Fri Aug 12, 2016 11:05 am
When you want a dynamic blacklist containing only single IP addresses (not subnets), on RouterOS 6.36 and later,
you can put the addresses in some DNS server you can manage and add an address list that has the corresponding
DNS name. I have tried with about 2000 addresses and it works OK: the MikroTik resolves the DNS name, finds
there are too many results for UDP, retries in TCP mode (so your DNS server has to support that!) and retrieves
all the 2000 addresses and puts them in the address list. And the DNS query is automatically re-run every time
the TTL of the DNS record ticks to zero.
So, no more need for scripts, you can configure many routers like this and only need to maintain the list in the
DNS server, with a TTL appropriate for the frequency at which you do the updates.
Unfortunately this only works for single addresses, because you cannot put subnets in DNS. Maybe a nice
enhancement would be if MikroTik also resolved TXT records and recognized a.b.c.d/e strings to create
subnets in the address list.
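The workflow described in the post (publish single addresses under one DNS name, let each router pull them into an address list) is easy to get wrong on two points it raises: the list must contain no subnets, and the response quickly outgrows a UDP datagram. The following is an added example, not code from the post or from MikroTik, that turns a plain-text blocklist into BIND-style A/AAAA records, sets aside the CIDR entries that cannot be published, and estimates the answer size so you can confirm in advance that your DNS server must answer over TCP. The zone name blacklist.example.com and the blocklist lines are constructed sample input; the 512-byte limit is the classic non-EDNS DNS/UDP bound from RFC 1035, used here as the conservative threshold.

```python
"""Build DNS records for a RouterOS DNS-backed address list.

Added example (not from the original post). Assumptions: a BIND-style
zone file, the hypothetical name blacklist.example.com, and the
constructed blocklist below.
"""
import ipaddress

# Constructed sample blocklist: one entry per line, '#' comments and
# blank lines allowed, deliberately containing duplicates, a subnet,
# an IPv6 host and garbage.
SAMPLE_BLOCKLIST = """\
# constructed sample data
198.51.100.7
203.0.113.42
198.51.100.7
10.0.0.0/8
2001:db8::1
not-an-address
192.0.2.0/24
203.0.113.43
"""

DNS_UDP_LIMIT = 512          # classic DNS/UDP payload limit without EDNS
DNS_HEADER_LEN = 12          # fixed DNS message header
A_RR_LEN = 2 + 2 + 2 + 4 + 2 + 4     # compressed name ptr, type, class, TTL, rdlength, IPv4
AAAA_RR_LEN = 2 + 2 + 2 + 4 + 2 + 16  # same with a 16-byte IPv6 rdata


def parse_blocklist(text):
    """Split a blocklist into (hosts, subnets, bad) with duplicates removed.

    Only hosts can be published as A/AAAA records; subnets are returned
    separately so the operator can push them to routers another way.
    """
    hosts, subnets, bad = [], [], []
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            bad.append(line)
            continue
        if net in seen:
            continue
        seen.add(net)
        if net.num_addresses == 1:
            hosts.append(net.network_address)
        else:
            subnets.append(net)
    # IPv4 and IPv6 objects do not compare with each other, so sort on a tuple.
    hosts.sort(key=lambda a: (a.version, int(a)))
    return hosts, subnets, bad


def render_zone(name, hosts, ttl):
    """Return zone-file lines: one A or AAAA record per host under `name`.

    The TTL is what drives the router's refresh interval, so pick it to
    match how often the list is regenerated.
    """
    lines = []
    for addr in hosts:
        rtype = "A" if addr.version == 4 else "AAAA"
        lines.append(f"{name}.\t{ttl}\tIN\t{rtype}\t{addr}")
    return "\n".join(lines)


def encoded_name_len(name):
    """Wire length of a DNS name: one length byte per label plus the root byte."""
    return len(name.rstrip(".")) + 2


def response_size(name, record_count, rr_len=A_RR_LEN):
    """Approximate wire size of a reply carrying `record_count` records.

    Header + question (name + qtype + qclass) + one compressed RR per
    answer. Good enough to decide whether UDP can carry the reply.
    """
    question_len = encoded_name_len(name) + 4
    return DNS_HEADER_LEN + question_len + record_count * rr_len


def max_records_for_udp(name, rr_len=A_RR_LEN):
    """How many records fit in a non-EDNS UDP reply for this name."""
    return (DNS_UDP_LIMIT - DNS_HEADER_LEN - encoded_name_len(name) - 4) // rr_len


def needs_tcp(name, record_count, rr_len=A_RR_LEN):
    """True when the reply would be truncated over UDP and the client must retry over TCP."""
    return response_size(name, record_count, rr_len) > DNS_UDP_LIMIT


if __name__ == "__main__":
    zone_name = "blacklist.example.com"
    hosts, subnets, bad = parse_blocklist(SAMPLE_BLOCKLIST)
    print(render_zone(zone_name, hosts, ttl=3600))
    print(f"# skipped subnets (cannot be published in DNS): {[str(s) for s in subnets]}")
    print(f"# rejected entries: {bad}")
    print(f"# A records that still fit in UDP: {max_records_for_udp(zone_name)}")
    print(f"# 2000 A records -> {response_size(zone_name, 2000)} bytes, TCP needed: {needs_tcp(zone_name, 2000)}")
```

Feed the rendered lines into the zone for the domain you control, and on each router reference the name rather than the addresses, e.g. `/ip firewall address-list add list=blacklist address=blacklist.example.com`. For a name of this length only about 29 A records fit in a classic 512-byte UDP reply, so a list of a few dozen entries already depends on the DNS server answering over TCP; check that with `dig +tcp` against the server before rolling the name out to the routers.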