Since the introductions of domain names to address lists, performing filtering have been a lot easier. Recently a requirement came up and I needed to add several domain names manually to get what I was working on work but I still missed several more

On 6.41 - TLS host was introduced and allowed to add wildcard DNS

Can we see wildcard DNS soon on address lists also? It will be a very nice feature to have. Other firewall vendors have that already, and given that it is available inside a different Mikrotik facility, should be easy to have it on address list as well?

Please, and thank you.

It's something completely different.

With TLS host, there's hostname in packet (as part of SNI) belonging to connection, so when it arrives, it's easy to match "something.example.net" against "*.example.net".

Address list resolves given hostname to IP address, which is then used by firewall. It also watches TTL and resolves the hostname again, when it's about to expire. It's clearly impossible to make this approach work with wildcards, system would have to try to resolve all names that "*" can stand for, so it would be combinations of "a-z", "0-9", "_", "-" for 1-63 characters. That's a lot of combinations.

Trying to synchronously get hostname when when first packet for some address arrives is impossible too. Not only it would kill router's performance, but there's no clear 1:1 mapping from IP address to hostname.

Only way I can imagine it could work would be if DNS cache would check hostnames against the wildcard and would update address list, if it found some. But unlike TLS host, this would not be reliable, because there's no guarantee that client used router as resolver.

Only way I can imagine it could work would be if DNS cache would check hostnames against the wildcard and would update address list, if it found some. But unlike TLS host, this would not be reliable, because there's no guarantee that client used router as resolver.

how would you accomplish this,

This rule will take care of the issue of forcing the client to use routers DNS.
Now blocking sites by wildcard dns. works like this
but I Want to white-list wildcard DNS. not block it.

You can do that, but it's not what the request was about.

Oh cmon... My 10 years old Asus RT-N16 with Shibby's modified Tomato-based fimware can do this easily, but my new Mikrotik RB952Ui-5ac2nD CAN'T... This is sad

+1, It would be great to have this...

Crud I just ran into this.

Any chance of seeing this in ROS 7 ? Would be mega helpful.

You first need to come up with a way how it could work, because it clearly can't work the same way as non-wildcard hostnames work in address list now (see second post).

Only way I can imagine it could work would be if DNS cache would check hostnames against the wildcard and would update address list, if it found some. But unlike TLS host, this would not be reliable, because there's no guarantee that client used router as resolver.

I think this is a nice idea by using DNS cache. maybe we can use dns cache to check, or catch dns reply traffic to address-list ?

I found the checkpoint firewall have a function call "DNS Passive Learning" at latest version R80.40
, it also request dns traffic pass through the firewall.

You first need to come up with a way how it could work, because it clearly can't work the same way as non-wildcard hostnames work in address list now (see second post).

If Mikrotik resolves DNS requests it seems to be easy. One can restrict this feature to this usecase. Another solution would be intercept and deep inspect DNS requests on a Firewall level.

Both solutions are easy to hack around and therefore it won't work for blacklisting. But it would be perfectly enough for Netflix/Amazon whitelisting for an Airbnb apartment.