Since the introduction of domain names to address lists, performing filtering has been a lot easier. Recently a requirement came up and I needed to add several domain names manually to get what I was working on to work, but I still missed several more.
On 6.41, TLS host was introduced and allowed adding wildcard DNS.
Can we see wildcard DNS soon on address lists also? It will be a very nice feature to have. Other firewall vendors have that already, and given that it is available inside a different Mikrotik facility, it should be easy to have it on address lists as well?
With TLS host, there’s hostname in packet (as part of SNI) belonging to connection, so when it arrives, it’s easy to match “something.example.net” against “*.example.net”.
Address list resolves the given hostname to an IP address, which is then used by the firewall. It also watches the TTL and resolves the hostname again when it’s about to expire. It’s clearly impossible to make this approach work with wildcards; the system would have to try to resolve all names that “*” can stand for, so it would be combinations of “a-z”, “0-9”, “_”, “-” for 1-63 characters. That’s a lot of combinations.
Trying to synchronously get the hostname when the first packet for some address arrives is impossible too. Not only would it kill the router’s performance, but there’s no clear 1:1 mapping from IP address to hostname.
The only way I can imagine it could work would be if the DNS cache checked hostnames against the wildcard and updated the address list if it found some. But unlike TLS host, this would not be reliable, because there’s no guarantee that the client used the router as resolver.
Oh cmon… My 10-year-old Asus RT-N16 with Shibby’s modified Tomato-based firmware can do this easily, but my new Mikrotik RB952Ui-5ac2nD CAN’T… This is sad
You first need to come up with a way it could work, because it clearly can’t work the same way non-wildcard hostnames in address lists work now (see second post).
The only way I can imagine it could work would be if the DNS cache checked hostnames against the wildcard and updated the address list if it found some. But unlike TLS host, this would not be reliable, because there’s no guarantee that the client used the router as resolver.
I think this is a nice idea, using the DNS cache. Maybe we can use the DNS cache to check, or catch DNS reply traffic into the address-list?
I found the Check Point firewall has a function called “DNS Passive Learning” in the latest version R80.40; it also requires DNS traffic to pass through the firewall.
If Mikrotik resolves DNS requests, it seems to be easy. One can restrict this feature to this use case. Another solution would be to intercept and deep-inspect DNS requests at the firewall level.
Both solutions are easy to hack around and therefore won’t work for blacklisting. But they would be perfectly enough for Netflix/Amazon whitelisting for an Airbnb apartment.
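The DNS-cache approach from the second post (checking cached names against the wildcard and feeding the address list, with entries expiring on TTL) and the passive DNS learning idea in the later posts, as an added Python model. This is not RouterOS code and not from anyone in the thread; the DnsAnswer records, the 198.51.100.x / 203.0.113.x addresses and the example.net names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class DnsAnswer:  # one A record from a DNS reply that passed through the router
    name: str
    address: str
    ttl: int
    seen_at: float  # time the reply was observed, in seconds

class WildcardAddressList:
    """Address list fed from observed DNS replies whose name matches a wildcard."""
    def __init__(self, patterns):
        self.patterns = [p.lower().rstrip(".") for p in patterns]
        self.entries = {}  # address -> (matched name, expiry time)

    def matches(self, name):
        name = name.lower().rstrip(".")
        for pattern in self.patterns:
            if pattern.startswith("*."):
                # "*.example.net" covers one or more labels, not bare "example.net"
                if name.endswith("." + pattern[2:]):
                    return True
            elif name == pattern:
                return True
        return False

    def observe(self, answer):
        """Add or refresh the address if the name matches; it lives for TTL."""
        if not self.matches(answer.name):
            return False
        self.entries[answer.address] = (answer.name, answer.seen_at + answer.ttl)
        return True

    def active(self, now):
        """Addresses still listed at time `now`; expired entries are dropped."""
        self.entries = {a: v for a, v in self.entries.items() if v[1] > now}
        return sorted(self.entries)

# Constructed sample replies (RFC 5737 documentation addresses, not real hosts).
SAMPLE_ANSWERS = [
    DnsAnswer("cdn1.example.net", "198.51.100.10", 60, 1000.0),
    DnsAnswer("api.eu.example.net", "198.51.100.11", 300, 1005.0),
    DnsAnswer("example.net", "198.51.100.12", 60, 1006.0),   # bare name: no match
    DnsAnswer("cdn1.example.org", "203.0.113.5", 60, 1007.0),  # other domain
]

def run_sample(now):
    # feed the sample replies to a "*.example.net" list and report at time `now`
    acl = WildcardAddressList(["*.example.net"])
    for answer in SAMPLE_ANSWERS:
        acl.observe(answer)
    return acl.active(now)
```

A reply the router never sees (a client using some other resolver) produces no entry, which is exactly the unreliability the second post points out.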