mangle specific site Traffic with TLS-Host

hello guys
good time

I found this code on the internet (to detect and mangle traffic for a specific site)


/ip firewall mangle
# Route connections to the learned addresses through the VPN routing table
add action=mark-routing chain=prerouting comment=Youtube dst-address-list=YouTube new-routing-mark=VPN passthrough=no
add action=mark-routing chain=prerouting comment=Facebook dst-address-list=FaceBook new-routing-mark=VPN passthrough=no
# Learn server addresses from the tls-host (SNI) of outgoing HTTPS connections
add action=add-dst-to-address-list address-list=YouTube address-list-timeout=1d chain=forward comment=Youtube dst-port=443 protocol=tcp tls-host=*youtube*
add action=add-dst-to-address-list address-list=YouTube address-list-timeout=1d chain=forward comment=Youtube dst-port=443 protocol=tcp tls-host=*ytimg*
add action=add-dst-to-address-list address-list=YouTube address-list-timeout=1d chain=forward comment=Youtube dst-port=443 protocol=tcp tls-host=*googlevideo*
add action=add-dst-to-address-list address-list=YouTube address-list-timeout=1d chain=forward comment=Youtube dst-port=443 protocol=tcp tls-host=*ggpht*
add action=add-dst-to-address-list address-list=FaceBook address-list-timeout=1d chain=forward comment=Facebook dst-port=443 protocol=tcp tls-host=*facebook*
add action=add-dst-to-address-list address-list=FaceBook address-list-timeout=1d chain=forward comment=Facebook dst-port=443 protocol=tcp tls-host=*fbcdn*

I have a question: I want to detect traffic to www.cisco.com and www.msn.com. How do I find the TLS-Host for those sites?

Should I check the SSL site? Or?
Where can I see the tls-host?

Can you help me?

Full tls-host value is the same FQDN server name used in browser. E.g. if you're visiting https://www.cisco.com/c/en/us/solutions/design-zone.html , then tls-host will be www.cisco.com. The big problem is that many popular pages include elements from multiple independent servers or even domains, so you have to analyze pages served by the targeted server and see if you have to mangle some other domains.

In your configuration example wildcards are used (asterisk matches any string, so when writing *youtube*, it matches anything which includes youtube in any position, e.g. www.youtube.com or cdn1234.youtube.my or something similar).

thanks a lot


Yes!
You're right!

For example, when you are visiting youtube.com, that loads ytimg and ggpht and googlevideo.

To check and understand the 3rd-party sites that are loaded by the primary site, what should I do?

For example, use Fiddler, or ...?

I never did the exercise myself, so your guess is probably better than mine :wink:

I just tried: in firefox I enabled Web Developer Tools (shortcut is [SHIFT]-[F5]), in WDT part I switched over to Network tab, then opened page I wanted to check (in particular I opened youtube.com but any other page would do). In the network tab it will show quite detailed analysis of parts it had to fetch before it could render whole page ... one of the columns is named "Domain" ... Looks good enough to me but YMMV.