Knight
newbie
Topic Author
Posts: 44
Joined: Thu Feb 09, 2012 1:40 am

Remote DNS Request, Block Client Device  [SOLVED]

Sun Mar 05, 2023 11:43 pm

Hello,

I am building a private DNS server using Mikrotik with remote requests enabled.

My clients are connected to my server from the WAN port and they are not on the same network (not local clients).

So, aside from the IP address, because it changes every time the client reboots the router, is there a way to detect the client device to block it?

Being a remote client means that the client device src-mac is not real and the MikroTik is reading its gateway mac-address, so I can't use the src-mac,
but I was thinking: is it possible to detect something unique on the packet level and apply an L7 pattern to detect it?
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Remote DNS Request, Block Client Device

Mon Mar 06, 2023 1:25 am

What's the point? Try to share more details.

If it's some non-public domain, you could do some filtering on that. But then I'd also expect internal addresses, and there would have to be some VPN to access them, so just use it for accessing the DNS server too.

If it's a resolver for regular public domains, e.g. because clients can't trust resolvers provided by their ISPs, you couldn't identify who is asking, whether it's an allowed client or someone else. But an ISP doing something bad with their local DNS could as well do the same with other requests, so you'd probably also want something to prevent that, like a VPN.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19102
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Remote DNS Request, Block Client Device

Mon Mar 06, 2023 1:27 am

Yes, sounds like a self-made work project with no direction or real purpose. I think the thread was started by ChatGPT ;-)
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Remote DNS Request, Block Client Device

Mon Mar 06, 2023 4:40 am

Most likely not, but I can't wait until spammers discover that it would be perfect for generating hard-to-detect, not-clearly-nonsense posts to establish their presence.
 
Knight
newbie
Topic Author
Posts: 44
Joined: Thu Feb 09, 2012 1:40 am

Re: Remote DNS Request, Block Client Device

Mon Mar 06, 2023 5:51 am

> What's the point? Try to share more details.
>
> If it's some non-public domain, you could do some filtering on that. But then I'd also expect internal addresses, and there would have to be some VPN to access them, so just use it for accessing the DNS server too.
>
> If it's a resolver for regular public domains, e.g. because clients can't trust resolvers provided by their ISPs, you couldn't identify who is asking, whether it's an allowed client or someone else. But an ISP doing something bad with their local DNS could as well do the same with other requests, so you'd probably also want something to prevent that, like a VPN.
Well, I have devices that are supposed to connect to non-public domains, something like d1.zonex.srv, which should only be available for specific devices. We also need these devices to not connect to any domains but the ones we allow, to prevent some pre-installed apps from sharing our private data.

Unfortunately, the devices' firmware doesn't have any VPN client and we can't install any because they are closed source, and they are not under our control to be managed by a firewall, so the only way to achieve this is to connect these devices to our DNS server, which will resolve d1.zonex.srv to the right address and block the unwanted apps.

In short, our service will be available only for those who use our DNS server, which ensures the unwanted apps are blocked.

We already achieved this, but it would be a nice bonus if we could do something like making a specific domain work only for a specific device.

Based on my information, this is not possible since the client device won't send anything unique to the DNS server, but idk if the incoming requests contain something like a user agent that I can use an L7 pattern to match.

I know user agents are not unique and can be changed, but in our case we are dealing with devices that never change the user agent, and the variety of device models and firmware versions will narrow the possibility of having identical user agents on our server.
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Remote DNS Request, Block Client Device

Mon Mar 06, 2023 6:09 am

Regular DNS doesn't have anything like a user agent. You can use e.g. Wireshark to check what's in the packets, but in short, there's nothing you could use. But you could use L7 to match queries for the .srv TLD:
\x03srv.\x01$
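An added example (my own code, not Sob's rule and not anything from RouterOS) showing what a plain DNS query carries on the wire, why there is no user-agent-like field in it, how a TLD match against the raw bytes works in the spirit of the L7 idea above, and the allowlist policy Knight describes. The names d1.zonex.srv and zonex.srv come from the thread; the packet itself is constructed here, not captured.

```python
import re
import struct

def build_dns_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Constructed sample: a minimal RFC 1035 query (header + one question) for `name`."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = recursion desired
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # QTYPE (1 = A), QCLASS (1 = IN)

def parse_qname(packet: bytes) -> str:
    """Walk the length-prefixed labels after the 12-byte header. The header holds only
    a transaction id, flags and section counts: nothing that identifies the client device."""
    pos, labels = 12, []
    while True:
        length = packet[pos]
        if length == 0:            # root label terminates the name
            break
        if length & 0xC0:          # compression pointer, not expected in a query name
            raise ValueError("compression pointer not expected in a query name")
        pos += 1
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)

# My own wire-level equivalent of an L7 rule for the .srv TLD: a 3-byte label "srv"
# followed by the root terminator. This is not the pattern given in the post above.
SRV_TLD_WIRE = re.compile(rb"\x03srv\x00", re.IGNORECASE)

def query_is_for_srv_tld(packet: bytes) -> bool:
    return SRV_TLD_WIRE.search(packet) is not None

def decide(packet: bytes, allowed_zones) -> str:
    """Allowlist policy from the thread: answer only names inside the permitted zones,
    drop everything else (so pre-installed apps cannot resolve anything we did not allow)."""
    name = parse_qname(packet).lower()
    for zone in allowed_zones:
        zone = zone.lower().rstrip(".")
        if name == zone or name.endswith("." + zone):
            return "allow"
    return "drop"

if __name__ == "__main__":
    pkt = build_dns_query("d1.zonex.srv")
    print(pkt[12:].hex(), parse_qname(pkt), query_is_for_srv_tld(pkt), decide(pkt, ["zonex.srv"]))
```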
 
reinerotto
Long time Member
Long time Member
Posts: 520
Joined: Thu Dec 04, 2008 2:35 am

Re: Remote DNS Request, Block Client Device

Mon Mar 06, 2023 8:19 am

> it would be a nice bonus if we could do something like making a specific domain work only for a specific device.<
You can do this, in case you can install a special service (i.e. DNS server or DNS forwarder; router) at the location of your "specific device", to catch the MAC.
