lff0305
just joined
Topic Author
Posts: 3
Joined: Tue Aug 06, 2019 5:49 am

[ROS/Firewall] How to MANGLE by raw HEX bytes ? [SOLVED]

Tue Aug 06, 2019 5:57 am

The need is to block some DNS requests. For example, block all DNS requests to
aaa.com
This can be done with MANGLE: mark the packet as (udp, port 53, content=aaa), then block all the packets with this mark.
However, this will block aaabbb.com also.

I tried setting content=aaa.com and it does not work.

So I ran Wireshark and figured out that the DNS packet was in fact
03 61 62 63 03 63 6f 6d
meaning
(len of abc) (hex for abc) (len of com) (hex for com)

So, if I want to block abc.com exactly, I need to find some way to set Content=HEX RAW BYTES

I have tried Content=\03 \61 ..... \6d
or Content=\\03 \\61 ..... \\6d
or Content=0x03 0x61 ..... 0x6d

but none of them work.

Any idea for this?

Thanks.

SOLVED: Thanks to everyone who posted a reply here. I finally made it work.

The KEY TRICK to this issue is: DO NOT enter content="\03abc\03com" in the WINBOX dialogs.

Instead, open a TERMINAL and run the command:
/ip firewall mangle
add action=passthrough chain=prerouting content="cnn\03com" dst-port=53 in-interface=e1_int log=yes log-prefix="DNS catch: " \
    protocol=udp
Thanks to sebastia for pointing this out (from Terminal).
Last edited by lff0305 on Thu Aug 08, 2019 5:03 am, edited 2 times in total.
 
skylark
MikroTik Support
Posts: 106
Joined: Wed Feb 10, 2016 3:55 pm

Re: [ROS/Firewall] How to MANGLE by raw HEX bytes ?

Tue Aug 06, 2019 12:31 pm

Maybe you can simply use address-list?
/ip firewall address-list
add address=www.aaabbb.com list=blocked
add address=www.aaa.com list=blocked
/ip firewall filter
add action=reject chain=forward dst-address-list=blocked reject-with=icmp-network-unreachable
 
sebastia
Forum Guru
Posts: 1790
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: [ROS/Firewall] How to MANGLE by raw HEX bytes ?

Tue Aug 06, 2019 1:38 pm

Try this:
content="\03abc\03com"
 
lff0305
just joined
Topic Author
Posts: 3
Joined: Tue Aug 06, 2019 5:49 am

Re: [ROS/Firewall] How to MANGLE by raw HEX bytes ?

Tue Aug 06, 2019 2:35 pm

Maybe you can simply use address-list?
/ip firewall address-list
add address=www.aaabbb.com list=blocked
add address=www.aaa.com list=blocked
/ip firewall filter
add action=reject chain=forward dst-address-list=blocked reject-with=icmp-network-unreachable
Thanks, but this will not work. www.abc.com can be hundreds of IPs. Putting www.abc.com in an address list only works with one particular IP.
 
lff0305
just joined
Topic Author
Posts: 3
Joined: Tue Aug 06, 2019 5:49 am

Re: [ROS/Firewall] How to MANGLE by raw HEX bytes ?

Tue Aug 06, 2019 2:39 pm

Try this:
content="\03abc\03com"
Just tried, not working.

Steps:

set content=abc, then run "nslookup abc.com": I can see the packets logged (I enabled the log)
set content="\03abc\03com" and run "nslookup abc.com" again: no logs appear.

So far I guess that ROS does not support HEX RAW bytes in content. But there are no documents to prove that so far.
 
nescafe2002
Long time Member
Posts: 624
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: [ROS/Firewall] How to MANGLE by raw HEX bytes ?

Tue Aug 06, 2019 2:47 pm

For external DNS server:

/ip firewall layer7-protocol
add name=aaa.com regexp="\\x03aaa\\x03com"
/ip firewall filter
add place-before=0 action=reject chain=forward dst-port=53 layer7-protocol=aaa.com protocol=udp reject-with=icmp-network-unreachable

Will block aaa.com, www.aaa.com, subdomain.aaa.com, www.subdomain.aaa.com, but not aaaa.com.

If MT is DNS server (allow remote requests):

/ip dns static
# To block *.aaa.com
add address=127.0.0.1 regexp="\\.aaa\\.com\$"
# To block aaa.com
add address=127.0.0.1 name=aaa.com

Unfortunately MT cannot accept 0.0.0.0 (NXDOMAIN/null) as a static entry address.
 
sebastia
Forum Guru
Posts: 1790
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: [ROS/Firewall] How to MANGLE by raw HEX bytes ?

Tue Aug 06, 2019 7:46 pm

Try this:
content="\03abc\03com"
Just tried, not working.
Working fine here (from terminal):
/ip firewall mangle
add action=passthrough chain=prerouting content="cnn\03com" dst-port=53 in-interface=e1_int log=yes log-prefix="DNS catch: " \
    protocol=udp

"ping cnn.com" generates:
18:42:31 firewall,info DNS catch: prerouting: in:e1_int out:(unknown 0), src-mac 44:8a:5b:88:87:e2, proto UDP, 192.168.1.12:58429->192.168.1.1:53, len 53
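As an added illustration (not code from this thread, from MikroTik or from RouterOS), the Python below encodes a name in the length-prefixed label format lff0305 saw in Wireshark, then contrasts a plain substring match (what content= does, which is why content=aaa also hits aaabbb.com) with a label-boundary match (what nescafe2002's layer7 regexp achieves: aaa.com and www.aaa.com match, aaaa.com does not). The DNS queries it checks are constructed in the code, not captured packets.

```python
import struct


def dns_labels(name: str) -> list:
    """Split 'abc.com' into its lowercased wire-format labels [b'abc', b'com']."""
    return [label.lower().encode("ascii") for label in name.rstrip(".").split(".")]


def wire_name(name: str) -> bytes:
    """Length-prefixed label sequence, e.g. b'\\x03abc\\x03com' (terminating 0 omitted)."""
    return b"".join(bytes([len(label)]) + label for label in dns_labels(name))


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed standard A query: 12-byte header plus one question (QTYPE A, QCLASS IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + wire_name(name) + b"\x00" + struct.pack("!HH", 1, 1)


def qname_labels(packet: bytes) -> list:
    """Walk the first question's QNAME (offset 12) and return its labels, lowercased."""
    if struct.unpack("!H", packet[4:6])[0] < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        length = packet[pos]
        if length == 0:  # root label terminates the name
            return labels
        if length >= 0xC0:  # queries carry no compression pointers in QNAME
            raise ValueError("compression pointer in QNAME")
        labels.append(packet[pos + 1:pos + 1 + length].lower())
        pos += 1 + length


def raw_content_match(packet: bytes, needle: bytes) -> bool:
    """Plain substring search over the datagram, like the firewall content= option."""
    return needle in packet


def blocks_domain(packet: bytes, blocked: str) -> bool:
    """Exact or subdomain match on label boundaries, so 'aaaa.com' never matches 'aaa.com'."""
    query, target = qname_labels(packet), dns_labels(blocked)
    return len(query) >= len(target) and query[-len(target):] == target
```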
