I tried setting the TLS Host in a firewall rule to drop packets to download.windowsupdate.com and then on my computer I did this: curl https://download.windowsupdate.com and it worked. In other words, the TLS Host setting didn’t work. What’s the fix?
Any help?
TLS 1.3 also encrypts that field…
TLS Host matcher doesn’t work with TLS1.3+.
One of the best solutions so far is to force everyone on the network to use a dns resolver you control and block the dns request for this domain.
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=!<dns-server> dst-port=53 \
protocol=udp to-addresses=<dns-server> to-ports=53
add action=dst-nat chain=dstnat dst-address=!<dns-server> dst-port=53 \
protocol=tcp to-addresses=<dns-server> to-ports=53
Then either create a static dns entry for download.windowsupdate.com pointing to 127.0.0.1 or use the layer7 filter to identify and drop the request.
/ip dns static
add name=download.windowsupdate.com address=127.0.0.1
OR
/ip firewall layer7-protocol
add name=windows-updates regexp=download.windowsupdate.com
/ip firewall filter
add action=drop chain=input dst-port=53 layer7-protocol=windows-updates protocol=udp
add action=drop chain=input dst-port=53 layer7-protocol=windows-updates protocol=tcp
Put them above your allow rules, make sure local dns cache is cleared on the hosts before testing.
I’m actually trying to make it so all Windows Update traffic gets redirected to a VPN because the device I’m doing this on is a hotspot and I don’t want the cellular ISPs to see any Windows stuff. I also made an address-list with a bunch of Windows Update domains but I’m going to do the L7 regex as well.
Block directly windows update & telemetry
How am I supposed to add that into an address-list?
You always want easy things…
Thanks to crazy-max:
https://github.com/crazy-max/WindowsSpyBlocker
Windows Update
/ip firewall address-list
add list=windows_update address=13.68.87.47
add list=windows_update address=13.68.87.175
add list=windows_update address=13.68.88.129
add list=windows_update address=13.68.93.109
add list=windows_update address=13.74.179.117
add list=windows_update address=13.78.168.230
add list=windows_update address=13.78.177.144
add list=windows_update address=13.78.179.199
add list=windows_update address=13.78.180.50
add list=windows_update address=13.78.180.90
add list=windows_update address=13.78.184.44
add list=windows_update address=13.78.184.186
add list=windows_update address=13.78.186.254
add list=windows_update address=13.78.187.58
add list=windows_update address=13.78.230.134
add list=windows_update address=13.83.148.218
add list=windows_update address=13.83.148.235
add list=windows_update address=13.83.149.5
add list=windows_update address=13.83.149.67
add list=windows_update address=13.83.151.160
add list=windows_update address=13.86.124.174
add list=windows_update address=13.86.124.184
add list=windows_update address=13.86.124.191
add list=windows_update address=13.91.16.64
add list=windows_update address=13.91.16.65
add list=windows_update address=13.91.16.66
add list=windows_update address=13.92.211.120
add list=windows_update address=13.107.4.50
add list=windows_update address=13.107.4.52
add list=windows_update address=13.107.4.254
add list=windows_update address=20.36.218.63
add list=windows_update address=20.36.218.70
add list=windows_update address=20.36.222.39
add list=windows_update address=20.36.252.130
add list=windows_update address=20.41.41.23
add list=windows_update address=20.42.24.29
add list=windows_update address=20.42.24.50
add list=windows_update address=20.44.77.24
add list=windows_update address=20.44.77.45
add list=windows_update address=20.44.77.49
add list=windows_update address=20.44.77.219
add list=windows_update address=20.45.4.77
add list=windows_update address=20.45.4.178
add list=windows_update address=20.54.24.69
add list=windows_update address=20.54.24.79
add list=windows_update address=20.54.24.148
add list=windows_update address=20.54.24.169
add list=windows_update address=20.54.24.231
add list=windows_update address=20.54.24.246
add list=windows_update address=20.54.25.4
add list=windows_update address=20.54.25.16
add list=windows_update address=20.54.89.15
add list=windows_update address=20.54.89.106
add list=windows_update address=20.62.190.184
add list=windows_update address=20.62.190.185
add list=windows_update address=20.62.190.186
add list=windows_update address=20.185.109.208
add list=windows_update address=20.186.48.46
add list=windows_update address=20.188.74.161
add list=windows_update address=20.188.78.184
add list=windows_update address=20.188.78.185
add list=windows_update address=20.188.78.187
add list=windows_update address=20.188.78.188
add list=windows_update address=20.188.78.189
add list=windows_update address=20.190.3.175
add list=windows_update address=20.190.9.86
add list=windows_update address=20.191.46.109
add list=windows_update address=20.191.46.211
add list=windows_update address=23.103.189.125
add list=windows_update address=23.103.189.126
add list=windows_update address=23.103.189.157
add list=windows_update address=23.103.189.158
add list=windows_update address=40.67.248.104
add list=windows_update address=40.67.251.132
add list=windows_update address=40.67.251.134
add list=windows_update address=40.67.252.175
add list=windows_update address=40.67.252.206
add list=windows_update address=40.67.253.249
add list=windows_update address=40.67.254.36
add list=windows_update address=40.67.254.97
add list=windows_update address=40.67.255.199
add list=windows_update address=40.69.216.73
add list=windows_update address=40.69.216.129
add list=windows_update address=40.69.216.251
add list=windows_update address=40.69.218.62
add list=windows_update address=40.69.219.197
add list=windows_update address=40.69.220.46
add list=windows_update address=40.69.221.239
add list=windows_update address=40.69.222.109
add list=windows_update address=40.69.223.39
add list=windows_update address=40.69.223.198
add list=windows_update address=40.70.224.144
add list=windows_update address=40.70.224.145
add list=windows_update address=40.70.224.147
add list=windows_update address=40.70.224.148
add list=windows_update address=40.70.224.149
add list=windows_update address=40.70.229.150
add list=windows_update address=40.77.18.167
add list=windows_update address=40.77.224.8
add list=windows_update address=40.77.224.11
add list=windows_update address=40.77.224.145
add list=windows_update address=40.77.224.254
add list=windows_update address=40.77.226.13
add list=windows_update address=40.77.226.181
add list=windows_update address=40.77.226.246
add list=windows_update address=40.77.226.247
add list=windows_update address=40.77.226.248
add list=windows_update address=40.77.226.249
add list=windows_update address=40.77.226.250
add list=windows_update address=40.77.229.8
add list=windows_update address=40.77.229.9
add list=windows_update address=40.77.229.12
add list=windows_update address=40.77.229.13
add list=windows_update address=40.77.229.16
add list=windows_update address=40.77.229.21
add list=windows_update address=40.77.229.22
add list=windows_update address=40.77.229.24
add list=windows_update address=40.77.229.26
add list=windows_update address=40.77.229.27
add list=windows_update address=40.77.229.29
add list=windows_update address=40.77.229.30
add list=windows_update address=40.77.229.32
add list=windows_update address=40.77.229.35
add list=windows_update address=40.77.229.38
add list=windows_update address=40.77.229.44
add list=windows_update address=40.77.229.45
add list=windows_update address=40.77.229.50
add list=windows_update address=40.77.229.53
add list=windows_update address=40.77.229.62
add list=windows_update address=40.77.229.65
add list=windows_update address=40.77.229.67
add list=windows_update address=40.77.229.69
add list=windows_update address=40.77.229.70
add list=windows_update address=40.77.229.71
add list=windows_update address=40.77.229.74
add list=windows_update address=40.77.229.76
add list=windows_update address=40.77.229.80
add list=windows_update address=40.77.229.81
add list=windows_update address=40.77.229.82
add list=windows_update address=40.77.229.88
add list=windows_update address=40.77.229.118
add list=windows_update address=40.77.229.123
add list=windows_update address=40.77.229.128
add list=windows_update address=40.77.229.133
add list=windows_update address=40.77.229.141
add list=windows_update address=40.77.229.199
add list=windows_update address=40.79.65.78
add list=windows_update address=40.79.65.123
add list=windows_update address=40.79.65.235
add list=windows_update address=40.79.65.237
add list=windows_update address=40.79.66.194
add list=windows_update address=40.79.66.209
add list=windows_update address=40.79.67.176
add list=windows_update address=40.79.70.158
add list=windows_update address=40.91.73.169
add list=windows_update address=40.91.73.219
add list=windows_update address=40.91.75.5
add list=windows_update address=40.91.80.89
add list=windows_update address=40.91.91.94
add list=windows_update address=40.91.120.196
add list=windows_update address=40.91.122.44
add list=windows_update address=40.125.122.151
add list=windows_update address=40.125.122.176
add list=windows_update address=51.103.5.159
add list=windows_update address=51.103.5.186
add list=windows_update address=51.104.162.50
add list=windows_update address=51.104.162.168
add list=windows_update address=51.104.164.114
add list=windows_update address=51.104.167.48
add list=windows_update address=51.104.167.186
add list=windows_update address=51.104.167.245
add list=windows_update address=51.104.167.255
add list=windows_update address=51.105.249.223
add list=windows_update address=51.105.249.228
add list=windows_update address=51.105.249.239
add list=windows_update address=52.142.21.136
add list=windows_update address=52.137.102.105
add list=windows_update address=52.137.103.96
add list=windows_update address=52.137.103.130
add list=windows_update address=52.137.110.235
add list=windows_update address=52.142.21.137
add list=windows_update address=52.142.21.140
add list=windows_update address=52.142.21.141
add list=windows_update address=52.143.80.209
add list=windows_update address=52.143.81.222
add list=windows_update address=52.143.84.45
add list=windows_update address=52.143.86.214
add list=windows_update address=52.143.87.28
add list=windows_update address=52.147.176.8
add list=windows_update address=52.148.148.114
add list=windows_update address=52.152.108.96
add list=windows_update address=52.152.110.14
add list=windows_update address=52.155.95.90
add list=windows_update address=52.155.115.56
add list=windows_update address=52.155.169.137
add list=windows_update address=52.155.183.99
add list=windows_update address=52.155.217.156
add list=windows_update address=52.155.223.194
add list=windows_update address=52.156.144.83
add list=windows_update address=52.158.114.119
add list=windows_update address=52.158.122.14
add list=windows_update address=52.161.15.246
add list=windows_update address=52.164.221.179
add list=windows_update address=52.164.226.245
add list=windows_update address=52.167.222.82
add list=windows_update address=52.167.222.147
add list=windows_update address=52.167.223.135
add list=windows_update address=52.169.82.131
add list=windows_update address=52.169.83.3
add list=windows_update address=52.169.87.42
add list=windows_update address=52.169.123.48
add list=windows_update address=52.175.23.79
add list=windows_update address=52.177.164.251
add list=windows_update address=52.177.247.15
add list=windows_update address=52.178.192.146
add list=windows_update address=52.179.216.235
add list=windows_update address=52.179.219.14
add list=windows_update address=52.183.47.176
add list=windows_update address=52.183.118.171
add list=windows_update address=52.184.152.136
add list=windows_update address=52.184.155.206
add list=windows_update address=52.184.212.181
add list=windows_update address=52.184.213.21
add list=windows_update address=52.184.213.187
add list=windows_update address=52.184.214.53
add list=windows_update address=52.184.214.123
add list=windows_update address=52.184.214.139
add list=windows_update address=52.184.216.174
add list=windows_update address=52.184.216.226
add list=windows_update address=52.184.216.246
add list=windows_update address=52.184.217.20
add list=windows_update address=52.184.217.37
add list=windows_update address=52.184.217.56
add list=windows_update address=52.187.60.107
add list=windows_update address=52.188.72.233
add list=windows_update address=52.226.130.114
add list=windows_update address=52.229.170.171
add list=windows_update address=52.229.170.224
add list=windows_update address=52.229.171.86
add list=windows_update address=52.229.171.202
add list=windows_update address=52.229.172.155
add list=windows_update address=52.229.174.29
add list=windows_update address=52.229.174.172
add list=windows_update address=52.229.174.233
add list=windows_update address=52.229.175.79
add list=windows_update address=52.230.216.17
add list=windows_update address=52.230.216.157
add list=windows_update address=52.230.220.159
add list=windows_update address=52.230.223.92
add list=windows_update address=52.230.223.167
add list=windows_update address=52.232.225.93
add list=windows_update address=52.238.248.1
add list=windows_update address=52.238.248.2
add list=windows_update address=52.238.248.3
add list=windows_update address=52.242.97.97
add list=windows_update address=52.242.101.226
add list=windows_update address=52.242.231.32
add list=windows_update address=52.242.231.33
add list=windows_update address=52.242.231.35
add list=windows_update address=52.242.231.36
add list=windows_update address=52.242.231.37
add list=windows_update address=52.243.153.146
add list=windows_update address=52.248.96.36
add list=windows_update address=52.249.24.101
add list=windows_update address=52.249.58.51
add list=windows_update address=52.250.46.232
add list=windows_update address=52.250.46.237
add list=windows_update address=52.250.46.238
add list=windows_update address=52.250.195.200
add list=windows_update address=52.250.195.204
add list=windows_update address=52.250.195.206
add list=windows_update address=52.250.195.207
add list=windows_update address=52.253.130.84
add list=windows_update address=52.254.106.61
add list=windows_update address=64.4.27.50
add list=windows_update address=65.52.108.29
add list=windows_update address=65.52.108.33
add list=windows_update address=65.52.108.59
add list=windows_update address=65.52.108.90
add list=windows_update address=65.52.108.92
add list=windows_update address=65.52.108.153
add list=windows_update address=65.52.108.154
add list=windows_update address=65.52.108.185
add list=windows_update address=65.55.242.254
add list=windows_update address=66.119.144.157
add list=windows_update address=66.119.144.158
add list=windows_update address=66.119.144.189
add list=windows_update address=66.119.144.190
add list=windows_update address=67.26.27.254
add list=windows_update address=104.45.177.233
add list=windows_update address=111.221.29.40
add list=windows_update address=134.170.51.187
add list=windows_update address=134.170.51.188
add list=windows_update address=134.170.51.190
add list=windows_update address=134.170.51.246
add list=windows_update address=134.170.51.247
add list=windows_update address=134.170.51.248
add list=windows_update address=134.170.53.29
add list=windows_update address=134.170.53.30
add list=windows_update address=134.170.115.55
add list=windows_update address=134.170.115.56
add list=windows_update address=134.170.115.60
add list=windows_update address=134.170.115.62
add list=windows_update address=134.170.165.248
add list=windows_update address=134.170.165.249
add list=windows_update address=134.170.165.251
add list=windows_update address=134.170.165.253
add list=windows_update address=137.135.62.92
add list=windows_update address=157.55.133.204
add list=windows_update address=157.55.240.89
add list=windows_update address=157.55.240.126
add list=windows_update address=157.55.240.220
add list=windows_update address=157.56.77.138
add list=windows_update address=157.56.77.139
add list=windows_update address=157.56.77.140
add list=windows_update address=157.56.77.141
add list=windows_update address=157.56.77.148
add list=windows_update address=157.56.77.149
add list=windows_update address=157.56.96.54
add list=windows_update address=157.56.96.58
add list=windows_update address=157.56.96.123
add list=windows_update address=157.56.96.157
add list=windows_update address=191.232.80.53
add list=windows_update address=191.232.80.58
add list=windows_update address=191.232.80.60
add list=windows_update address=191.232.80.62
add list=windows_update address=191.232.139.2
add list=windows_update address=191.232.139.182
add list=windows_update address=191.232.139.253
add list=windows_update address=191.232.139.254
add list=windows_update address=191.234.72.183
add list=windows_update address=191.234.72.186
add list=windows_update address=191.234.72.188
add list=windows_update address=191.234.72.190
add list=windows_update address=207.46.114.58
add list=windows_update address=207.46.114.61
Telemetry
/ip firewall address-list
add list=windows_telemetry address=13.64.90.137
add list=windows_telemetry address=13.68.31.193
add list=windows_telemetry address=13.69.131.175
add list=windows_telemetry address=13.66.56.243
add list=windows_telemetry address=13.68.82.8
add list=windows_telemetry address=13.68.92.143
add list=windows_telemetry address=13.73.26.107
add list=windows_telemetry address=13.74.169.109
add list=windows_telemetry address=13.78.130.220
add list=windows_telemetry address=13.78.232.226
add list=windows_telemetry address=13.78.233.133
add list=windows_telemetry address=13.88.21.125
add list=windows_telemetry address=13.92.194.212
add list=windows_telemetry address=13.104.215.69
add list=windows_telemetry address=20.44.86.43
add list=windows_telemetry address=20.49.150.241
add list=windows_telemetry address=20.54.110.119
add list=windows_telemetry address=20.60.20.4
add list=windows_telemetry address=20.189.74.153
add list=windows_telemetry address=23.99.49.121
add list=windows_telemetry address=23.102.4.253
add list=windows_telemetry address=23.102.5.5
add list=windows_telemetry address=23.102.21.4
add list=windows_telemetry address=23.103.182.126
add list=windows_telemetry address=40.68.222.212
add list=windows_telemetry address=40.69.153.67
add list=windows_telemetry address=40.70.184.83
add list=windows_telemetry address=40.70.220.248
add list=windows_telemetry address=40.70.221.249
add list=windows_telemetry address=40.77.228.47
add list=windows_telemetry address=40.77.228.87
add list=windows_telemetry address=40.77.228.92
add list=windows_telemetry address=40.77.232.101
add list=windows_telemetry address=40.78.128.150
add list=windows_telemetry address=40.79.85.125
add list=windows_telemetry address=40.88.32.150
add list=windows_telemetry address=40.90.221.9
add list=windows_telemetry address=40.112.209.200
add list=windows_telemetry address=40.115.3.210
add list=windows_telemetry address=40.115.119.185
add list=windows_telemetry address=40.119.211.203
add list=windows_telemetry address=40.119.249.228
add list=windows_telemetry address=40.124.34.70
add list=windows_telemetry address=40.127.240.158
add list=windows_telemetry address=51.104.136.2
add list=windows_telemetry address=51.124.78.146
add list=windows_telemetry address=51.140.40.236
add list=windows_telemetry address=51.140.157.153
add list=windows_telemetry address=51.143.53.152
add list=windows_telemetry address=51.143.111.7
add list=windows_telemetry address=51.143.111.81
add list=windows_telemetry address=51.144.227.73
add list=windows_telemetry address=52.147.198.201
add list=windows_telemetry address=52.138.204.217
add list=windows_telemetry address=52.138.216.83
add list=windows_telemetry address=52.155.94.78
add list=windows_telemetry address=52.155.172.105
add list=windows_telemetry address=52.157.234.37
add list=windows_telemetry address=52.158.208.111
add list=windows_telemetry address=52.164.241.205
add list=windows_telemetry address=52.169.189.83
add list=windows_telemetry address=52.170.83.19
add list=windows_telemetry address=52.174.22.246
add list=windows_telemetry address=52.178.147.240
add list=windows_telemetry address=52.178.151.212
add list=windows_telemetry address=52.178.178.16
add list=windows_telemetry address=52.178.223.23
add list=windows_telemetry address=52.183.114.173
add list=windows_telemetry address=52.184.221.185
add list=windows_telemetry address=52.229.39.152
add list=windows_telemetry address=52.230.85.180
add list=windows_telemetry address=52.230.222.68
add list=windows_telemetry address=52.236.42.239
add list=windows_telemetry address=52.236.43.202
add list=windows_telemetry address=52.255.188.83
add list=windows_telemetry address=65.52.100.7
add list=windows_telemetry address=65.52.100.9
add list=windows_telemetry address=65.52.100.11
add list=windows_telemetry address=65.52.100.91
add list=windows_telemetry address=65.52.100.92
add list=windows_telemetry address=65.52.100.93
add list=windows_telemetry address=65.52.100.94
add list=windows_telemetry address=65.52.161.64
add list=windows_telemetry address=65.55.29.238
add list=windows_telemetry address=65.55.44.51
add list=windows_telemetry address=65.55.44.54
add list=windows_telemetry address=65.55.44.108
add list=windows_telemetry address=65.55.44.109
add list=windows_telemetry address=65.55.83.120
add list=windows_telemetry address=65.55.113.11
add list=windows_telemetry address=65.55.113.12
add list=windows_telemetry address=65.55.113.13
add list=windows_telemetry address=65.55.176.90
add list=windows_telemetry address=65.55.252.43
add list=windows_telemetry address=65.55.252.63
add list=windows_telemetry address=65.55.252.70
add list=windows_telemetry address=65.55.252.71
add list=windows_telemetry address=65.55.252.72
add list=windows_telemetry address=65.55.252.93
add list=windows_telemetry address=65.55.252.190
add list=windows_telemetry address=65.55.252.202
add list=windows_telemetry address=66.119.147.131
add list=windows_telemetry address=104.41.207.73
add list=windows_telemetry address=104.42.151.234
add list=windows_telemetry address=104.43.137.66
add list=windows_telemetry address=104.43.139.21
add list=windows_telemetry address=104.43.139.144
add list=windows_telemetry address=104.43.140.223
add list=windows_telemetry address=104.43.193.48
add list=windows_telemetry address=104.43.228.53
add list=windows_telemetry address=104.43.228.202
add list=windows_telemetry address=104.43.237.169
add list=windows_telemetry address=104.45.11.195
add list=windows_telemetry address=104.45.214.112
add list=windows_telemetry address=104.46.1.211
add list=windows_telemetry address=104.46.38.64
add list=windows_telemetry address=104.210.4.77
add list=windows_telemetry address=104.210.40.87
add list=windows_telemetry address=104.210.212.243
add list=windows_telemetry address=104.214.35.244
add list=windows_telemetry address=104.214.78.152
add list=windows_telemetry address=131.253.6.87
add list=windows_telemetry address=131.253.6.103
add list=windows_telemetry address=131.253.34.230
add list=windows_telemetry address=131.253.34.234
add list=windows_telemetry address=131.253.34.237
add list=windows_telemetry address=131.253.34.243
add list=windows_telemetry address=131.253.34.246
add list=windows_telemetry address=131.253.34.247
add list=windows_telemetry address=131.253.34.249
add list=windows_telemetry address=131.253.34.252
add list=windows_telemetry address=131.253.34.255
add list=windows_telemetry address=131.253.40.37
add list=windows_telemetry address=134.170.30.202
add list=windows_telemetry address=134.170.30.203
add list=windows_telemetry address=134.170.30.204
add list=windows_telemetry address=134.170.30.221
add list=windows_telemetry address=134.170.52.151
add list=windows_telemetry address=134.170.235.16
add list=windows_telemetry address=157.56.74.250
add list=windows_telemetry address=157.56.91.77
add list=windows_telemetry address=157.56.106.184
add list=windows_telemetry address=157.56.106.185
add list=windows_telemetry address=157.56.106.189
add list=windows_telemetry address=157.56.113.217
add list=windows_telemetry address=157.56.121.89
add list=windows_telemetry address=157.56.124.87
add list=windows_telemetry address=157.56.149.250
add list=windows_telemetry address=157.56.194.72
add list=windows_telemetry address=157.56.194.73
add list=windows_telemetry address=157.56.194.74
add list=windows_telemetry address=168.61.24.141
add list=windows_telemetry address=168.61.146.25
add list=windows_telemetry address=168.61.149.17
add list=windows_telemetry address=168.61.161.212
add list=windows_telemetry address=168.61.172.71
add list=windows_telemetry address=168.62.187.13
add list=windows_telemetry address=168.63.100.61
add list=windows_telemetry address=168.63.108.233
add list=windows_telemetry address=191.236.155.80
add list=windows_telemetry address=191.237.218.239
add list=windows_telemetry address=191.239.50.18
add list=windows_telemetry address=191.239.50.77
add list=windows_telemetry address=191.239.52.100
add list=windows_telemetry address=191.239.54.52
add list=windows_telemetry address=207.68.166.254
And what have I written?
Your solution is useless because in the near future DoH and DoT will be used…
Indeed, they already use them…
I'm also doing this, complete with verified certificate.
You always want easy things...
I could make a C++ script to do it for me but I'm low on time.
@Cablenut9… “the solution is useless (intercept standard DNS on 53)” is for @osc86, not for you…
There are no reports that Microsoft is going to force users to use DoH or DoT any time soon. And even if they do, if you control the clients, you’ll be able to disable it using group policies.
Blocking IP ranges is way more useless, as they can change any time and with the increased use of CDNs and IPv6 it’ll be even more useless.
The solution I posted has been tested and works. There wasn’t a single word about policy routing in the original post.
Now I don’t know what to do, use regex or use the address-lists. I probably shouldn’t do both because that’d be a waste of CPU resources.
I do not understand this.
What do you mean?
I’m actually trying to make it so all Windows Update traffic gets redirected to a VPN
Here’s the pros and cons for each policy routing method:
Address list pros: Easy (?) on CPU, works with TLS 1.3
Cons: Changes because of CDNs, requires updates
L7 pros: Doesn’t require updates
Cons: Hard (?) on CPU, doesn’t work with TLS 1.3
Actually it won’t be too cpu intensive because only (small) dns packets will be matched against the L7 filter. In this case, the TLS version is unimportant.
However, for policy routing a little more is required, you should’ve mentioned this in your first post.
My solution just prevents a successful dns resolution of the specified domain, which obviously is not what you want, so you’d have to use rextended’s solution and mark sessions/packets based on an address list and route them via vpn using mangle rules.
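The policy-routing setup described in the reply above (mark by address list, route via the VPN with mangle rules), written out as an added example that is not part of the original thread. It assumes a LAN of 192.168.88.0/24, a VPN interface already up and named wg-vpn, the windows_update address list posted earlier in this thread, and RouterOS v7 syntax; all of these names are assumptions, not taken from the page.

```routeros
# Added example (not from the thread): send traffic for the windows_update
# address list through the VPN instead of the cellular uplink.
# Assumed names: LAN 192.168.88.0/24, VPN interface "wg-vpn", RouterOS v7.

# 1. A dedicated routing table for VPN-bound traffic (v7 only; on v6 skip
#    this and put routing-mark=via-vpn on the route itself).
/routing table
add name=via-vpn fib

# 2. Mark the connection once on its first packet, then mark routing on
#    every packet of a marked connection. One address-list lookup per
#    connection is cheaper than one per packet.
/ip firewall mangle
add chain=prerouting src-address=192.168.88.0/24 dst-address-list=windows_update \
    connection-mark=no-mark action=mark-connection new-connection-mark=wu-conn \
    comment="Windows Update destinations"
add chain=prerouting connection-mark=wu-conn action=mark-routing \
    new-routing-mark=via-vpn passthrough=no

# 3. Default route for the marked table via the tunnel, plus a blackhole at a
#    worse distance so that if the tunnel goes down the marked traffic is
#    dropped instead of falling back to the main table and the cellular ISP.
/ip route
add dst-address=0.0.0.0/0 gateway=wg-vpn routing-table=via-vpn comment="WU via VPN"
add dst-address=0.0.0.0/0 blackhole routing-table=via-vpn distance=10 comment="fail closed"

# 4. Masquerade behind the tunnel address so replies come back the same way.
/ip firewall nat
add chain=srcnat out-interface=wg-vpn action=masquerade
```

To check it, start Windows Update on a client and run `/ip firewall connection print where connection-mark=wu-conn` and `/ip route print where routing-table=via-vpn`; the connections should carry the mark and the active route should be the one via wg-vpn. The weakness is the hand-maintained IP list (CDN addresses change, as noted later in the thread); recent RouterOS 7 releases can fill an address list from the answers to a static forwarding entry (`address-list=` on `/ip dns static`), but that is an assumption to verify against your version and it only applies when the entry forwards to a plain-DNS upstream.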
This is basically useless to me as I’m using DoH which hides all the DNS from attackers, but you already knew this.
you’d have to use rextended’s solution and mark sessions/packets based on an address list and route them via vpn using mangle rules.
Why couldn’t I use the L7 method for policy routing, other than the CPU problem?
This is basically useless to me as I’m using DoH which hides all the DNS from attackers, but you already knew this.
Bullshit! Not even the just released Windows 11 pre-release uses DoH or DoT for DNS resolution. It’s using the same unencrypted shit that was invented in 1983. You have to understand that only the (unencrypted!) dns traffic between your Windows Client and the configured DNS Server (I assumed it’s the Mikrotik Router) gets inspected/altered. It doesn’t matter if you’re using DoH on any upstream DNS Resolver.
The only exception would be if you configured an external public DoH/DoT Server on your windows clients, which nobody with a clear mind would ever do. If this is the case, there’s no solution for your problem. RouterOS can’t break TLS connections as it’s an Operating System designed to route packets, not to be a next generation firewall.
You didn’t even come close to what I’m doing. To stop cellular operators from seeing any unencrypted DNS requests, I set up a hairpin NAT rule to redirect all port-53 DNS to the Mikrotik which has its DNS server, and that server uses DoH over the cellular network that the ISP can see. However, in TLS 1-1.2 and HTTP requests, you can still see the domain in packets so I need some way to stop Windows Update ones from getting routed the usual way, so I just need some method to identify them to send to some VPN tunnel.