[ROS/Firewall] How to MANGLE by raw HEX bytes? [SOLVED]

The need is to block some DNS requests. For example, block all DNS requests to
aaa.com
This can be done by MANGLE/marking packets matching (udp, port 53, content=aaa) and then blocking all the packets with this mark.
However, this will block aaabbb.com also.

I tried setting content=aaa.com and it does not work.

So I ran Wireshark, and figured out that the DNS packet was in fact
03 61 62 63 03 63 6f 6d
meaning
(length of abc) (hex for abc) (length of com) (hex for com)

So, if I want to block abc.com exactly, I need to find some way to set the Content= to the raw HEX bytes.

I have tried Content=\03 \61 … \6d
or Content=\03 \61 … \6d
or Content=0x03 0x61 … 0x6d

but none of them work.

Any idea for this?

Thanks.

SOLVED: Thanks to everyone posting replies here. I finally made it work.

The KEY TRICK to this issue is: DO NOT enter content="\03abc\03com" in the WINBOX dialogs.

Instead, open a TERMINAL and run the command

/ip firewall mangle
add action=passthrough chain=prerouting content="cnn\03com" dst-port=53 in-interface=e1_int log=yes log-prefix="DNS catch: " \
    protocol=udp

Thanks to sebastia for pointing this out (From Terminal)

Maybe you can simply use address-list?

/ip firewall address-list
add address=www.aaabbb.com list=blocked
add address=www.aaa.com list=blocked
/ip firewall filter
add action=reject chain=forward dst-address-list=blocked reject-with=icmp-network-unreachable

Try this:
content="\03abc\03com"

Thanks, but this will not work. www.abc.com can be hundreds of IPs. Putting www.abc.com in an address list only works with one particular IP.

Just tried, not working.

Steps:

set content=abc, then run "nslookup abc.com": I can see the packets logged (I enabled the log)
set content="\03abc\03com" and run "nslookup abc.com" again: no logs appear.

So far I guess that ROS does not support raw HEX bytes in content. But there are no documents to prove that so far.

For external DNS server:

/ip firewall layer7-protocol
add name=aaa.com regexp="\\x03aaa\\x03com"
/ip firewall filter
add place-before=0 action=reject chain=forward dst-port=53 layer7-protocol=aaa.com protocol=udp reject-with=icmp-network-unreachable

Will block aaa.com, www.aaa.com, subdomain.aaa.com, www.subdomain.aaa.com, but not aaaa.com.

If MT is the DNS server (allow remote requests):

/ip dns static
# To block *.aaa.com
add address=127.0.0.1 regexp="\\.aaa\\.com\$"
# To block aaa.com
add address=127.0.0.1 name=aaa.com

Unfortunately MT cannot accept 0.0.0.0 (NXDOMAIN/null) as static entry address.

Working fine here (from terminal):

/ip firewall mangle
add action=passthrough chain=prerouting content="cnn\03com" dst-port=53 in-interface=e1_int log=yes log-prefix="DNS catch: " \
    protocol=udp

"ping cnn.com" generates:

18:42:31 firewall,info DNS catch: prerouting: in:e1_int out:(unknown 0), src-mac 44:8a:5b:88:87:e2, proto UDP, 192.168.1.12:58429->192.168.1.1:53, len 53

Does anyone know how to drop DNS answers when the query was made with type 255 (hex FF) (type ANY)?

I tried to match content="\00\f\f" but this would not match the traffic.

If I remember right, the regexp matching in layer 7 rules ignores zero bytes. So \ff may match, but you have to combine it with other substrings to limit false positives.

When I try to use "content" in the rule, not creating a "layer7 specific rule", I can't add "\FF" (only "\f\f"), but, even while I'm seeing this traffic, it's not matching the amount of traffic that has the query type as ANY (255 decimal).
So, I'm confused about this. When I open the packet in Wireshark, the specific part about query type ANY (Wireshark calls it *) is hex 00 FF.
But I'm having trouble matching this.

For me (6.48.6), \FF (not \ff) works fine in both regexp and content.
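As an added example (not from any poster in this thread, and Python rather than RouterOS), here is the label encoding and the 00 FF query type discussed above: it builds constructed DNS queries, shows why a raw-byte substring such as \x03aaa\x03com matches aaa.com and www.aaa.com but not aaabbb.com or aaaa.com, and parses the question section so that type ANY (255) can be recognised exactly instead of by a bare \FF byte.

```python
import struct

QTYPE_ANY = 255  # wire value 00 FF, the "type ANY" query asked about above


def encode_qname(name: str) -> bytes:
    """Domain name to wire-format labels: abc.com -> 03 61 62 63 03 63 6f 6d 00."""
    labels = [part for part in name.strip(".").split(".") if part]
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Constructed minimal DNS query: 12-byte header (RD set, QDCOUNT=1) + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def raw_content_match(payload: bytes, pattern: bytes) -> bool:
    """Byte-substring test, the same idea as content= or a \\xNN layer7 regexp."""
    return pattern in payload


def parse_question(payload: bytes):
    """Return (qname, qtype) of the first question, or None if malformed."""
    if len(payload) < 12 or struct.unpack("!H", payload[4:6])[0] < 1:
        return None
    pos, labels = 12, []
    while pos < len(payload):
        n = payload[pos]
        pos += 1
        if n == 0:
            if pos + 4 > len(payload):
                return None
            qtype = struct.unpack("!H", payload[pos:pos + 2])[0]
            return ".".join(labels).lower(), qtype
        if n & 0xC0 or pos + n > len(payload):  # no compression pointers in a plain query
            return None
        labels.append(payload[pos:pos + n].decode("ascii", "replace"))
        pos += n
    return None


def is_blocked(payload: bytes, blocked: str, block_any: bool = False) -> bool:
    """Match blocked and its subdomains exactly; aaabbb.com or aaaa.com never match."""
    q = parse_question(payload)
    if q is None:
        return False
    qname, qtype = q
    return (block_any and qtype == QTYPE_ANY) or qname == blocked or qname.endswith("." + blocked)
```

Appending the terminating 00 byte to the raw pattern (\x03aaa\x03com\x00) also excludes names such as aaa.com.example that merely contain those labels in the middle.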