Using Domain Name on Ip List

Hello friends, I have one doubt about the Address List in the Firewall. I created an IP list but I used a domain name as the IP address, for example www.google.com. When I apply it I can see that the MikroTik automatically resolves the domain name and creates two dynamic entries with the different IPs of the server, but I don't know if, when the IP of the server changes, I should change it manually or MikroTik does it automatically? If MikroTik does it automatically, can I change how often?

Thanks

If you inspect the address list, you’ll find that there are several items, one with the fqdn and one or more with IP addresses obtained using DNS resolution of that fqdn, which are marked as “dynamic”. And RouterOS updates the items which contain IP addresses by sending a new DNS query when the TTL of the previous DNS response expires:

[me@lab-1] > ip firewall address-list add list=test address=youtube.com

[me@lab-1] > ip firewall address-list print where list=test
Flags: X - disabled, D - dynamic
 #   LIST                            ADDRESS                                              CREATION-TIME        TIMEOUT
 0   test                            youtube.com                                          mar/10/2018 19:00:32
 1 D ;;; youtube.com
     test                            172.217.23.206                                       mar/10/2018 19:00:32

[me@lab-1] > ip dns cache print where name=youtube.com
Flags: S - static
 #   NAME                                    ADDRESS                                                                   TTL
 0   youtube.com                             172.217.23.206                                                            3m22s
 
 ... 4 minutes elapsed ...
 
[me@lab-1] > ip dns cache print where name=youtube.com
Flags: S - static
 #   NAME                                    ADDRESS                                                                   TTL
 0   youtube.com                             216.58.201.110                                                            4m14s

[me@lab-1] > ip firewall address-list print where list=test
Flags: X - disabled, D - dynamic
 #   LIST                            ADDRESS                                              CREATION-TIME        TIMEOUT
 0   test                            youtube.com                                          mar/10/2018 19:00:32
 1 D ;;; youtube.com
     test                            216.58.201.110                                       mar/10/2018 19:05:42

Just be aware that by disabling addresses to which an fqdn resolves this way, you also disable access to any other fqdn which resolves to the same IP address (as they are operated or hosted by the same company). Google is an example - by disabling access to youtube.com, you cut access to google.* as well.

Thanks very much, I know now how it works. The TTL is provided by the DNS server when the router makes the DNS query; I checked and the TTL is 5 minutes for that domain.

Based on the example provided (everyone actually wants to block Youtube, me too =)), it is obvious that we do also need an option to specify .googlevideo.com or ^..googlevideo.com$ or use any other format, but in any case host wildcards are strongly desired.

RouterOS 6.41.2 and 6.42 RC fail to recognize TLS hosts, but even when it is fixed, the above option will be much simpler.

It may be simpler but it is unfortunately too coarse.

The /ip firewall layer7-protocol matchers match on plaintext HTTP requests; the tls-host conditions match on Client Hello packets in which the server name is present in plaintext. And wildcards do work even for tls-host, except that they use glob syntax rather than the regexp syntax used by /ip firewall layer7-protocol matchers.

In both cases above, the fqdn used in those packets is relevant to a particular service.

With address-list, that’s not the case. Google runs a lot of services on the same IP addresses, so although you set just youtube.com as an address-list address, the result is that traffic to any Google service matches that address-list. So although your intention is to ban or slow down YouTube alone, you cannot avoid treating the other Google services, like mail and web search, the same way.
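The two behaviours discussed in this thread, the TTL-driven refresh of the dynamic entries shown in the address-list output earlier and the shared-address caveat just described, modelled as an added Python example (this is not RouterOS or MikroTik code; the DNS answers, TTLs and the FakeResolver are constructed for the demonstration):

```python
# Added example (not RouterOS or MikroTik code): models a fqdn address-list entry
# whose dynamic IP entries are re-resolved when the DNS TTL expires, plus a
# check for other names that share those addresses (the caveat above).

# Constructed DNS answers: successive queries for a name return successive
# (addresses, ttl_seconds) pairs; the last pair repeats once exhausted.
CONSTRUCTED_DNS = {
    "youtube.com": [({"172.217.23.206"}, 202), ({"216.58.201.110"}, 254)],
    "www.google.com": [({"172.217.23.206"}, 300)],
    "mail.google.com": [({"216.58.201.110"}, 300)],
    "example.net": [({"203.0.113.10"}, 300)],  # RFC 5737 documentation range
}


class FakeResolver:
    """Stand-in for the router's DNS client, fed from CONSTRUCTED_DNS."""

    def __init__(self, table):
        self.table = {name: list(answers) for name, answers in table.items()}

    def query(self, name):
        answers = self.table[name]
        return answers.pop(0) if len(answers) > 1 else answers[0]


class FqdnAddressList:
    """Static fqdn entry plus dynamic address entries, as RouterOS shows them."""

    def __init__(self, resolver):
        self.resolver = resolver
        self.lists = {}  # list name -> {fqdn: (addresses, expires_at)}

    def add(self, list_name, fqdn, now):
        addresses, ttl = self.resolver.query(fqdn)
        self.lists.setdefault(list_name, {})[fqdn] = (addresses, now + ttl)

    def refresh(self, now):
        """Re-query every fqdn whose TTL has run out; replace its dynamic entries."""
        for entries in self.lists.values():
            for fqdn, (_, expires_at) in list(entries.items()):
                if now >= expires_at:
                    addresses, ttl = self.resolver.query(fqdn)
                    entries[fqdn] = (addresses, now + ttl)

    def dynamic(self, list_name):
        """Current dynamic addresses of a list (what the firewall actually matches)."""
        return set().union(*(a for a, _ in self.lists.get(list_name, {}).values()))


def collateral(addr_list, list_name, resolver, other_names):
    """Names in other_names that currently resolve to an address already in the list."""
    matched = addr_list.dynamic(list_name)
    return {n for n in other_names if resolver.query(n)[0] & matched}
```

Running collateral() before and after a refresh shows that the set of other hostnames caught by the list changes whenever the resolved address changes, which is why an fqdn address-list cannot isolate one service on shared infrastructure.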