Hello! It would be cool if you implemented wildcards for Firewall Address List. It’s easy to use with the internal DNS server, easier than L7 processing. There have already been such requests, but they were for v6, so I hope we’ll finally see it in v7.
Any example?
Like putting “*.google.it” and RouterOS tries to resolve (to add the IP to the address-list)
all possible combinations of the type qoiruq94763254789.google.it, 978w6b5v987265298c7.google.it, 9999999999999999999999999.google.it, etc.?
Use an external DNS server as a work-around (i.e. dns blackhole, instead of blocking the traffic on IP level.)
# The wildcard domain (*.google.com) and all subdomains will be resolved as 127.0.0.1 - dnsmasq.conf
address=/.google.com/127.0.0.1
Yes.
I use these lists for traffic forwarding, not blocking. So, this feature built into Mikrotik will be perfect. Even more, it’s already there, just no wildcard support yet.
What about a solution using an external server to expand e.g. the Google as-set (using e.g. bgpq3) into an ip-prefix list? That could then be imported (pushed from the server, or pulled from RouterOS) as an address list into the firewall config context.
You usually don’t want to get the whole AS range. You may not know all the ASes used by a website. And it involves 3rd-party integration anyway. For home/small offices it’s overkill. I am pretty happy with what the embedded DNS server and Firewall Address List offer, I just want it to be more flexible.
It's a provocation, you do not notice that?
Do you really think RouterOS will go and test from
a.google.it
aa.google.it
aaa.google.it
aaaa.google.it
aaaaa.google.it
aaaaaa.google.it
aaaaaaa.google.it
aaaaaaaa.google.it
to
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.google.it
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.google.it
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.google.it
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.google.it
etc. to discover whether the DNS name exists and put the IP inside the address list?
Your point of view is completely wrong.
again:
Any example of what you want to obtain at the end, with a real-life example?
If done on a reactive basis, with the DNS server on the network being the RouterOS gateway, and done before the connection + DNS reply is delivered to the client on the inside of the gateway router, it should (in theory!) be very feasible to implement.
Entries added to the FW address list can support a configurable timeout to avoid the address list just growing and growing without end.
You got it wrong. A device queries Mikrotik's DNS server -> address list filled. That's all. It's how it works now (?) — I don't know exactly how it is implemented now, but the IP address appears in the list after the DNS request; it's not pre-filled.
In the OP you asked for >>>wildcards for Firewall Address List<<<,
not wildcards for DNS static entries, which already exist.
Again, you don't understand.
Actually, if I put www.google.it in a firewall address-list, it also adds one or more dynamic IPs with a timeout equal to the timeout given in the DNS reply.
If some wildcard is used, just one “dot” for example, RouterOS, to do what you want, must try all valid DNS characters like:
1.google.it, 2.google.it … a.google.it, b.google.it … y.google.it, z.google.it
so with one single wildcard character it must do 40 DNS requests.
If something like a "" wildcard is added, RouterOS must try from
1.google.it
to
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz.google.it
To do that, it must do (243 positions with 40 possible values for each position = 40^253 =) ~ 2*10^405 DNS queries.
Just 2*10^405 DNS queries, for each wildcard DNS entry on the address list...
The number of atoms in the universe is something like 10^82…
Very feasible, no?
Geez rextended, Pirelli needs you to fix their F1 tire issues!!
Your talents are wasted in the MT help forums
I’m Italian but I prefer Bridgestone :((
My opinion is that Pirelli is really shitty, Bridgestone must come back :((
And an Italian is telling you that, so this time you are not offending anyone :((
A firewall product I use can supposedly use wildcards in its ruleset by reading the DNS queries that pass through it and populating those wildcard entries with the info it captured from the DNS responses.
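The reactive mechanism described here, and in the earlier post about populating the list from DNS replies before they reach the client, as an added illustration that is not code from this thread or from RouterOS: the gateway matches the queried name of each DNS answer it returns against the wildcard entries and adds the answered addresses to the list with a timeout taken from the record TTL. The domain, list name, IPs and TTLs are constructed samples (192.0.2.0/24 is a documentation range).

```python
"""Model of wildcard address-list population driven by observed DNS replies.
No resolver is contacted; replies are constructed samples. The matching is
label-aware, so '*.google.it' covers www.google.it and a.b.google.it but not
google.it itself or notgoogle.it, mirroring DNS wildcard semantics."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple
import ipaddress


@dataclass
class Answer:
    """A DNS reply as seen by the gateway (constructed sample)."""
    qname: str            # name the client asked for
    addresses: List[str]  # A/AAAA records in the reply
    ttl: int              # smallest TTL in the reply, seconds


def wildcard_matches(pattern: str, name: str) -> bool:
    """Return True if name falls under pattern ('*.suffix' or an exact name)."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == name
    suffix = pattern[1:]                       # '.google.it'
    return name != suffix[1:] and name.endswith(suffix)


@dataclass
class AddressList:
    wildcards: Dict[str, str]                                     # pattern -> list name
    entries: Dict[Tuple[str, str], int] = field(default_factory=dict)  # (list, ip) -> expiry

    def observe(self, ans: Answer, now: int) -> List[Tuple[str, str]]:
        """Add/refresh entries from one reply; returns the (list, ip) keys touched.
        Only the queried name is matched: a CNAME target under another zone
        does not make the pattern match, but the addresses the client will
        actually use are still the ones in this reply, so they are added."""
        touched = []
        for pattern, list_name in self.wildcards.items():
            if not wildcard_matches(pattern, ans.qname):
                continue
            for addr in ans.addresses:
                key = (list_name, str(ipaddress.ip_address(addr)))  # validates, normalises
                # Timeout follows the TTL; a later reply can only extend, never shorten.
                self.entries[key] = max(self.entries.get(key, 0), now + ans.ttl)
                touched.append(key)
        return touched

    def active(self, list_name: str, now: int) -> Set[str]:
        """Addresses currently in list_name, i.e. whose timeout has not passed."""
        return {ip for (ln, ip), exp in self.entries.items() if ln == list_name and exp > now}
```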
And what?
The OP is about wildcards on the firewall address-list, not the already existing wildcards on DNS...