Hello.
Below is a setup for blocking pornography (adult content) on a MikroTik, plus a way to use DoH (DNS over HTTPS) for the router's own resolver.
This is a how-to for beginners.
1- You need to force clients to use only the MikroTik DNS, and block every other DNS request in case clients change the DNS settings on their devices.
In this example the WAN (input) interface is ether1 and the local network is 192.168.88.0/24.
Redirect all DNS to the MikroTik. Note that the redirect rule below only catches UDP/53 and is not limited to the LAN interface; the masquerade rule is shown with disabled=yes, so enable it (or keep your own existing srcnat rule) or clients will have no internet access.
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface=ether1 src-address=192.168.88.0/24
add action=redirect chain=dstnat dst-port=53 protocol=udp
If ether1 has a public IP, block all incoming DNS requests on it so the router cannot be abused as an open resolver in a DNS amplification/DDoS attack. Also answer ping from the public side only for the IPs we allow via the GREEN address list.
GREEN list IPs
Remove the Google DNS entry (8.8.8.0/24) if you want to block access to it as well:
/ip firewall address-list
add address=8.8.8.0/24 list=GREEN
add address=1.1.1.0/24 list=GREEN
add address=192.168.88.0/24 list=GREEN
And these filter rules (they must sit above any general accept rule in the input chain, otherwise they never match):
/ip firewall filter
add action=drop chain=input icmp-options=8:0-255 in-interface=ether1 protocol=icmp src-address-list=!GREEN
add action=drop chain=input dst-port=53 protocol=udp src-address-list=!GREEN
add action=drop chain=input dst-port=53 protocol=tcp src-address-list=!GREEN
Now test: if step 2 has not been done yet and no DNS server is configured on the MikroTik, no web page should open and no hostname should resolve. That means the firewall setup is working and we can move to step 2.
2- Setting the Cloudflare DNS
Cloudflare has three DNS resolvers:
1.1.1.1 for normal DNS without any blocking.
1.1.1.2 Block malware
1.1.1.3 Block malware and adult content
MikroTik DNS setting without DoH, for blocking malware and adult content:
/ip dns
set allow-remote-requests=yes servers=1.1.1.3
MikroTik DNS setting with DoH, for blocking malware and adult content.
As with normal DNS, Cloudflare has three DoH endpoints:
https://cloudflare-dns.com/dns-query - normal DNS without any blocking.
https://security.cloudflare-dns.com/dns-query - blocks malware.
https://family.cloudflare-dns.com/dns-query - blocks malware and adult content.
Before adding DoH we need to import the root CA certificate (DigiCert Global Root CA) that the Cloudflare DoH endpoint's certificate chains to; without it, verify-doh-cert=yes will reject the connection:
/tool fetch url="https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem"
/certificate import file-name=DigiCertGlobalRootCA.crt.pem
then press Enter when prompted for a passphrase.
Now the normal DoH example. Keep in mind that the DoH server is given as a hostname, so the router must still be able to resolve it: keep a plain servers= entry (as in the step above) or add a static DNS entry for it:
/ip dns set use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes
For blocking malware and adult content:
/ip dns set servers=1.1.1.3 use-doh-server=https://family.cloudflare-dns.com/dns-query verify-doh-cert=yes
Tested and works 100%, but my issue is how to block DoH or DoT requests from users, since they can bypass the DNS blocking by using DNS over HTTPS.
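As an added example (not part of the original post), here is the whole procedure above collected into one RouterOS script, with the gaps closed that a practitioner would want closed: TCP/53 is redirected as well as UDP/53, the redirect is limited to traffic arriving from the LAN side, and the bypass question at the end is handled as far as a firewall can handle it. DoT always uses tcp/853, so it can simply be dropped; DoH rides on 443, so only connections to known resolver addresses can be dropped, which is why the script keeps them in an address list. Assumptions: ether1 is the WAN, everything that is not ether1 is LAN, the LAN is 192.168.88.0/24, and the DOH_RESOLVERS list is an assumed name seeded only with the two resolver ranges named in the post, so it has to be extended for other providers.

```routeros
# Added example, not from the original post. Assumes ether1 = WAN,
# all other interfaces = LAN, LAN prefix 192.168.88.0/24.

/ip firewall address-list
add address=192.168.88.0/24 list=GREEN comment="LAN: may query the router"
# Resolvers whose DoH/DoT endpoints LAN clients must not reach directly.
# DOH_RESOLVERS is an assumed list name; only the ranges from the post are
# included here, extend it for any other public resolver you want blocked.
add address=8.8.8.0/24 list=DOH_RESOLVERS comment="Google Public DNS"
add address=1.1.1.0/24 list=DOH_RESOLVERS comment="Cloudflare"

/ip firewall nat
# Redirect plain DNS (UDP and TCP) arriving from the LAN side only.
add chain=dstnat in-interface=!ether1 protocol=udp dst-port=53 action=redirect comment="force router DNS (udp)"
add chain=dstnat in-interface=!ether1 protocol=tcp dst-port=53 action=redirect comment="force router DNS (tcp)"
add chain=srcnat out-interface=ether1 src-address=192.168.88.0/24 action=masquerade

/ip firewall filter
# The router's own resolver and ping answer only GREEN sources.
add chain=input in-interface=ether1 protocol=icmp icmp-options=8:0-255 src-address-list=!GREEN action=drop comment="ping from WAN: GREEN only"
add chain=input protocol=udp dst-port=53 src-address-list=!GREEN action=drop comment="no open resolver (udp)"
add chain=input protocol=tcp dst-port=53 src-address-list=!GREEN action=drop comment="no open resolver (tcp)"
# Bypass attempts from the LAN. These are forward-chain rules, so they do
# not touch the router's own DoH session (that is output chain), and the
# router still reaches family.cloudflare-dns.com on 443.
add chain=forward in-interface=!ether1 protocol=tcp dst-port=853 action=drop comment="DoT bypass"
add chain=forward in-interface=!ether1 protocol=tcp dst-port=443 dst-address-list=DOH_RESOLVERS action=drop comment="DoH bypass to known resolvers"
add chain=forward in-interface=!ether1 protocol=udp dst-port=443 dst-address-list=DOH_RESOLVERS action=drop comment="DoH over HTTP/3 (QUIC) to known resolvers"

# Root CA for the Cloudflare DoH endpoint, then the resolver itself.
# servers=1.1.1.3 stays so the router can resolve the DoH hostname.
/tool fetch url="https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem"
/certificate import file-name=DigiCertGlobalRootCA.crt.pem passphrase=""
/ip dns set allow-remote-requests=yes servers=1.1.1.3 use-doh-server=https://family.cloudflare-dns.com/dns-query verify-doh-cert=yes
```

Place the drop rules above any general accept rule in the same chain, or they will never be evaluated. To check the result from a LAN client: a plain query to 8.8.8.8 should still answer (it is transparently redirected to the router and filtered by 1.1.1.3), a DoT connection to 1.1.1.1:853 should time out, and a DoH request to https://cloudflare-dns.com/dns-query should fail, while the same request to a resolver not in DOH_RESOLVERS still works; that last case is the limit of this approach, since DoH to an unlisted 443 endpoint is indistinguishable from ordinary HTTPS without TLS interception.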