Port 80/443 block, except a few Microsoft dev sources

Hi, I have a little problem with blocking all traffic on ports 80/443.

Short scenario:
One user needs to be blocked on ports 80/443, but he needs to have access to:

First problem - Hostnames
Second problem - Some of these sources have dynamic IP addresses
Third problem - Getting the IP addresses without the full hostnames

Any ideas how to do it on MikroTik?

Thanks.

There is no really practical and easy-to-manage solution for that.
You cannot match connections at the network level to high-level hostnames like that, and furthermore you will find that the customer probably means they want to be able to visit websites within those domains, and when you visit a page it will again load objects from other domains.

Tell the user it cannot be done.

This is more a job for a content firewall, but it may be possible with some L7 matching rules - they are taxing on the router CPU, so it depends how much traffic you have, but it should be possible with some management overhead.
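One way to do the firewall side of what this reply suggests on RouterOS, as an added example that is not from the thread or from MikroTik: the restricted host 192.168.88.50 and the list name ms-dev-allow are assumptions, and the two hostnames are the ones quoted elsewhere in the thread. It uses FQDN entries in an address list, which the router resolves itself and re-resolves when the DNS TTL expires, instead of CPU-heavy layer7 regex matching.

```routeros
# Added example, not from the thread. Assumed values: the restricted PC is
# 192.168.88.50; the allowed destinations are the two hostnames quoted in the thread.

# 1. The router must be the DNS server the PC uses, otherwise the PC may resolve a
#    CDN-backed name to a different address than the router did and the allow
#    rule will not match. Hand the router out as DNS via DHCP as well.
/ip dns set allow-remote-requests=yes

# 2. Allowed destinations as FQDN entries. RouterOS resolves each name and adds
#    dynamic entries with a timeout equal to the DNS TTL, so changing IPs
#    ("dynamic IP" problem) are followed automatically. Only names you list are
#    covered: a redirect target such as visualstudio.microsoft.com must be listed too.
/ip firewall address-list
add list=ms-dev-allow address=visualstudio.com comment="resolved by the router"
add list=ms-dev-allow address=visualstudio.microsoft.com comment="redirect target of visualstudio.com"

# 3. Filter rules for that one source. Order matters: accept the listed
#    destinations first, then drop everything else on 80/443 for this host.
#    Logging the drops shows which extra domains the sites pull in, which is
#    what you will need when maintaining the list.
/ip firewall filter
add chain=forward src-address=192.168.88.50 protocol=tcp dst-port=80,443 \
    dst-address-list=ms-dev-allow action=accept comment="dev sources allowed"
add chain=forward src-address=192.168.88.50 protocol=tcp dst-port=80,443 \
    action=drop log=yes log-prefix="dev-block" comment="all other web traffic for this user"
```

Place the two filter rules above any general accept for the forward chain, and watch `/log print where message~"dev-block"` for a while: every destination that shows up there and is needed by the allowed sites has to be added to the address list by hand, which is the maintenance burden the replies below describe.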

It is no solution due to the “external content” problem I already mentioned.

E.g. the site “visualstudio.com” is on the list above, so it should be usable.
However, when you contact “visualstudio.com” you receive an immediate redirect to “visualstudio.microsoft.com”.
This domain is not on the list above so it should not be allowed.

Result: visualstudio.com is not usable. Problem not solved.

It is a problem that really can be solved only in the browser, because only the browser knows what a “site” is and what the exact URL is that is being visited, and what URLs are loaded to complete that.
And indeed, browser plugins (and features in e.g. Google Chrome Enterprise) exist to solve this problem.
Of course this assumes that “the user” is on a workstation managed by the company which the admin can configure with the allow list and where it is not possible to just install another browser that would not follow this regime.
And also, the redirect problem is likely not solved. So it still requires constant attention to adapt the allowed URL list when the website maintainer decides to move things around to different domain names.

And what about something different, maybe DNS?
I read about the OpenDNS possibility to block all connections to hostnames except a whitelist.
Can it be done on MikroTik? Then I can block the possibility to change DNS on the Windows machine, or something.

Of course you can try that. Just take an OpenDNS subscription and set the DNS service.
But:

  • you will still have the responsibility to maintain the whitelist, and it will contain far more items than the client has requested (if only because of that redirect issue that I mentioned)
  • the websites will mysteriously fail when the whitelist is not correct, and you will be held responsible for that
  • it will stop working once the browser makers have completed their effort to use DNS over HTTPS instead of plain DNS requests (unless you can set the DoH/DoT servers manually to the OpenDNS service)

Okay, but can I do the same thing on the MikroTik DNS server, without an additional OpenDNS subscription? Put some whitelisted high-level hostnames and block or redirect other hostnames.

No, the MikroTik DNS resolver cannot do that.

Okay, thanks all for help. Topic closed.