How to block Microsoft via static DNS entry

Xymox · September 1, 2015, 3:18pm

Because Microsoft has gone rouge and malicious I want to block the entire microsoft.com domain preventing updates and all contact with microsoft. YES I realize the downsides.

My method seemed simple, but it does not work. I guess I dont know how to use a wildcard via a static DNS entry.

so *.microsoft.com does not work.

EVERYBODY should DNS block like its a malware site. settings-win.data.microsoft.com http://www.theregister.co.uk/2015/09/01/microsoft_backports_data_slurp_to_windows_78_via_patches/

StubArea51 · September 1, 2015, 6:12pm

Sounds like you need Layer 7 firewall rules…below is a link for blocking Facebook, but it could be used as a template for just about any domain name.

https://rbgeek.wordpress.com/2012/05/29/how-to-block-facebook-in-mikrotik-using-l7-protocols-layer-7/

Xymox · September 1, 2015, 6:50pm

Hmmmm… Really ? I cant just *.microsoft.com > 127.0.0.1 ? It just sounds so easy.

Xymox · September 1, 2015, 6:57pm

So the wildcard only works when defining a DNS record ? I cant use it when matching records on a rDNS lookup ? No kidding ? Booooooo…

Feklar · September 1, 2015, 7:50pm

/ip dns static
add address=127.0.0.1 name=".*\\.microsoft\\..*"
add address=127.0.0.1 name="^microsoft\\..*"

You will need to force all DNS requests to go through your router for the local clients, or at least make sure their DNS settings are pointed only at you.

freemannnn · September 1, 2015, 8:07pm

Feklar:

/ip dns static
add address=127.0.0.1 name=".*\\.microsoft\\..*"
add address=127.0.0.1 name="^microsoft\\..*"
You will need to force all DNS requests to go through your router for the local clients, or at least make sure their DNS settings are pointed only at you.

tried to browse to microsoft and does not load.
also tried windows update from my windows 8.1 and error appear! nice for blocking windows updates for bandwidth saving in hotspots!

thanx

Xymox · September 1, 2015, 9:23pm

Wow… AWESOME !! Indeed this does work !.. I will play more and I will look up how that worked. NICE…

Thank you !

freemannnn · September 1, 2015, 9:27pm

can u explain the difference of the 2 entries?
=“.*\.
=”^

Xymox · September 1, 2015, 9:29pm

I gotta say, you guys are awesome. This forum is stocked full of very smart people who really know what they are doing.

Thats a awesome solution.

I love Mikrotik.

marting · September 2, 2015, 8:36am

The first one matches to *.microsoft.com for example www.microsoft.com, downloads.microsoft.com, server2.europe.microsoft.com and so on…
The second one matches only to microsoft.com without any subdomain.

Xymox · September 2, 2015, 12:02pm

The fun part for me was that I had no idea you could regex there. That really opens up possibilities. Yea, I never thought about looking in the wiki, duhhhhh. Its right there. http://wiki.mikrotik.com/wiki/Manual:IP/DNS#Static_DNS_Entries

How much of a performance hit is there doing this ? Obviously a CCR would be a big help here. The more cores the better

This is obviously less of a performance hit then using Layer 7 ? Obviously less secure as any machine on the other side could simply drop in their own DNS lookups to circumvent this trick. Anyone reading this should be aware of the downsides of this trick.

As the Wiki says “Regular expression matching is significantly slower than of the plain entries, so it is advised to minimize the number of regular expression rules and optimize the expressions themselves.”

I could see a heavily loaded single core router becoming suddenly unresponsive by just adding one regex in the DNS. So I would use this with caution.

Regex is itself a art form. Ive seen regex that I could have never thought of on my own. Long ones can be mind bending but far better performance.

freemannnn · September 2, 2015, 12:04pm

me too i didnt know that u can regex in ip-dns. nice!
time to play with “torrent” regex!

Xymox · September 2, 2015, 12:29pm

Handy tool.

https://regex101.com/

Hahaha… wow… Who comes up with these regex ?

((([A-Za-z]{3,9}:(?://)?)(?:[-;:&=+$,\w]+@)?[A-Za-z0-9.-]+|(?:www.|[-;:&=+$,\w]+@)[A-Za-z0-9.-]+)((?:/[+~%/.\w-]*)???(?:[-+=&;%@.\w])#?(?:[.!/\w]))?)

StubArea51 · September 2, 2015, 7:32pm

Glad you found a solution that worked Indeed MikroTik routers are full of possibilities.

Either way is valid for you to do this. I tend to prefer L7 firewall rules because invariably, you will need block or restrict traffic on more and more things and it can all be managed from one place.

The other reason I like the L7 FW rule is that it’s much harder for the savvy user to work around via statically setting a DNS server on the host that isn’t the router. While you can mitigate using hotspot or DNS based FW rules, the amount of complexity continues to increase and sometimes it isn’t worth it.

It all comes down to your use case and what works well for you. Happy MikroTikking

Squidblacklist · September 30, 2016, 6:48pm

I think you are both wrong,

In current ROS .\*.somewebsite.net is what works to block the top domain as well the subdomains.somewebsite.net. So the solution you claim to work, does not work, or at least, no longer works.

I know, I tested it in RoS v6.37 and no dice using your examples.

I thought It appropriate to post this for anybody else looking for the answer on how to block subdomains with static dns regex in mikrotik routeros.

Hopefully google will see fit to send them here.

pukkita · February 13, 2017, 9:06am

@Roxan1: Sorry, I mistakenly dissaproved your post.

Roxan1 · February 13, 2017, 11:53am

I have MT router.
It’s not connected to net.
The users just can see the hotspot page. If they type something else in URL it shows hotspot page.
In static dns I managed *.com and .org ---->hotspot page
what I am facing is that when something like this
msn.com/sport or totally ./
is typed error 404 page appears.
what should I in this case , that the users see the hotspot page not error page.