packet255
just joined
Topic Author
Posts: 2
Joined: Sat Feb 24, 2018 3:41 am

Feature Request: Wildcard DNS on Address Lists

Fri Jun 01, 2018 7:25 pm

Since the introduction of domain names to address lists, performing filtering has been a lot easier. Recently a requirement came up and I needed to add several domain names manually to get what I was working on to work, but I still missed several more.

In 6.41, TLS host was introduced and allowed adding wildcard DNS.

Can we see wildcard DNS soon on address lists also? It would be a very nice feature to have. Other firewall vendors have that already, and given that it is available inside a different Mikrotik facility, it should be easy to have it on address lists as well?

Please, and thank you.
 
Sob
Forum Guru
Posts: 6517
Joined: Mon Apr 20, 2009 9:11 pm

Re: Feature Request: Wildcard DNS on Address Lists

Fri Jun 01, 2018 11:59 pm

It's something completely different.

With TLS host, there's a hostname in the packet (as part of SNI) belonging to the connection, so when it arrives, it's easy to match "something.example.net" against "*.example.net".

An address list resolves the given hostname to an IP address, which is then used by the firewall. It also watches the TTL and resolves the hostname again when it's about to expire. It's clearly impossible to make this approach work with wildcards; the system would have to try to resolve all names that "*" can stand for, so it would be combinations of "a-z", "0-9", "_", "-" for 1-63 characters. That's a lot of combinations.

Trying to synchronously get the hostname when the first packet for some address arrives is impossible too. Not only would it kill the router's performance, but there's no clear 1:1 mapping from IP address to hostname.

The only way I can imagine it could work would be if the DNS cache checked hostnames against the wildcard and updated the address list if it found some. But unlike TLS host, this would not be reliable, because there's no guarantee that the client used the router as resolver.
Excessive quoting is useless and annoying. If you use it, please consider if you could do without it.
 
itmethod
newbie
Posts: 29
Joined: Tue Feb 18, 2014 8:44 pm

Re: Feature Request: Wildcard DNS on Address Lists

Thu Mar 21, 2019 8:33 am

The only way I can imagine it could work would be if the DNS cache checked hostnames against the wildcard and updated the address list if it found some. But unlike TLS host, this would not be reliable, because there's no guarantee that the client used the router as resolver.

How would you accomplish this?

This rule will take care of forcing the client to use the router's DNS:

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=53 protocol=udp to-addresses=192.168.255.1 to-ports=53

Blocking sites by wildcard DNS works like this (the regexp anchors on the end of the name and escapes the dot, so "facebook.com" and any subdomain of it match):

/ip dns static
add address=127.0.0.1 regexp=".*facebook\\.com\$"

But I want to whitelist wildcard DNS, not block it.
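One way to turn the DNS-cache idea from the earlier reply into a whitelist, as an added RouterOS script example that is not from any poster in this thread: it walks the router's DNS cache, and every A record whose name matches a wildcard-style regexp is copied into a firewall address list with a timeout so stale addresses age out. It assumes RouterOS v6 property names for /ip dns cache (name, address), a constructed list name and pattern, and that clients are forced to the router's resolver with the dst-nat rule above; as the reply notes, clients resolving elsewhere are not covered.

```routeros
# Added example, not from any poster: sync DNS cache entries matching a
# wildcard pattern into a firewall address list (Sob's "DNS cache" idea).
# Assumes v6 property names; pattern and list name are constructed placeholders.
# "\$" is needed because "$" starts a variable inside a double-quoted string.
:local pattern "(^|\\.)netflix\\.com\$"
:local listName "dns-whitelist"

:foreach entry in=[/ip dns cache find where name~$pattern] do={
    :local host [/ip dns cache get $entry name]
    :local addr [/ip dns cache get $entry address]
    # Skip CNAME and other records whose data is not an IP address
    :if ([:typeof [:toip $addr]] = "ip") do={
        :local existing [/ip firewall address-list find where list=$listName and address=$addr]
        :if ([:len $existing] = 0) do={
            # Timeout keeps the list from accumulating addresses no longer in use
            /ip firewall address-list add list=$listName address=$addr comment=$host timeout=1d
        } else={
            # Refresh the timeout on an address that is still being resolved
            /ip firewall address-list set $existing timeout=1d
        }
    }
}
```

Run it from /system scheduler every few minutes, then reference the list in a filter rule with dst-address-list=dns-whitelist; because it only learns names that were actually looked up through the router, it suits whitelisting far better than blacklisting.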
 
Sob
Forum Guru
Posts: 6517
Joined: Mon Apr 20, 2009 9:11 pm

Re: Feature Request: Wildcard DNS on Address Lists

Thu Mar 21, 2019 1:36 pm

You can do that, but it's not what the request was about.
 
mencoder
just joined
Posts: 1
Joined: Wed Sep 18, 2019 10:42 pm

Re: Feature Request: Wildcard DNS on Address Lists

Wed Sep 18, 2019 10:49 pm

Oh c'mon... My 10-year-old Asus RT-N16 with Shibby's modified Tomato-based firmware can do this easily, but my new Mikrotik RB952Ui-5ac2nD CAN'T... This is sad :(
 
rushlife
Member Candidate
Posts: 150
Joined: Thu Nov 05, 2015 12:30 pm
Location: czech republic

Re: Feature Request: Wildcard DNS on Address Lists

Fri Sep 27, 2019 10:28 pm

+1, It would be great to have this...
 
djdrastic
Member
Posts: 321
Joined: Wed Aug 01, 2012 2:14 pm

Re: Feature Request: Wildcard DNS on Address Lists

Wed Aug 26, 2020 10:24 am

Crud, I just ran into this.

Any chance of seeing this in ROS 7? Would be mega helpful.
 
Sob
Forum Guru
Posts: 6517
Joined: Mon Apr 20, 2009 9:11 pm

Re: Feature Request: Wildcard DNS on Address Lists

Wed Aug 26, 2020 2:31 pm

You first need to come up with a way it could work, because it clearly can't work the same way as non-wildcard hostnames work in address lists now (see second post).
 
logankuo
just joined
Posts: 1
Joined: Thu Oct 08, 2020 5:47 pm

Re: Feature Request: Wildcard DNS on Address Lists

Thu Oct 08, 2020 6:23 pm

The only way I can imagine it could work would be if the DNS cache checked hostnames against the wildcard and updated the address list if it found some. But unlike TLS host, this would not be reliable, because there's no guarantee that the client used the router as resolver.
I think this is a nice idea, using the DNS cache. Maybe we can use the DNS cache to check, or catch DNS reply traffic into the address list?

I found the Check Point firewall has a function called "DNS Passive Learning" in the latest version R80.40; it also requires DNS traffic to pass through the firewall.
 
30th
just joined
Posts: 1
Joined: Tue Feb 23, 2021 6:20 am

Re: Feature Request: Wildcard DNS on Address Lists

Tue Feb 23, 2021 6:29 am

You first need to come up with a way it could work, because it clearly can't work the same way as non-wildcard hostnames work in address lists now (see second post).
If MikroTik resolves the DNS requests, it seems to be easy. One can restrict this feature to this use case. Another solution would be to intercept and deep-inspect DNS requests at the firewall level.

Both solutions are easy to hack around and therefore they won't work for blacklisting. But it would be perfectly enough for Netflix/Amazon whitelisting for an Airbnb apartment.
