Hi Everyone,
Can we add a script that is triggered whenever an entry is added to or deleted from the DNS cache?
The function of the script is to fetch the IP address added to or removed from the DNS cache table. The address-list generated by the script will be used in the firewall filter function.
The main purpose of this is to make sure that only IP addresses listed in the DNS cache will be granted access to the internet, while the rest of the traffic will be blocked. This is to prevent malware or viruses that use a direct IP address and don't use domain names. Viruses or malware that try to use domain names will not resolve any IP address or will be given an incorrect IP. This also prevents clients from using their own DNS, which bypasses the local DNS. We want to have full control of all the domains served to the network.
The DNS trigger script should expose variables such as TTL, DATA, and Type. The purpose is to easily parse the information needed to build the firewall address-list entry. The TTL, for example, will be used to provide the address-list TIMEOUT parameter.
Using a script to regularly check the DNS cache entries is not a good idea. Adding this entry to the address-list should be performed in real time. Any delay in fetching the record results in site query timeouts.
In this approach, we assume the DNS server maintains a list of trusted domains. Whatever IP it provides will also be trusted by the router. Also, Mikrotik supports DoH (DNS over HTTPS). We can point the DNS to a server that acts as a DNS firewall or manages a list of secured sites.
Another suggestion is to add a checkbox in MENU > IP > Settings > "Trust only DNS entry", where this feature only allows traffic to addresses resolved in a DNS A/AAAA record.
I hope Mikrotik will add this feature.
Sincerely,
TCC
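The mechanism the post describes (DNS cache entries copied into a firewall address-list with the record's remaining TTL as the entry timeout, plus a forward chain that only accepts traffic to that list) can be built today with existing RouterOS commands. The script below is an added illustration written for this page; it is not code from the original post or from MikroTik. The list name `dns-allowed`, the 30s TTL floor, the interface list `WAN`, and the assumption that clients use the router as their resolver (`allow-remote-requests=yes`) are all assumptions made for the example. It reads the whole cache rather than reacting to a single change, which is exactly the polling limitation the post asks MikroTik to replace with an event trigger; the address-list and firewall parts would be the same under a trigger.

```routeros
# dns-cache-to-address-list (example script, not from the original post)
# Copies the address of every A/AAAA record in the resolver cache into the
# firewall address-list "dns-allowed" (assumed name), using the record's
# remaining TTL as the address-list timeout so the allowance expires when
# the DNS answer does.
:local listName "dns-allowed"
# A near-zero TTL would expire the entry before the client's first packet
# leaves the router; keep a floor (assumed value) so the window is usable.
:local minTimeout 30s

:foreach rec in=[/ip dns cache all find where (type="A" or type="AAAA")] do={
    :local kind [/ip dns cache all get $rec type]
    :local name [/ip dns cache all get $rec name]
    :local ttl  [/ip dns cache all get $rec ttl]
    :if ($ttl < $minTimeout) do={ :set ttl $minTimeout }

    :if ($kind = "A") do={
        :local addr [:toip [/ip dns cache all get $rec data]]
        :local existing [/ip firewall address-list find where list=$listName and address=$addr]
        :if ([:len $existing] = 0) do={
            /ip firewall address-list add list=$listName address=$addr timeout=$ttl comment=$name
        } else={
            # Record re-resolved: refresh the timeout instead of adding a duplicate.
            /ip firewall address-list set $existing timeout=$ttl comment=$name
        }
    } else={
        :local addr6 [:toip6 [/ip dns cache all get $rec data]]
        :local existing6 [/ipv6 firewall address-list find where list=$listName and address=$addr6]
        :if ([:len $existing6] = 0) do={
            /ipv6 firewall address-list add list=$listName address=$addr6 timeout=$ttl comment=$name
        } else={
            /ipv6 firewall address-list set $existing6 timeout=$ttl comment=$name
        }
    }
}

# One-time setup (assumed topology): the router is the LAN resolver and the
# uplink interfaces are members of an interface list named "WAN".
/ip dns set allow-remote-requests=yes
/ip firewall filter
add chain=forward action=accept connection-state=established,related \
    comment="replies for flows that were already allowed"
add chain=forward action=accept out-interface-list=WAN dst-address-list=dns-allowed \
    comment="destination was resolved through the router's DNS"
add chain=forward action=drop out-interface-list=WAN \
    comment="direct-IP traffic and lookups via foreign resolvers never reach the list"
```

Two practical notes. First, the `drop` is in the `forward` chain, so the router's own upstream DNS queries (chain `output`) and the clients' queries to the router (chain `input`) are unaffected; a client that points at an outside resolver is blocked because that resolver's address is itself not in the cache. Second, entries are keyed on the address, not the name, so a CDN address shared by an allowed and a disallowed domain is reachable for as long as the allowed record's TTL, which is inherent to the approach the post describes.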