How to allow all forward traffic to *.mydomain.com?
As far as I know, I can't
/ip firewall address-list
add address=*.mydomain.com list=allowed
Any other workaround?
Just remove the * and ".":
/ip firewall address-list
add address=mydomain.com list=allowed
You can screen the DNS cache by script for "*.mydomain.com" and add all corresponding IP addresses to an address list...
:do {
    :local LIST "Google-Play";
    :local DOMAIN1 "google.com";
    :local DOMAIN2 "gvt1.com";
    :local DOMAIN3 "googlevideo.com";
    # walk every dynamic A/CNAME record in the DNS cache whose name matches one of the domains
    :foreach Crec in=[/ip dns cache all find where (((type="A") || (type="CNAME")) && (static=no) && ((name~$DOMAIN1) || (name~$DOMAIN2) || (name~$DOMAIN3)))] do={
        :local Cname [/ip dns cache all get $Crec name];
        :local Cdata "";
        :delay 1000ms;
        # a CNAME record holds another name, not an address, so resolve it to get the IP
        :if ([/ip dns cache all get $Crec type]="CNAME") do={
            :set Cdata [:resolve $Cname];
        } else={
            :set Cdata [/ip dns cache all get $Crec address];
        }
        # adding an address that is already in the list fails, so catch the error and log it
        :do {
            /ip firewall address-list add list=$LIST address=$Cdata comment=$Cname timeout=1d disabled=no
        } on-error={
            :log warning message="address entry exist: List=$LIST , Host=$Cname , Address=$Cdata";
        }
    }
} on-error={:log error message="script failed..."}
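The same idea as the script above, written as an added Python example (not RouterOS code and not from this thread) over a constructed cache snapshot: it chases CNAMEs, adds each address once, and shows why an unanchored regex match such as "name~$DOMAIN" also picks up lookalike names, whereas a suffix match keeps only the apex and its true subdomains.

```python
import re

# Constructed DNS cache snapshot as (name, type, data); not from a real router.
CACHE = [
    ("www.mydomain.com", "A", "203.0.113.10"),
    ("cdn.mydomain.com", "CNAME", "edge.mydomain.com"),  # CNAME must be chased
    ("edge.mydomain.com", "A", "203.0.113.20"),
    ("mydomain.com", "A", "203.0.113.10"),               # same IP as www: add once
    ("mydomain.com.evil.example", "A", "198.51.100.5"),  # lookalike name
    ("notmydomain.com", "A", "198.51.100.6"),            # substring match only
]

def loose_match(name, domain):
    # What an unanchored regex like RouterOS "name~$DOMAIN" does: the domain may
    # appear anywhere in the name, and "." matches any character.
    return re.search(domain, name) is not None

def strict_match(name, domain):
    # Only the apex and true subdomains, i.e. what "*.mydomain.com" means.
    return name == domain or name.endswith("." + domain)

def resolve(name, cache, depth=8):
    """Return the set of A addresses for name, following CNAME chains in the cache."""
    ips = set()
    for rname, rtype, rdata in cache:
        if rname != name:
            continue
        if rtype == "A":
            ips.add(rdata)
        elif rtype == "CNAME" and depth > 0:  # depth bound guards against CNAME loops
            ips |= resolve(rdata, cache, depth - 1)
    return ips

def build_address_list(cache, domain, match=strict_match):
    """Map each address to the first matching hostname that resolved to it."""
    entries = {}
    for rname, _, _ in cache:
        if match(rname, domain):
            for ip in resolve(rname, cache):
                entries.setdefault(ip, rname)
    return entries

def to_routeros(entries, list_name, timeout="1d"):
    """Render the entries as RouterOS address-list add commands."""
    return [f'/ip firewall address-list add list={list_name} address={ip} '
            f'comment="{name}" timeout={timeout}' for ip, name in sorted(entries.items())]

if __name__ == "__main__":
    for line in to_routeros(build_address_list(CACHE, "mydomain.com"), "allowed"):
        print(line)
```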
Is it possible that such different web services use the same IP address servers?
Yes. Large companies like Google or Facebook (sorry if I haven't mentioned your favourite one) use the same IP addresses for all of their services, so trying to selectively ban YouTube but allow Google search by blacklisting IP addresses is really a lost battle.
In this case it is a lost war from the beginning...