Drail
just joined
Topic Author
Posts: 5
Joined: Sat Aug 18, 2018 4:40 pm
Location: Poland

Blocking .io domains

Sat Aug 18, 2018 4:45 pm

Hello, I'm new to MT devices. I'm trying to block .io domains. Could you help me block .io domains? I blocked one domain by adding its IP to the firewall and setting the action to reject. This blocked domain is not blocked 100%; it loads very slowly and only the HTML. But some of the traffic is rejected. Can you help me with a strong block of websites?
 
WirtelPL
newbie
Posts: 34
Joined: Sat Nov 11, 2017 11:22 am
Location: Poland

Re: Blocking .io domains

Tue Aug 21, 2018 1:03 pm

Maybe it will be helpful?
https://mikrotikconfig.com/firewall/

I haven't tried it yet :-)
RB951G-2HnD for home production
RBmAP2nD | RB952Ui-5ac2nD-TC for home lab
 
Drail
just joined
Topic Author
Posts: 5
Joined: Sat Aug 18, 2018 4:40 pm
Location: Poland

Re: Blocking .io domains

Wed Aug 22, 2018 9:47 am

Okay, but .io domain is administered by the Internet Computer Bureau, so I need to exclude UK?
 
pe1chl
Forum Guru
Posts: 5928
Joined: Mon Jun 08, 2015 12:09 pm

Re: Blocking .io domains

Wed Aug 22, 2018 11:08 am

Blocking such a wide target is almost always going to cause problems. And serve no purpose.
You should also know that a router operates at the "IP address" level, not at the "domain" level.
So all methods to block such things are problematic at best.
 
Drail
just joined
Topic Author
Posts: 5
Joined: Sat Aug 18, 2018 4:40 pm
Location: Poland

Re: Blocking .io domains

Wed Aug 22, 2018 11:19 am

Okay, but I just need to block games hosted on .io domains. Nobody uses .io domains for anything other than games. When I had a small Asus router, I could do that. I simply added .io to the firewall and that was all I needed to do. Is it possible to do that on MT?
 
normis
MikroTik Support
Posts: 24277
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Blocking .io domains

Wed Aug 22, 2018 11:26 am

Nobody uses io domains for anything other than games.
That is 100% not true :D There are tons of nice projects hosted on .io domains. Javascript frameworks, hacking communities and many nice things unrelated to games.
 
nescafe2002
Long time Member
Posts: 624
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: Blocking .io domains

Wed Aug 22, 2018 11:27 am

You can add a regexp dns entry to redirect all .io domains to localhost (or any invalid ip address as you like):
/ip dns static
add address=127.0.0.1 regexp=".*\\.io\$"
add address=::1 regexp=".*\\.io\$"

Edit: add ::1 for IPv6 enabled routers
Last edited by nescafe2002 on Wed Aug 22, 2018 11:42 am, edited 2 times in total.
 
Drail
just joined
Topic Author
Posts: 5
Joined: Sat Aug 18, 2018 4:40 pm
Location: Poland

Re: Blocking .io domains

Wed Aug 22, 2018 11:34 am

@normis
Nobody uses io domains for anything other than games.
That is 100% not true :D There are tons of nice projects hosted on .io domains. Javascript frameworks, hacking communities and many nice things unrelated to games.
Nobody in the network where this MT is :) Only my gf's sister wants to play .io. Her father told me to block this, that's all :D


@nescafe2002
You can add a regexp dns entry to redirect all .io domains to localhost (or any invalid ip address as you like):
/ip dns static
add address=127.0.0.1 regexp=".*\\.io\$"
Thank you, I will try this later.
Last edited by Drail on Wed Aug 22, 2018 11:43 am, edited 1 time in total.
 
eider
newbie
Posts: 30
Joined: Thu Nov 30, 2017 10:14 pm

Re: Blocking .io domains

Wed Aug 22, 2018 11:54 am

This will block DNS requests for .io, both on the output chain (from the router, if the router is serving DNS requests) and on the forward chain (in case a user changes their DNS server to something else, or the router is not serving DNS requests). The block is done using reject so that the resolver does not have to keep waiting for a timeout, as would be the case with drop.
/ip firewall layer7-protocol
add name=\
    dns_io regexp="^.\?.\?.\?.\?[\\x01\\x02].\?.\?.\?.\?.\?.\?[\\x01-\?][a-z0\
    -9_][\\x01-\?a-z_]*[\\x02-\\x06](io)[\\x01-\\x10\\x1c][\\x\
    01\\x03\\x04\\xFF]"
/ip firewall filter
add action=reject chain=output \
    dst-port=53 layer7-protocol=dns_io protocol=udp reject-with=\
    icmp-admin-prohibited
add action=reject chain=forward \
    dst-port=53 layer7-protocol=dns_io protocol=udp reject-with=\
    icmp-admin-prohibited
Last edited by eider on Wed Aug 22, 2018 4:44 pm, edited 1 time in total.
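The two approaches above match the same thing at different layers: nescafe2002's static entry applies a regexp to the already-decoded name inside the router's resolver, while eider's layer7 rule pattern-matches the raw UDP payload, where the name is a sequence of length-prefixed labels. The following Python is an added example, not code from this thread or from RouterOS: it builds a constructed DNS query in wire format, extracts the question name the way a label-aware inspector would, and compares a "rightmost label is io" check with the static-entry regexp (the export string `".*\\.io\$"` is RouterOS escaping for the pattern `.*\.io$`; applying it case-insensitively is this example's choice, since DNS names are case-insensitive). The names, transaction id and helper functions are all assumptions made for the demonstration.

```python
import re
import struct

# RouterOS exports the static entry as regexp=".*\\.io\$" because "$" would
# otherwise be expanded as a variable inside double quotes; the pattern the
# resolver applies is the one below. Case-insensitivity is this example's choice.
STATIC_IO_REGEXP = re.compile(r".*\.io$", re.IGNORECASE)


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Construct a minimal DNS A/IN query in wire format (constructed input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    qname = b"".join(
        struct.pack("!B", len(label)) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_qname(packet: bytes) -> str:
    """Extract the first question name from a DNS packet.

    Walks the length-prefixed labels after the 12-byte header; a query's
    question section is not expected to contain compression pointers.
    """
    if len(packet) < 12:
        raise ValueError("packet shorter than DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question in packet")
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return ".".join(labels)


def query_for_io_tld(packet: bytes) -> bool:
    """Label-aware check: is the rightmost label of the question name 'io'?

    Malformed packets are treated as non-matching rather than raising, which is
    the safer default for a matcher sitting in a filter path.
    """
    try:
        name = parse_qname(packet)
    except ValueError:
        return False
    return name.lower().split(".")[-1] == "io"


def static_entry_matches(name: str) -> bool:
    """The static DNS entry's regexp applied to a decoded name."""
    return STATIC_IO_REGEXP.match(name) is not None


if __name__ == "__main__":
    for name in ("example.io", "docs.github.io", "example.com", "radio", "io"):
        pkt = build_query(name)
        print(f"{name:16} static={static_entry_matches(name)!s:5} "
              f"label-aware={query_for_io_tld(pkt)}")
```

One difference the run makes visible: the static regexp requires a literal dot before `io`, so a bare `io` query is not matched by it, while the label-aware check matches any name whose last label is `io`. A name such as `radio` matches neither, because the dot is required in one case and label boundaries are respected in the other.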
 
Jotne
Forum Guru
Posts: 1310
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Blocking .io domains

Wed Aug 22, 2018 12:17 pm

/ip dns static
add address=127.0.0.1 regexp=".*\\.io\$"
add address=::1 regexp=".*\\.io\$"
To make this work even better, add a rule that redirects all DNS to your server, so it will not help if a user changes their DNS.

Add this:
/ip firewall nat add chain=dstnat action=redirect to-ports=53 protocol=udp  dst-port=53
Last edited by Jotne on Wed Aug 22, 2018 12:22 pm, edited 1 time in total.
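The redirect rule above is matched on chain, protocol and destination port, so what it covers is worth checking against the traffic you expect. The Python below is an added example, not code from this thread or from RouterOS: it parses RouterOS-style `add key=value ...` NAT lines into rule objects and evaluates constructed flows against them, first with the single UDP rule as posted and then with a second rule for TCP port 53 added alongside it (that second rule, the flow records and the helper names are assumptions made for the demonstration).

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    chain: str
    protocol: str
    dst_port: int
    action: str
    to_ports: Optional[int] = None


@dataclass(frozen=True)
class Flow:
    """Constructed flow record: the fields the rule matches on."""
    chain: str
    protocol: str
    dst_port: int


def parse_nat_rule(line: str) -> Rule:
    """Parse a RouterOS-style '[/ip firewall nat] add k=v k=v ...' line.

    Only the keys used by the thread's rule are interpreted; unknown keys are
    kept in the dict but ignored.
    """
    tokens = line.split()
    if "add" not in tokens:
        raise ValueError("not an add command")
    fields = {}
    for token in tokens[tokens.index("add") + 1:]:
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"malformed token: {token!r}")
        fields[key] = value
    return Rule(
        chain=fields["chain"],
        protocol=fields["protocol"],
        dst_port=int(fields["dst-port"]),
        action=fields["action"],
        to_ports=int(fields["to-ports"]) if "to-ports" in fields else None,
    )


def first_match(rules: List[Rule], flow: Flow) -> Optional[Rule]:
    """Firewall semantics: the first rule whose criteria all match wins."""
    for rule in rules:
        if (rule.chain == flow.chain
                and rule.protocol == flow.protocol
                and rule.dst_port == flow.dst_port):
            return rule
    return None


def redirected(rules: List[Rule], flow: Flow) -> bool:
    rule = first_match(rules, flow)
    return rule is not None and rule.action == "redirect"


# The rule as posted in the thread.
POSTED_RULE = "/ip firewall nat add chain=dstnat action=redirect to-ports=53 protocol=udp dst-port=53"
# Assumed companion rule for DNS over TCP, added for the comparison.
TCP_RULE = "add chain=dstnat action=redirect to-ports=53 protocol=tcp dst-port=53"

ORIGINAL_RULES = [parse_nat_rule(POSTED_RULE)]
EXTENDED_RULES = ORIGINAL_RULES + [parse_nat_rule(TCP_RULE)]

# Constructed flows: plain UDP DNS, DNS over TCP, and unrelated HTTPS.
SAMPLE_FLOWS = [
    Flow("dstnat", "udp", 53),
    Flow("dstnat", "tcp", 53),
    Flow("dstnat", "tcp", 443),
]


def coverage(rules: List[Rule]) -> List[bool]:
    """Which of the sample flows the given rule list redirects, in order."""
    return [redirected(rules, flow) for flow in SAMPLE_FLOWS]


if __name__ == "__main__":
    for label, rules in (("posted", ORIGINAL_RULES), ("with tcp", EXTENDED_RULES)):
        for flow, hit in zip(SAMPLE_FLOWS, coverage(rules)):
            print(f"{label:9} {flow.protocol}/{flow.dst_port}: redirected={hit}")
```

Running it shows that the posted rule redirects UDP/53 only; DNS carried over TCP/53 passes through untouched until a matching TCP rule is added, and unrelated ports are never affected by either set.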
 
pe1chl
Forum Guru
Posts: 5928
Joined: Mon Jun 08, 2015 12:09 pm

Re: Blocking .io domains

Wed Aug 22, 2018 12:17 pm

@normis
Nobody uses io domains for anything other than games.
That is 100% not true :D There are tons of nice projects hosted on .io domains. Javascript frameworks, hacking communities and many nice things unrelated to games.
Nobody in network where this MT is :) Only sister of my gf want to play .io. Her father told me to block this, thats all :D
At least tell the people in that family that they should not be surprised when other websites suddenly do not work anymore due to your solution. And that they can contact you again to solve it.
Remember when you visit a website like forum.mikrotik.com you enter that URL in the top bar but the website itself can use many other components from other sites that you do not see. There can be .io domain names in there, and you will block them, so the site misses part of its components.
But of course it was the same on your Asus router. Doing such blocks looks nice at first sight but it will cause problems, and you have to be lucky to not notice them.
 
nescafe2002
Long time Member
Posts: 624
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: Blocking .io domains

Wed Aug 22, 2018 12:25 pm

@eider, agreed that rejecting is better than redirecting to localhost. It would be better if MT allowed 0.0.0.0 as a static DNS entry (both fulfilling the DNS request, so the resolver wouldn't check the secondary DNS, and eliminating timeouts).

However, your script is syntactically incorrect and results in a full reject on both chains due to missing line continuation marks. Please review or remove it to prevent other users from simply copying and pasting malfunctioning code.
 
eider
newbie
Posts: 30
Joined: Thu Nov 30, 2017 10:14 pm

Re: Blocking .io domains

Wed Aug 22, 2018 4:46 pm

However, your script is syntactically incorrect and results in a full reject on both chains due to missing line continuation marks. Please review or remove it to prevent other users from simply copying and pasting malfunctioning code.
Fixed. Thanks.

Additionally, I do agree with the others here that blocking all of .io is dangerous. Personally I use this solution to prevent remote DNS servers from receiving requests for internal TLDs.
 
Drail
just joined
Topic Author
Posts: 5
Joined: Sat Aug 18, 2018 4:40 pm
Location: Poland

Re: Blocking .io domains

Wed Aug 22, 2018 6:09 pm

@normis
Nobody uses io domains for anything other than games.
That is 100% not true :D There are tons of nice projects hosted on .io domains. Javascript frameworks, hacking communities and many nice things unrelated to games.
Nobody in network where this MT is :) Only sister of my gf want to play .io. Her father told me to block this, thats all :D
At least tell the people in that family that they should not be surprised when other websites suddenly do not work anymore due to your solution. And that they can contact you again to solve it.
Remember when you visit a website like forum.mikrotik.com you enter that URL in the top bar but the website itself can use many other components from other sites that you do not see. There can be .io domain names in there, and you will block them, so the site misses part of its components.
But of course it was the same on your Asus router. Doing such blocks looks nice at first sight but it will cause problems, and you have to be lucky to not notice them.
I know that, it's only a temporary solution, for 1-2 days. It's a jail for the younger kid :)
