Possible error in DNS canonical name handling

RouterOS RouterOS beta
1

I’m using the DNS in my router (hAP ac^2 with RouterOS 7.1beta3).
I’m by default blocking all outgoing (as well incoming) traffic, I do allow it only by explicitly adding the address to an “allow” list.
This works fine, but today I experienced this funny problem: the address www.edn.com gets not blocked eventhough it’s not explicitly allowed to pass out or in.
A little research and testing shows that this address has a canonical name www.edn.com.edgekey.net in the DNS:

$ nslookup > www.edn.com
Server: 192.168.x.x
Address: 192.168.x.x#53

Non-authoritative answer:
www.edn.com > canonical name = > www.edn.com.edgekey.net> .
www.edn.com.edgekey.net > canonical name = e1899.a.akamaiedge.net.
Name: e1899.a.akamaiedge.net
Address: 104.81.79.46

So, does this indicate an error in RouterOS DNS ?

Thx

2

The CNAME is indeed the cause of this. Looking at Pi-hole it will block

www.edn.com.edgekey.net

if it is in a list used to block domains.

They use Whitelisting and that will match the domain you type and will ignore blocking and you will access that domain.

RouterOS DNS will resolve in one go, as it should do, to the last record and that is

www.edn.com.edgekey.net

IP address so blocking still on IP address is possible. This is normal and Pi-hole is bending/cheating to have an escape route.

3

Thanks, but why is it not blocking by default (since the default here is set explicitly to blocking)?

4

Address list uses resolved IP addresses (repeats resolving after DNS record TTL expires so it keeps IP address semi-uptodate) … since ultimate destination is some akamai cloud address, it could be same IP address is whitelisted for some other domain. If you want to block according to FQDN, you either have to use L7 firewall (very resource demanding and inefficient if connection is encrypted) or via DNS “fake records” (FQDN resolves to 127.0.0.1, can easily be bypassed e.g. by using DoH).

5

Is there in the RouerOS CLI a wildcard/regex format to find/list all addresses that contain the string “akamai” ?
Tried the following, but I think it’s not correct syntax, and I’m not uptodate with CLI nor script commands:

/ip/firewall/address-list
find where address="*akamai*"
find where comment="*akamai*"

Update/FIX: I meant “print”, not “find”, like this:

/ip/firewall/address-list
print where address="*akamai*"
print where comment="*akamai*"
6

use:

 [find where address~"akamai"]

If you have the correct IP address it should be blocked, however as stated by mkx the addresses may vary due to the usage of could by Akamai determined by geographical and/or load based answers.

My resolve:

:put [:resolve www.edn.com]
104.73.32.103

Resolve via a site: 92.123.55.56

My earlier answer was not correct in this.

7

@msatter, as you already stated, with such cloud servers the underlying IP to a domain varies depending on the region/country etc.
I’m getting this:

:put [:resolve www.edn.com]
2.23.78.15

The question now is how to find the record that contains this IP, as it usually is not exactly the same IP but one where the IP is a member of it (ie. a subnet IP covered by the subnet mask).

8

If your router also provide the DNS for the clients then you put a static entry in the router DNS.

When a client does not use your router DNS then are almost out of luck. You have then to collect all IP addresses Akamie use for this domain and block these in the address list.