memelchenkov
Member Candidate
Topic Author
Posts: 202
Joined: Sun Oct 11, 2020 12:00 pm

Feature request: Wildcard DNS on Address Lists

Mon Jun 07, 2021 12:56 pm

Hello! It would be cool if you implemented wildcards for the Firewall Address List. It's easy to use with the internal DNS server, easier than L7 processing. There were already such requests, but they were for v6, so I hope we'll finally see it in v7.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Feature request: Wildcard DNS on Address Lists

Mon Jun 07, 2021 1:56 pm

Any example?

Like putting "*.google.it" and RouterOS trying to resolve (to add the IPs to the address-list)
all possible combinations, like qoiruq94763254789.google.it, 978w6b5v987265298c7.google.it, 9999999999999999999999999.google.it, etc.?
 
netravnen
Frequent Visitor
Posts: 61
Joined: Sun Dec 31, 2017 2:48 am

Re: Feature request: Wildcard DNS on Address Lists

Mon Jun 07, 2021 3:11 pm

Use an external DNS server as a work-around (i.e. a DNS blackhole, instead of blocking the traffic at the IP level).
# The wildcard domain (*.google.com) and all subdomains will be resolved as 127.0.0.1 - dnsmasq.conf
address=/.google.com/127.0.0.1
Last edited by netravnen on Mon Jun 07, 2021 3:18 pm, edited 2 times in total.
 
memelchenkov
Member Candidate
Topic Author
Posts: 202
Joined: Sun Oct 11, 2020 12:00 pm

Re: Feature request: Wildcard DNS on Address Lists

Mon Jun 07, 2021 3:14 pm

like put "*.google.it" and the routeros try to resolve (address to add ip on address-list)
all possible combination
Yes.
 
memelchenkov
Member Candidate
Topic Author
Posts: 202
Joined: Sun Oct 11, 2020 12:00 pm

Re: Feature request: Wildcard DNS on Address Lists

Mon Jun 07, 2021 3:16 pm

Use an external DNS server for that?
I use these lists for traffic forwarding, not blocking. So this feature built into MikroTik would be perfect. Even more, it's already there, just with no wildcard support yet.
 
netravnen
Frequent Visitor
Posts: 61
Joined: Sun Dec 31, 2017 2:48 am

Re: Feature request: Wildcard DNS on Address Lists

Mon Jun 07, 2021 3:21 pm

use these lists for traffic forwarding, not blocking
What about a solution using an external server to expand e.g. the Google as-set (using e.g. bgpq3) into an ip-prefix list? That could then be imported (push from server, or pull from RouterOS) as an address list into the firewall config context.
 
memelchenkov
Member Candidate
Topic Author
Posts: 202
Joined: Sun Oct 11, 2020 12:00 pm

Re: Feature request: Wildcard DNS on Address Lists

Mon Jun 07, 2021 4:22 pm

(using e.g. bgpq3)

You usually don't want to get the whole AS range. You may not know all ASes used by a website. And it involves 3rd-party integration anyway. For home/small offices it's overkill. I am pretty happy with what the embedded DNS server and Firewall Address List offer, I just want it to be more flexible.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Feature request: Wildcard DNS on Address Lists

Mon Jun 07, 2021 5:32 pm

like put "*.google.it" and the routeros try to resolve (address to add ip on address-list)
all possible combination
Yes.
It's a provocation, did you not notice that?
Do you really think RouterOS goes and tests from
a.google.it
aa.google.it
aaa.google.it
aaaa.google.it
aaaaa.google.it
aaaaaa.google.it
aaaaaaa.google.it
aaaaaaaa.google.it
to
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.google.it
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.google.it
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.google.it
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.google.it
etc., to discover whether the DNS name exists and put the IP inside the address list?

Your point of view is completely wrong.

Again:
any example of what you want to obtain in the end, with a real-life example?
 
netravnen
Frequent Visitor
Posts: 61
Joined: Sun Dec 31, 2017 2:48 am

Re: Feature request: Wildcard DNS on Address Lists

Mon Jun 07, 2021 5:49 pm

you think really routeros go test from
If done on a reactive basis, with the DNS server on the network being the RouterOS gateway, and done before the connection + DNS reply is delivered to the client on the inside of the gateway router, it should (in theory!) be very feasible to implement.

Entries added to the FW address list can support a configurable timeout to avoid the address list just growing and growing without end.
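A sketch of the reactive scheme described in this post, as an added illustration (not RouterOS code, and not from anyone in the thread): the gateway resolver inspects each DNS answer, an answer whose queried name matches a configured wildcard has its IP added to that list, and each entry expires after the DNS TTL (capped) so the list cannot grow without end. The function names, the `fwd-*` list names and the sample answers are assumptions.

```python
from collections.abc import Iterable

def wildcard_match(pattern: str, qname: str) -> bool:
    """'*.example.com' matches any subdomain (not the apex); anything else is exact."""
    pattern, qname = pattern.lower().rstrip("."), qname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        return qname.endswith(suffix) and len(qname) > len(suffix)
    return qname == pattern

def build_address_list(patterns: dict, answers: Iterable, now: float,
                       max_timeout: int = 86400) -> dict:
    """Return {(list_name, ip): expires_at}. patterns maps wildcard -> list name;
    answers are (qname, ip, ttl) tuples taken from DNS replies seen by the resolver."""
    table = {}
    for qname, ip, ttl in answers:
        for pattern, list_name in patterns.items():
            if wildcard_match(pattern, qname):
                expires = now + min(ttl, max_timeout)  # cap absurd TTLs
                key = (list_name, ip)
                table[key] = max(table.get(key, 0), expires)  # refresh, never shorten
    return table

def purge_expired(table: dict, now: float) -> dict:
    """Drop entries whose DNS-derived timeout has passed."""
    return {k: v for k, v in table.items() if v > now}

def routeros_commands(table: dict, now: float) -> list:
    """Render the table as address-list commands with timeouts
    (the push-from-server variant mentioned in the thread)."""
    return [f"/ip firewall address-list add list={name} address={ip} "
            f"timeout={int(exp - now)}s"
            for (name, ip), exp in sorted(table.items())]

# Constructed sample answers (documentation IP ranges), not a real capture.
SAMPLE_ANSWERS = [
    ("www.google.com", "192.0.2.10", 300),
    ("mail.google.com", "192.0.2.11", 60),
    ("google.com", "192.0.2.20", 300),        # apex: not matched by *.google.com
    ("cdn.google.com", "192.0.2.10", 120),    # same IP, shorter TTL: keep longer expiry
    ("example.net", "198.51.100.5", 99999),   # TTL above the cap
]
PATTERNS = {"*.google.com": "fwd-google", "example.net": "fwd-example"}

if __name__ == "__main__":
    table = build_address_list(PATTERNS, SAMPLE_ANSWERS, now=1000)
    print("\n".join(routeros_commands(table, now=1000)))
```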
 
memelchenkov
Member Candidate
Topic Author
Posts: 202
Joined: Sun Oct 11, 2020 12:00 pm

Re: Feature request: Wildcard DNS on Address Lists

Mon Jun 07, 2021 5:54 pm

It's a provocation, you do not notice that?
you think really routeros go test from
You got it wrong. A device queries MikroTik's DNS server -> the address list is filled. That's all. It's how it works now (?) — I don't know exactly how it is implemented now, but the IP address appears in the list after the DNS request; it's not pre-filled.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Feature request: Wildcard DNS on Address Lists

Mon Jun 07, 2021 6:04 pm

In the OP you asked for >>>wildcards for Firewall Address List<<<,
not wildcards for DNS static entries, which already exist.

Again, you do not understand.

Actually, if I put www.google.it in the firewall address-list, it also adds one or more dynamic IPs with a timeout equal to the TTL given in the DNS reply.

If some wildcard is used, just one "dot" for example, RouterOS, to do what you want, must try all valid DNS characters like:
1.google.it, 2.google.it .... a.google.it, b.google.it ... y.google.it, z.google.it
so with one single wildcard character it must do 40 DNS requests.
If something like a "*" wildcard is added, RouterOS must try from
1.google.it
to
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz.google.it
To do that, it must do (243 positions with 40 possible values for each position = 40^253 =) ~ 2*10^405 DNS queries.

Just 2*10^405 DNS queries, for each wildcard DNS on the address list..
The number of atoms in the universe is like 10^82...

Very feasible, no?
 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Feature request: Wildcard DNS on Address Lists

Mon Jun 07, 2021 9:27 pm

Geez rextended, Pirelli needs you to fix their F1 tire issues!!
Your talents are wasted in the MT help forums ;-)
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Feature request: Wildcard DNS on Address Lists

Tue Jun 08, 2021 12:53 am

Geez rextended, Pirelli needs you to fix their F1 tire issues!!
Your talents are wasted in the MT help forums ;-)
I'm Italian but I prefer Bridgestone :((
In my opinion Pirelli is really shitty, Bridgestone must come back :((
And an Italian is telling you this, so this time you're not being offensive :((
 
noradtux
newbie
Posts: 39
Joined: Mon May 24, 2021 6:33 pm

Re: Feature request: Wildcard DNS on Address Lists

Thu Jun 10, 2021 10:29 am

A firewall product I use can supposedly use wildcards in its ruleset by reading the DNS queries that pass through it and populating those wildcard entries with the info it captured from those DNS responses.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Feature request: Wildcard DNS on Address Lists

Thu Jun 10, 2021 2:06 pm

A firewall product I use can supposedly use wildcards in its ruleset by reading DNS queries that pass it and populate those wildcard entries with the info it captured from those DNS responses.
And what?
The OP is about wildcards on the firewall access-list, not the already existing wildcards on DNS...
