ik3umt
Member Candidate
Topic Author
Posts: 295
Joined: Tue Jul 08, 2014 3:58 pm

Whitelisting whole domain

Mon Mar 23, 2020 1:23 pm

How do I allow all forward traffic to *.mydomain.com?

As far as I know, I can't do

/ip firewall address-list
add address=*.mydomain.com list=allowed

Any other workaround?
 
WeWiNet
Long time Member
Posts: 597
Joined: Thu Sep 27, 2018 4:11 pm

Re: Whitelisting whole domain

Mon Mar 23, 2020 4:36 pm

/ip firewall address-list
add address=mydomain.com list=allowed

Just remove the "*" and the ".".
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Whitelisting whole domain

Tue Mar 24, 2020 3:35 am

... and you'll get the address(es) of "mydomain.com" without subdomains.

Unfortunately for the OP, this is not possible. The address list resolves hostnames. There's no way it could resolve all the combinations covered by *.
 
WeWiNet
Long time Member
Posts: 597
Joined: Thu Sep 27, 2018 4:11 pm

Re: Whitelisting whole domain

Tue Mar 24, 2020 9:14 am

You can screen the DNS cache by script for "*.mydomain.com" and add all corresponding IP addresses to an address list...
 
ik3umt
Member Candidate
Topic Author
Posts: 295
Joined: Tue Jul 08, 2014 3:58 pm

Re: Whitelisting whole domain

Tue Mar 24, 2020 9:58 am

Yes, unfortunately when you try to use a website or a service inside a website, you are redirected behind the scenes to a lot of subdomains and different IP addresses.
Address lists dynamically resolve just a few entries related to that subdomain....
Looking at the DNS cache then, many entries are associated with CNAMEs, and thus with further IP addresses.

For example, when trying to whitelist Gmail, whitelisting google.com, mail.google.com and accounting.google.com is not yet enough.

It is a far more complicated issue.

The goal is to prevent kids from surfing everywhere on the web when they should be using just school-related websites.
Fake DNS entries on the PC are a lost war, as there are thousands of websites you would have to ban; it would be a lot simpler to allow just some...

I was thinking of a transparent proxy, but it works only with HTTP, whereas HTTPS is mostly used instead...

Any other known method, please?
 
ik3umt
Member Candidate
Topic Author
Posts: 295
Joined: Tue Jul 08, 2014 3:58 pm

Re: Whitelisting whole domain

Tue Mar 24, 2020 10:19 am

You can screen the DNS cache by script for "*.mydomain.com" and add all corresponding IP addresses to an address list...

Do you mean that, despite all the hidden redirections, all the "anysubdomain.domain.com" entries (or CNAME entry resolutions) are enough for the website's services to be allowed once they are added to the allowed address list?

And, for sure, I would need a suggestion about how to build that script..... :?
 
WeWiNet
Long time Member
Posts: 597
Joined: Thu Sep 27, 2018 4:11 pm

Re: Whitelisting whole domain

Tue Mar 24, 2020 11:55 am

I do exactly the same as what you want to do. It's not always working, but you can make it work with some effort
and good will from your kids... ;-)

1.) Most school tools and web pages don't have that many domains and IP addresses.
An example is khanacademy.org.
On their web page you can find the domain names to allow traffic for:
/ip firewall address-list
add address=kastatic.org comment="Khan Academy" list=khanacademy
add address=kasandbox.org comment="Khan Academy" list=khanacademy
add address=youtube-nocookie.com comment="Khan Academy" list=khanacademy
add address=fr.khanacademy.org comment="Khan Academy" list=khanacademy
add address=khanacademy.org comment="Khan Academy" list=khanacademy

2.) Your local school will have one domain and probably 2-3 subdomains in use.
Add them to your address list.
Then also check the DNS cache for what other domains and extensions they might use.
(Flush the cache, and have your kids connect to the school system to see what is coming in.)

3.) If something is not working, have your kids connect to the school system while you log the drop rule.
From there you see which IP address is creating the issue. In some cases you can reverse look it up,
again in the DNS cache.

A script that screens the DNS cache and adds the addresses to a list (it comes from someone else on the wiki):
[DOMAIN1-3 are the domain names you want to search for]
:do {
 # Address list to fill and the domains to look for.
 # Note: "~" is an unanchored regex match and "." matches any character,
 # so "google.com" also matches names like "notgoogle.com" or "google.com.example".
 :local LIST "Google-Play";
 :local DOMAIN1 "google.com";
 :local DOMAIN2 "gvt1.com";
 :local DOMAIN3 "googlevideo.com";
 # Walk the dynamic A and CNAME entries of the DNS cache whose name matches one of the domains
 # (the original had "$DOMAIN" here, an undefined variable; it must be $DOMAIN1).
 :foreach Crec in=[/ip dns cache all find where ( ( (type="A") || (type="CNAME") ) && (static=no) && ((name~$DOMAIN1) || (name~$DOMAIN2) || (name~$DOMAIN3)))] do={
  :local Cname [/ip dns cache get number=$Crec name];
  :local Cdata "";
  # One second per entry: with a few hundred cache entries a run takes minutes.
  :delay 1000ms;
  # A CNAME entry carries another name, not an address, so resolve it to get the A record;
  # a failing :resolve aborts the whole run into the outer on-error.
  :if ([/ip dns cache all get $Crec type]="CNAME") do={
   :set $Cdata [:resolve $Cname]; } else={
   :set $Cdata [/ip dns cache get number=$Crec address]; }
  # Add the address with a 1-day timeout; an existing entry just logs a warning.
  :do {/ip firewall address-list
   :do {add list=$LIST address=$Cdata comment=$Cname timeout=1d disabled=no} on-error={:log warning message="address entry exists: List=$LIST , Host=$Cname , Address=$Cdata";}
  }
 }
} on-error={:log error message="script failed..."}
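The same DNS-cache screening done offline, as an added example that is not the forum's script or MikroTik code: it reproduces the posted script's logic in Python so the name matching and CNAME handling can be checked before it runs on a router. Input is text in the layout of `/ip dns cache all print` (RouterOS 6); the cache lines, the "S" flag column for static entries and the addresses are all constructed. Dynamic A and CNAME records whose name is a wanted domain or a subdomain of it are kept, CNAME chains are followed inside the cache, and `/ip firewall address-list add` lines are produced. Unlike the script's unanchored `name~$DOMAIN1` regex, the match is made at a label boundary, so `google.com` matches neither `notgoogle.com` nor `google.com.evil.example`.

```python
"""Build a RouterOS address-list from a DNS cache dump, matched by domain suffix.

Added example, not the forum's script. Sample data is constructed.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample in the column layout of `/ip dns cache all print`.
# An "S" flag after the index marks a static entry (assumed layout), which
# the router script also skips via `static=no`.
SAMPLE_CACHE = """\
 #   NAME                         TYPE   DATA                      TTL
 0   mail.google.com              CNAME  googlemail.l.google.com   5m
 1   googlemail.l.google.com      A      142.250.74.69             4m59s
 2   www.google.com               A      142.250.74.68             3m
 3   notgoogle.com                A      203.0.113.9               1h
 4   google.com.evil.example      A      203.0.113.10              1h
 5   r3---sn-abc.googlevideo.com  A      173.194.1.5               2m
 6   www.khanacademy.org          CNAME  khanacademy.org           10m
 7   khanacademy.org              A      198.51.100.7              10m
 8   dangling.gvt1.com            CNAME  nowhere.gvt1.com          1m
 9 S pinned.google.com            A      192.168.88.5              0s
"""


def parse_cache(text: str) -> List[Tuple[str, str, str]]:
    """Return (name, type, data) for each dynamic record; skip header and static rows."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].isdigit():
            continue                      # header or blank line
        if parts[1] == "S":
            continue                      # static entry, as static=no in the script
        name, rtype, data = parts[1], parts[2], parts[3]
        records.append((name.lower().rstrip("."), rtype, data.lower().rstrip(".")))
    return records


def in_domain(name: str, domain: str) -> bool:
    """True for the domain itself and any subdomain; false for look-alike names."""
    return name == domain or name.endswith("." + domain)


def resolve_in_cache(name: str, cname_map: Dict[str, str],
                     a_map: Dict[str, List[str]], max_hops: int = 8) -> Set[str]:
    """Follow CNAME hops within the cache; return the A addresses (empty if dangling)."""
    seen: Set[str] = set()
    while name in cname_map and name not in seen and max_hops > 0:
        seen.add(name)
        name = cname_map[name]
        max_hops -= 1
    return set(a_map.get(name, []))


def build_address_list(cache_text: str, domains: List[str], list_name: str):
    """Return (address-list commands, names the cache alone could not resolve)."""
    records = parse_cache(cache_text)
    cname_map = {n: d for n, t, d in records if t == "CNAME"}
    a_map: Dict[str, List[str]] = {}
    for n, t, d in records:
        if t == "A":
            a_map.setdefault(n, []).append(d)

    entries: Dict[str, str] = {}       # address -> first matching name, used as comment
    unresolved: List[str] = []         # the router script would call :resolve for these
    for n, t, _ in records:
        if t not in ("A", "CNAME") or not any(in_domain(n, dom) for dom in domains):
            continue
        addrs = resolve_in_cache(n, cname_map, a_map)
        if not addrs:
            unresolved.append(n)
        for addr in sorted(addrs):
            entries.setdefault(addr, n)

    commands = [f"/ip firewall address-list add list={list_name} address={addr} "
                f"comment={name} timeout=1d"
                for addr, name in sorted(entries.items())]
    return commands, unresolved


if __name__ == "__main__":
    cmds, missing = build_address_list(
        SAMPLE_CACHE, ["google.com", "gvt1.com", "googlevideo.com"], "Google-Play")
    print("\n".join(cmds))
    print("unresolved:", missing)
```

Run it against a pasted `/ip dns cache all print` and compare the emitted lines with what the router script adds; any name in the unresolved list is a CNAME whose target has already expired from the cache, which is exactly where the script falls back to `:resolve`.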
 
ik3umt
Member Candidate
Topic Author
Posts: 295
Joined: Tue Jul 08, 2014 3:58 pm

Re: Whitelisting whole domain

Tue Mar 24, 2020 1:38 pm

Thank you for the script!

Yes, usually little local sites/services have one or very few subdomains, but there is the need to use Gmail as well as Google Meet or other worldwide services. I'll try the script as soon as possible.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Whitelisting whole domain

Tue Mar 24, 2020 5:51 pm

I don't have any ready-to-use solution, but a proxy is actually a very good idea for things like this. It can't be a transparent proxy, but the kind you configure on the client device. If you force the device not to handle DNS itself, but to send all hostnames to the proxy, it's technically very easy to allow just the ones you need (including subdomains) and block everything else. I didn't test it much yet, but the new version of the SOCKS proxy (currently in the 6.47 beta) will hopefully be able to do this.

Of course you will still have a problem with dependencies, because today too many websites download tons of JavaScript from elsewhere. But if you're lucky, the ones you need won't have too much of it.
 
ik3umt
Member Candidate
Topic Author
Posts: 295
Joined: Tue Jul 08, 2014 3:58 pm

Re: Whitelisting whole domain

Tue Mar 24, 2020 7:51 pm

Sob, do you mean that the current SOCKS isn't capable of this?

Meanwhile, it's interesting to see how, with just three domains, the firewall list becomes populated with 180 items, mostly Google....

Of course I need to run the script frequently to catch new DNS cache entries.

It's not perfect but not too bad.... There are still some services that require further updates, or services/websites that take even tens of seconds to open.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Whitelisting whole domain

Tue Mar 24, 2020 8:08 pm

The current SOCKS in non-beta RouterOS supports only the ancient SOCKS4, which works with IP addresses and not hostnames, so it wouldn't be useful for this.
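The hostname check Sob describes in the two posts above, written out as an added example; it is neither RouterOS code nor the 6.47 beta SOCKS implementation. A proxy can allow `*.khanacademy.org` exactly because the client hands it the hostname, but that only holds for SOCKS5 requests (RFC 1928) whose address type is 0x03, a domain name. If the client resolves the name itself and sends an IP literal (address type 0x01/0x04, which is all SOCKS4 can carry), the proxy cannot see which site is meant, so those requests are refused with "connection not allowed by ruleset" and the client is forced to leave DNS to the proxy. The allowed domains, ports and test hostnames are constructed.

```python
"""Allow-listing by hostname at a SOCKS5 proxy (RFC 1928), as an added example.

Not RouterOS code; ALLOWED_DOMAINS, ALLOWED_PORTS and the targets are constructed.
"""
import ipaddress
import struct
from typing import Tuple

ALLOWED_DOMAINS = ("khanacademy.org", "kastatic.org", "kasandbox.org")  # constructed
ALLOWED_PORTS = (80, 443)                                                # constructed

# SOCKS5 reply codes (RFC 1928, section 6)
REP_SUCCEEDED = 0x00
REP_GENERAL_FAILURE = 0x01
REP_NOT_ALLOWED_BY_RULESET = 0x02
REP_COMMAND_NOT_SUPPORTED = 0x07

CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def in_domain(name: str, domain: str) -> bool:
    """True for the domain itself and any subdomain; false for look-alike names."""
    return name == domain or name.endswith("." + domain)


def parse_socks5_request(req: bytes) -> Tuple[int, int, str, int]:
    """Parse VER CMD RSV ATYP DST.ADDR DST.PORT; raise ValueError if malformed."""
    if len(req) < 4 or req[0] != 0x05 or req[2] != 0x00:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = req[1], req[3]
    if atyp == ATYP_IPV4:
        host, end = str(ipaddress.IPv4Address(req[4:8])), 8
    elif atyp == ATYP_DOMAIN:
        n = req[4]                                   # length-prefixed name
        host, end = req[5:5 + n].decode("ascii").lower().rstrip("."), 5 + n
    elif atyp == ATYP_IPV6:
        host, end = str(ipaddress.IPv6Address(req[4:20])), 20
    else:
        raise ValueError("unknown address type")
    if len(req) < end + 2:
        raise ValueError("truncated request")
    port = struct.unpack("!H", req[end:end + 2])[0]
    return cmd, atyp, host, port


def decide(req: bytes) -> int:
    """Return the SOCKS5 reply code the proxy should send for this request."""
    try:
        cmd, atyp, host, port = parse_socks5_request(req)
    except ValueError:
        return REP_GENERAL_FAILURE
    if cmd != CMD_CONNECT:
        return REP_COMMAND_NOT_SUPPORTED
    if atyp != ATYP_DOMAIN:
        # An IP literal carries no hostname, so the ruleset cannot evaluate it:
        # refuse, which forces the client to send names (remote DNS).
        return REP_NOT_ALLOWED_BY_RULESET
    if port not in ALLOWED_PORTS:
        return REP_NOT_ALLOWED_BY_RULESET
    if not any(in_domain(host, d) for d in ALLOWED_DOMAINS):
        return REP_NOT_ALLOWED_BY_RULESET
    return REP_SUCCEEDED


def build_request(target: str, port: int, cmd: int = CMD_CONNECT) -> bytes:
    """Encode a client request; IP literals get ATYP 0x01/0x04, names ATYP 0x03."""
    try:
        ip = ipaddress.ip_address(target)
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = ip.packed
    except ValueError:
        raw = target.encode("ascii")
        if len(raw) > 255:
            raise ValueError("hostname too long for SOCKS5")
        atyp, addr = ATYP_DOMAIN, bytes([len(raw)]) + raw
    return bytes([0x05, cmd, 0x00, atyp]) + addr + struct.pack("!H", port)


if __name__ == "__main__":
    for target in ("www.khanacademy.org", "khanacademy.org.evil.example", "142.250.74.68"):
        print(target, hex(decide(build_request(target, 443))))
```

The browser-side counterpart is the "proxy DNS" or "remote DNS" setting (SOCKS5 with hostnames); without it the client resolves locally and every request arrives as an IP literal, which this ruleset refuses on purpose.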
 
ik3umt
Member Candidate
Topic Author
Posts: 295
Joined: Tue Jul 08, 2014 3:58 pm

Re: Whitelisting whole domain

Mon May 25, 2020 11:26 am

Although the script suggested by WeWiNet works well enough, I found however that some entries like youtube.com resolve to DNS entries that, once entered as blacklisted IPs, negatively affect other services like Google Classroom, Google Meet etc.

Is it possible that such different web services use the same IP address servers?
In that case it is a lost war from the beginning.....
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Whitelisting whole domain

Mon May 25, 2020 12:39 pm

Is it possible that so different web services go to use same ip address servers ?
In this case is a lost war from the beginning.....
Yes. Large companies like Google or Facebook (sorry if I haven't mentioned your favourite one) use the same IP addresses for all of their services, so trying to selectively ban YouTube but allow Google Search by blacklisting IP addresses is really a lost battle.
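The check that follows from the last two posts, as an added example that is not part of the thread: before an address harvested from youtube.com lookups goes into a block list, see whether the same address also serves a name you have allowed. The hostname-to-address pairs below are constructed (documentation addresses, not real Google ones); the overlap between them is the point.

```python
"""Shared-address conflict check before blacklisting, as an added example.

Not from the thread. Given hostname -> addresses pairs (constructed), the
allowed domains and the domains to block, report which candidate addresses
would also break an allowed service and which are safe to put in a block list.
"""
from typing import Dict, List, Set, Tuple

# Constructed resolution results: 203.0.113.2 is shared by an allowed and a blocked name.
RESOLVED: Dict[str, Set[str]] = {
    "classroom.google.com": {"203.0.113.1", "203.0.113.2"},
    "meet.google.com":      {"203.0.113.2"},
    "www.youtube.com":      {"203.0.113.2", "203.0.113.3"},
    "i.ytimg.com":          {"203.0.113.4"},
}


def in_domain(name: str, domain: str) -> bool:
    """True for the domain itself and any subdomain; false for look-alike names."""
    return name == domain or name.endswith("." + domain)


def partition_block_addresses(resolved: Dict[str, Set[str]], allow_domains: List[str],
                              block_domains: List[str]) -> Tuple[Set[str], Dict[str, List[str]]]:
    """Return (safe-to-block addresses, {conflicting address: allowed names it also serves})."""
    serves: Dict[str, Set[str]] = {}            # address -> every name resolving to it
    for name, addrs in resolved.items():
        for addr in addrs:
            serves.setdefault(addr, set()).add(name)

    # Every address that a to-be-blocked name resolves to is a candidate.
    candidates = {addr for name, addrs in resolved.items()
                  if any(in_domain(name, d) for d in block_domains) for addr in addrs}

    safe: Set[str] = set()
    conflicts: Dict[str, List[str]] = {}
    for addr in sorted(candidates):
        allowed_here = sorted(n for n in serves[addr]
                              if any(in_domain(n, d) for d in allow_domains))
        if allowed_here:
            conflicts[addr] = allowed_here      # blocking this address breaks these names
        else:
            safe.add(addr)
    return safe, conflicts


if __name__ == "__main__":
    safe, conflicts = partition_block_addresses(
        RESOLVED, ["classroom.google.com", "meet.google.com"], ["youtube.com", "ytimg.com"])
    print("safe to block:", sorted(safe))
    for addr, names in conflicts.items():
        print(f"{addr} also serves {', '.join(names)}; do not block")
```

With real lookups the conflict set for a large provider is usually most of the candidates, which is sindy's point in practice: the block list shrinks to almost nothing, and an allow-only design (or a hostname-aware proxy) is the only approach that holds.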
