNS of the RB, so that I don’t block that.

Try to add the same rule for the TCP protocol, and also try to remove from the rule:

… dst-address-type=!local … , so it should be like

/ip firewall nat add chain=dstnat protocol=udp dst-port=53 action=redirect to-ports=53
/ip firewall nat add chain=dstnat protocol=tcp dst-port=53 action=redirect to-ports=53

Just my guess

The dst-address-type=!local should be in there. It basically does not capture traffic if it’s already destined for the router itself.

So if my router’s IP is 192.168.88.1, and the client uses that IP as the DNS server, you wouldn’t want the nat rule executed as it would get natted and consume unnecessary resources at every dns request. If the client uses an IP that is not local to the router, say 1.2.3.4, this rule gets executed so that the packet is redirected to the router itself. The router then makes a separate dns request to external dns servers (in this case opendns). Also, dns requests happen on udp, not tcp. tcp is mostly used for dns updates to dns server itself.

Centauri,
When you look at /ip firewall connection, you should see two DNS connections: one coming from the client to the router, then another from the router to its own configured DNS server(s).
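Putting dssmiktik’s redirect rule together with the forward-chain block Centauri asked for earlier gives one complete configuration. This is an added example, not a rule set posted in the thread or shipped by MikroTik: it assumes the LAN is 192.168.1.0/24 (from the first post), that the router answers DNS on 192.168.1.1, and that the LAN interface is named ether2-lan (a hypothetical name; substitute your own). Adding the TCP/53 rules alongside UDP is a choice made here, not something the thread settled.

```routeros
# Added example configuration (not from the thread). Interface name
# "ether2-lan" and the 192.168.1.0/24 subnet are assumptions.

# The router must be willing to answer DNS queries from the LAN at all.
/ip dns set allow-remote-requests=yes

# 1. Transparent redirect: any DNS query from the LAN that is not already
#    addressed to the router is rewritten to the router's own resolver.
#    dst-address-type=!local skips queries already aimed at the router,
#    so they are not needlessly NATed (as dssmiktik explains above).
/ip firewall nat add chain=dstnat in-interface=ether2-lan protocol=udp dst-port=53 \
    dst-address-type=!local action=redirect to-ports=53 comment="redirect LAN DNS (udp)"
/ip firewall nat add chain=dstnat in-interface=ether2-lan protocol=tcp dst-port=53 \
    dst-address-type=!local action=redirect to-ports=53 comment="redirect LAN DNS (tcp)"

# 2. Belt and braces: drop any DNS that would still be forwarded out of the
#    LAN. Client-to-router DNS travels the input chain, not forward, so the
#    router's own resolver stays reachable and the router's outbound queries
#    to 89.184.128.250 / 89.184.128.193 (output chain) are unaffected.
/ip firewall filter add chain=forward in-interface=ether2-lan protocol=udp dst-port=53 \
    action=drop comment="drop LAN DNS to external servers (udp)"
/ip firewall filter add chain=forward in-interface=ether2-lan protocol=tcp dst-port=53 \
    action=drop comment="drop LAN DNS to external servers (tcp)"

# 3. Explicitly allow LAN clients to query the router itself, placed before
#    any general drop in the input chain.
/ip firewall filter add chain=input src-address=192.168.1.0/24 protocol=udp dst-port=53 \
    action=accept comment="allow LAN DNS to router"
```

After applying it, the byte counters on the dstnat rules should grow only when a client is pointed at an outside resolver, and /ip firewall connection should show the two-hop pattern described above (client to router, router to its configured upstream servers); a client-to-external-resolver entry on port 53 means the redirect rule is not matching, most often because it sits below another NAT rule or was entered without chain=dstnat.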

I stand corrected.