Cablenut9
Long time Member
Topic Author
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

"TLS Host" option doesn't work

Tue Jul 06, 2021 3:10 pm

I tried setting the TLS Host in a firewall rule to drop packets to download.windowsupdate.com and then in my computer I did this: curl https://download.windowsupdate.com and it worked. In other words, the TLS Host setting didn't work. What's the fix?
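Before looking at the alternatives discussed below, it helps to see what a tls-host style matcher actually has to work with. The following is an added example and not code from the thread or from MikroTik: it builds a minimal TLS ClientHello from constructed bytes (no real capture) and extracts the server_name extension from it. The ClientHello, including the server_name extension, is sent in the clear in both TLS 1.2 and TLS 1.3 (RFC 8446); only Encrypted Client Hello would hide the name, and that is not modelled here. The parser returns None in the two cases where a matcher that inspects single packets has nothing to match on: the extension is absent, or the handshake record is split across TCP segments so the inspected bytes are incomplete. The glob handling in tls_host_matches is an approximation of wildcard matching, not RouterOS's implementation.

```python
"""Added example (not code from the thread or from MikroTik): what a tls-host
style matcher has to find. Builds a minimal TLS ClientHello from constructed
bytes and extracts the server_name (SNI) extension; returns None when the
extension is absent or the record is not complete in the inspected bytes.
Layout per RFC 5246 / RFC 8446; Encrypted Client Hello is not modelled.
"""
import fnmatch
import os
import struct
from typing import Optional


def build_client_hello(server_name: Optional[str], tls13: bool = True) -> bytes:
    """One TLS record carrying a ClientHello handshake message."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host        # name_type host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    if tls13:
        versions = b"\x02\x03\x04"                                    # supported_versions: 1.3
        extensions += struct.pack("!HH", 0x002b, len(versions)) + versions
    body = (
        b"\x03\x03"                           # legacy_version (TLS 1.2)
        + os.urandom(32)                      # random
        + b"\x00"                             # legacy_session_id: empty
        + struct.pack("!H", 2) + b"\x13\x01"  # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                         # compression_methods: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(segment: bytes) -> Optional[str]:
    """SNI host name from a complete ClientHello record, else None."""
    if len(segment) < 5 or segment[0] != 0x16:
        return None                                       # not a handshake record
    rec_len = struct.unpack("!H", segment[3:5])[0]
    if len(segment) < 5 + rec_len:
        return None                                       # record continues in a later segment
    hs = segment[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                                       # not a ClientHello
    p = 4 + 2 + 32                                        # skip header, version, random
    if p >= len(hs):
        return None
    p += 1 + hs[p]                                        # session id
    if p + 2 > len(hs):
        return None
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]          # cipher suites
    if p >= len(hs):
        return None
    p += 1 + hs[p]                                        # compression methods
    if p + 2 > len(hs):
        return None
    end = min(p + 2 + struct.unpack("!H", hs[p:p + 2])[0], len(hs))
    p += 2
    while p + 4 <= end:                                   # walk the extensions
        ext_type, length = struct.unpack("!HH", hs[p:p + 4])
        data = hs[p + 4:p + 4 + length]
        p += 4 + length
        if ext_type == 0x0000 and len(data) >= 5 and data[2] == 0:
            name_len = struct.unpack("!H", data[3:5])[0]
            return data[5:5 + name_len].decode("ascii", "replace")
    return None


def tls_host_matches(segment: bytes, pattern: str) -> bool:
    """Approximate a glob-style tls-host rule (e.g. '*.windowsupdate.com');
    a segment without a readable SNI never matches, whatever the rule says."""
    name = extract_sni(segment)
    return name is not None and fnmatch.fnmatchcase(name.lower(), pattern.lower())


if __name__ == "__main__":
    hello = build_client_hello("download.windowsupdate.com")
    print(extract_sni(hello))                             # download.windowsupdate.com
    print(extract_sni(hello[:40]))                        # None: fragmented
    print(extract_sni(build_client_hello(None)))          # None: no SNI
```

The point of the two None cases is practical: a rule that keys on the host name silently becomes a no-op for any connection where the name is not readable in the packet the rule inspects, and the traffic falls through to whatever rule comes next.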
 
Cablenut9
Long time Member
Topic Author
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: "TLS Host" option doesn't work

Tue Jul 06, 2021 8:16 pm

Any help?
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: "TLS Host" option doesn't work

Tue Jul 06, 2021 8:35 pm

TLS 1.3 encrypts that field too...
 
osc86
Member Candidate
Posts: 197
Joined: Wed Aug 09, 2017 1:15 pm

Re: "TLS Host" option doesn't work

Tue Jul 06, 2021 9:02 pm

TLS Host matcher doesn't work with TLS1.3+.
One of the best solutions so far is to force everyone on the network to use a DNS resolver you control and block the DNS request for this domain.
/ip firewall nat
# Redirect every plain-DNS query (UDP and TCP port 53) that is not already going
# to <dns-server> to that resolver. In practice add in-interface-list=LAN (or a
# src-address) so queries arriving on the WAN side are not redirected as well.
add action=dst-nat chain=dstnat dst-address=!<dns-server> dst-port=53 \
    protocol=udp to-addresses=<dns-server> to-ports=53
add action=dst-nat chain=dstnat dst-address=!<dns-server> dst-port=53 \
    protocol=tcp to-addresses=<dns-server> to-ports=53
Then either create a static DNS entry for download.windowsupdate.com pointing to 127.0.0.1 or use the layer7 filter to identify and drop the request.
/ip dns static
# Exact-name entry: the router answers 127.0.0.1 for this name only, not for
# other hosts under windowsupdate.com.
add name=download.windowsupdate.com address=127.0.0.1
OR
/ip firewall layer7-protocol
# In a DNS query the name is sent as length-prefixed labels, not with dots
# (0x08 download 0x0d windowsupdate 0x03 com), so the unescaped "." wildcards
# are what make this match; do not "fix" them to "\.".
add name=windows-updates regexp=download.windowsupdate.com
/ip firewall filter
# chain=input assumes the router itself is <dns-server>; if the queries are
# redirected to another host on the LAN, use chain=forward instead.
add action=drop chain=input dst-port=53 layer7-protocol=windows-updates protocol=udp
add action=drop chain=input dst-port=53 layer7-protocol=windows-updates protocol=tcp
Put them above your allow rules, make sure local DNS cache is cleared on the hosts before testing.
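The layer7 rule above works for a reason worth spelling out, because the obvious "fix" of escaping the dots breaks it. This is an added example, not code from the post: a DNS query carries the name as length-prefixed labels with no dot characters at all (RFC 1035), so the unescaped "." wildcards in the regexp are what match the length octets. The script builds such queries for a few constructed names, searches them the way a payload regexp would, and decodes the name back. It assumes the router's matcher, like this approximation, searches the raw payload bytes case-insensitively; it is a model of the matching, not RouterOS's engine.

```python
"""Added example (not code from the forum post): why the layer7 regexp
'download.windowsupdate.com' matches a DNS query that contains no dots.

RFC 1035 sends a name as length-prefixed labels
(0x08 'download' 0x0d 'windowsupdate' 0x03 'com' 0x00), so the unescaped '.'
in the regexp is what matches the length octets. Assumption: the router's
matcher, like this approximation, searches the raw payload case-insensitively.
"""
import re
import struct
from typing import List


def encode_qname(name: str) -> bytes:
    """Encode 'a.b.c' as DNS labels: len(a) a len(b) b len(c) c 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_qname(packet: bytes, offset: int = 12) -> str:
    """Decode the question name of a DNS query (queries use no compression)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            return ".".join(labels)
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Minimal A/IN query: 12-byte header (RD set, one question) + question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def l7_matches(regexp: str, payload: bytes) -> bool:
    """Approximate a layer7-protocol regexp: searched anywhere in the payload,
    case-insensitive. DOTALL lets '.' match 0x0a too, the length octet of a
    10-character label, which a newline-excluding '.' would miss."""
    return re.search(regexp.encode("ascii"), payload,
                     re.IGNORECASE | re.DOTALL) is not None


def matching_names(regexp: str, names: List[str]) -> List[str]:
    """Names whose constructed query the drop rule would match."""
    return [n for n in names if l7_matches(regexp, build_query(n))]


# Constructed sample names, not captured traffic.
SAMPLE_NAMES = [
    "download.windowsupdate.com",
    "au.download.windowsupdate.com",       # subdomain: still matched
    "DOWNLOAD.WINDOWSUPDATE.COM",          # DNS names are case-insensitive
    "downloadxwindowsupdatexcom.example",  # '.' is a wildcard, so this matches too
    "windowsupdate.com",                   # no 'download' label
    "example.com",
]

if __name__ == "__main__":
    print(build_query("download.windowsupdate.com")[12:].hex())
    print("unescaped:", matching_names(r"download.windowsupdate.com", SAMPLE_NAMES))
    print("escaped:  ", matching_names(r"download\.windowsupdate\.com", SAMPLE_NAMES))
```

The same wildcard also matches any name that merely contains the byte sequence, as the fourth sample shows. Writing the length octets into the pattern instead of wildcards would be stricter, but check that your regexp engine accepts hex escapes before relying on that.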
 
Cablenut9
Long time Member
Topic Author
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: "TLS Host" option doesn't work

Tue Jul 06, 2021 9:21 pm

I'm actually trying to make it so all Windows Update traffic gets redirected to a VPN because the device I'm doing this on is a hotspot and I don't want the cellular ISPs to see any Windows stuff. I also made an address-list with a bunch of Windows Update domains but I'm going to do the L7 regex as well.
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: "TLS Host" option doesn't work

Tue Jul 06, 2021 9:23 pm

Block Windows Update & telemetry directly
Last edited by rextended on Tue Jul 06, 2021 9:29 pm, edited 3 times in total.
 
Cablenut9
Long time Member
Topic Author
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: "TLS Host" option doesn't work

Tue Jul 06, 2021 9:24 pm

How am I supposed to add that into an address-list?
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: "TLS Host" option doesn't work

Tue Jul 06, 2021 9:28 pm

You always want easy things... :-)

Thanks to crazy-max:
https://github.com/crazy-max/WindowsSpyBlocker

Windows Update
/ip firewall address-list
add list=windows_update address=13.68.87.47
add list=windows_update address=13.68.87.175
add list=windows_update address=13.68.88.129
add list=windows_update address=13.68.93.109
add list=windows_update address=13.74.179.117
add list=windows_update address=13.78.168.230
add list=windows_update address=13.78.177.144
add list=windows_update address=13.78.179.199
add list=windows_update address=13.78.180.50
add list=windows_update address=13.78.180.90
add list=windows_update address=13.78.184.44
add list=windows_update address=13.78.184.186
add list=windows_update address=13.78.186.254
add list=windows_update address=13.78.187.58
add list=windows_update address=13.78.230.134
add list=windows_update address=13.83.148.218
add list=windows_update address=13.83.148.235
add list=windows_update address=13.83.149.5
add list=windows_update address=13.83.149.67
add list=windows_update address=13.83.151.160
add list=windows_update address=13.86.124.174
add list=windows_update address=13.86.124.184
add list=windows_update address=13.86.124.191
add list=windows_update address=13.91.16.64
add list=windows_update address=13.91.16.65
add list=windows_update address=13.91.16.66
add list=windows_update address=13.92.211.120
add list=windows_update address=13.107.4.50
add list=windows_update address=13.107.4.52
add list=windows_update address=13.107.4.254
add list=windows_update address=20.36.218.63
add list=windows_update address=20.36.218.70
add list=windows_update address=20.36.222.39
add list=windows_update address=20.36.252.130
add list=windows_update address=20.41.41.23
add list=windows_update address=20.42.24.29
add list=windows_update address=20.42.24.50
add list=windows_update address=20.44.77.24
add list=windows_update address=20.44.77.45
add list=windows_update address=20.44.77.49
add list=windows_update address=20.44.77.219
add list=windows_update address=20.45.4.77
add list=windows_update address=20.45.4.178
add list=windows_update address=20.54.24.69
add list=windows_update address=20.54.24.79
add list=windows_update address=20.54.24.148
add list=windows_update address=20.54.24.169
add list=windows_update address=20.54.24.231
add list=windows_update address=20.54.24.246
add list=windows_update address=20.54.25.4
add list=windows_update address=20.54.25.16
add list=windows_update address=20.54.89.15
add list=windows_update address=20.54.89.106
add list=windows_update address=20.62.190.184
add list=windows_update address=20.62.190.185
add list=windows_update address=20.62.190.186
add list=windows_update address=20.185.109.208
add list=windows_update address=20.186.48.46
add list=windows_update address=20.188.74.161
add list=windows_update address=20.188.78.184
add list=windows_update address=20.188.78.185
add list=windows_update address=20.188.78.187
add list=windows_update address=20.188.78.188
add list=windows_update address=20.188.78.189
add list=windows_update address=20.190.3.175
add list=windows_update address=20.190.9.86
add list=windows_update address=20.191.46.109
add list=windows_update address=20.191.46.211
add list=windows_update address=23.103.189.125
add list=windows_update address=23.103.189.126
add list=windows_update address=23.103.189.157
add list=windows_update address=23.103.189.158
add list=windows_update address=40.67.248.104
add list=windows_update address=40.67.251.132
add list=windows_update address=40.67.251.134
add list=windows_update address=40.67.252.175
add list=windows_update address=40.67.252.206
add list=windows_update address=40.67.253.249
add list=windows_update address=40.67.254.36
add list=windows_update address=40.67.254.97
add list=windows_update address=40.67.255.199
add list=windows_update address=40.69.216.73
add list=windows_update address=40.69.216.129
add list=windows_update address=40.69.216.251
add list=windows_update address=40.69.218.62
add list=windows_update address=40.69.219.197
add list=windows_update address=40.69.220.46
add list=windows_update address=40.69.221.239
add list=windows_update address=40.69.222.109
add list=windows_update address=40.69.223.39
add list=windows_update address=40.69.223.198
add list=windows_update address=40.70.224.144
add list=windows_update address=40.70.224.145
add list=windows_update address=40.70.224.147
add list=windows_update address=40.70.224.148
add list=windows_update address=40.70.224.149
add list=windows_update address=40.70.229.150
add list=windows_update address=40.77.18.167
add list=windows_update address=40.77.224.8
add list=windows_update address=40.77.224.11
add list=windows_update address=40.77.224.145
add list=windows_update address=40.77.224.254
add list=windows_update address=40.77.226.13
add list=windows_update address=40.77.226.181
add list=windows_update address=40.77.226.246
add list=windows_update address=40.77.226.247
add list=windows_update address=40.77.226.248
add list=windows_update address=40.77.226.249
add list=windows_update address=40.77.226.250
add list=windows_update address=40.77.229.8
add list=windows_update address=40.77.229.9
add list=windows_update address=40.77.229.12
add list=windows_update address=40.77.229.13
add list=windows_update address=40.77.229.16
add list=windows_update address=40.77.229.21
add list=windows_update address=40.77.229.22
add list=windows_update address=40.77.229.24
add list=windows_update address=40.77.229.26
add list=windows_update address=40.77.229.27
add list=windows_update address=40.77.229.29
add list=windows_update address=40.77.229.30
add list=windows_update address=40.77.229.32
add list=windows_update address=40.77.229.35
add list=windows_update address=40.77.229.38
add list=windows_update address=40.77.229.44
add list=windows_update address=40.77.229.45
add list=windows_update address=40.77.229.50
add list=windows_update address=40.77.229.53
add list=windows_update address=40.77.229.62
add list=windows_update address=40.77.229.65
add list=windows_update address=40.77.229.67
add list=windows_update address=40.77.229.69
add list=windows_update address=40.77.229.70
add list=windows_update address=40.77.229.71
add list=windows_update address=40.77.229.74
add list=windows_update address=40.77.229.76
add list=windows_update address=40.77.229.80
add list=windows_update address=40.77.229.81
add list=windows_update address=40.77.229.82
add list=windows_update address=40.77.229.88
add list=windows_update address=40.77.229.118
add list=windows_update address=40.77.229.123
add list=windows_update address=40.77.229.128
add list=windows_update address=40.77.229.133
add list=windows_update address=40.77.229.141
add list=windows_update address=40.77.229.199
add list=windows_update address=40.79.65.78
add list=windows_update address=40.79.65.123
add list=windows_update address=40.79.65.235
add list=windows_update address=40.79.65.237
add list=windows_update address=40.79.66.194
add list=windows_update address=40.79.66.209
add list=windows_update address=40.79.67.176
add list=windows_update address=40.79.70.158
add list=windows_update address=40.91.73.169
add list=windows_update address=40.91.73.219
add list=windows_update address=40.91.75.5
add list=windows_update address=40.91.80.89
add list=windows_update address=40.91.91.94
add list=windows_update address=40.91.120.196
add list=windows_update address=40.91.122.44
add list=windows_update address=40.125.122.151
add list=windows_update address=40.125.122.176
add list=windows_update address=51.103.5.159
add list=windows_update address=51.103.5.186
add list=windows_update address=51.104.162.50
add list=windows_update address=51.104.162.168
add list=windows_update address=51.104.164.114
add list=windows_update address=51.104.167.48
add list=windows_update address=51.104.167.186
add list=windows_update address=51.104.167.245
add list=windows_update address=51.104.167.255
add list=windows_update address=51.105.249.223
add list=windows_update address=51.105.249.228
add list=windows_update address=51.105.249.239
add list=windows_update address=52.142.21.136
add list=windows_update address=52.137.102.105
add list=windows_update address=52.137.103.96
add list=windows_update address=52.137.103.130
add list=windows_update address=52.137.110.235
add list=windows_update address=52.142.21.137
add list=windows_update address=52.142.21.140
add list=windows_update address=52.142.21.141
add list=windows_update address=52.143.80.209
add list=windows_update address=52.143.81.222
add list=windows_update address=52.143.84.45
add list=windows_update address=52.143.86.214
add list=windows_update address=52.143.87.28
add list=windows_update address=52.147.176.8
add list=windows_update address=52.148.148.114
add list=windows_update address=52.152.108.96
add list=windows_update address=52.152.110.14
add list=windows_update address=52.155.95.90
add list=windows_update address=52.155.115.56
add list=windows_update address=52.155.169.137
add list=windows_update address=52.155.183.99
add list=windows_update address=52.155.217.156
add list=windows_update address=52.155.223.194
add list=windows_update address=52.156.144.83
add list=windows_update address=52.158.114.119
add list=windows_update address=52.158.122.14
add list=windows_update address=52.161.15.246
add list=windows_update address=52.164.221.179
add list=windows_update address=52.164.226.245
add list=windows_update address=52.167.222.82
add list=windows_update address=52.167.222.147
add list=windows_update address=52.167.223.135
add list=windows_update address=52.169.82.131
add list=windows_update address=52.169.83.3
add list=windows_update address=52.169.87.42
add list=windows_update address=52.169.123.48
add list=windows_update address=52.175.23.79
add list=windows_update address=52.177.164.251
add list=windows_update address=52.177.247.15
add list=windows_update address=52.178.192.146
add list=windows_update address=52.179.216.235
add list=windows_update address=52.179.219.14
add list=windows_update address=52.183.47.176
add list=windows_update address=52.183.118.171
add list=windows_update address=52.184.152.136
add list=windows_update address=52.184.155.206
add list=windows_update address=52.184.212.181
add list=windows_update address=52.184.213.21
add list=windows_update address=52.184.213.187
add list=windows_update address=52.184.214.53
add list=windows_update address=52.184.214.123
add list=windows_update address=52.184.214.139
add list=windows_update address=52.184.216.174
add list=windows_update address=52.184.216.226
add list=windows_update address=52.184.216.246
add list=windows_update address=52.184.217.20
add list=windows_update address=52.184.217.37
add list=windows_update address=52.184.217.56
add list=windows_update address=52.187.60.107
add list=windows_update address=52.188.72.233
add list=windows_update address=52.226.130.114
add list=windows_update address=52.229.170.171
add list=windows_update address=52.229.170.224
add list=windows_update address=52.229.171.86
add list=windows_update address=52.229.171.202
add list=windows_update address=52.229.172.155
add list=windows_update address=52.229.174.29
add list=windows_update address=52.229.174.172
add list=windows_update address=52.229.174.233
add list=windows_update address=52.229.175.79
add list=windows_update address=52.230.216.17
add list=windows_update address=52.230.216.157
add list=windows_update address=52.230.220.159
add list=windows_update address=52.230.223.92
add list=windows_update address=52.230.223.167
add list=windows_update address=52.232.225.93
add list=windows_update address=52.238.248.1
add list=windows_update address=52.238.248.2
add list=windows_update address=52.238.248.3
add list=windows_update address=52.242.97.97
add list=windows_update address=52.242.101.226
add list=windows_update address=52.242.231.32
add list=windows_update address=52.242.231.33
add list=windows_update address=52.242.231.35
add list=windows_update address=52.242.231.36
add list=windows_update address=52.242.231.37
add list=windows_update address=52.243.153.146
add list=windows_update address=52.248.96.36
add list=windows_update address=52.249.24.101
add list=windows_update address=52.249.58.51
add list=windows_update address=52.250.46.232
add list=windows_update address=52.250.46.237
add list=windows_update address=52.250.46.238
add list=windows_update address=52.250.195.200
add list=windows_update address=52.250.195.204
add list=windows_update address=52.250.195.206
add list=windows_update address=52.250.195.207
add list=windows_update address=52.253.130.84
add list=windows_update address=52.254.106.61
add list=windows_update address=64.4.27.50
add list=windows_update address=65.52.108.29
add list=windows_update address=65.52.108.33
add list=windows_update address=65.52.108.59
add list=windows_update address=65.52.108.90
add list=windows_update address=65.52.108.92
add list=windows_update address=65.52.108.153
add list=windows_update address=65.52.108.154
add list=windows_update address=65.52.108.185
add list=windows_update address=65.55.242.254
add list=windows_update address=66.119.144.157
add list=windows_update address=66.119.144.158
add list=windows_update address=66.119.144.189
add list=windows_update address=66.119.144.190
add list=windows_update address=67.26.27.254
add list=windows_update address=104.45.177.233
add list=windows_update address=111.221.29.40
add list=windows_update address=134.170.51.187
add list=windows_update address=134.170.51.188
add list=windows_update address=134.170.51.190
add list=windows_update address=134.170.51.246
add list=windows_update address=134.170.51.247
add list=windows_update address=134.170.51.248
add list=windows_update address=134.170.53.29
add list=windows_update address=134.170.53.30
add list=windows_update address=134.170.115.55
add list=windows_update address=134.170.115.56
add list=windows_update address=134.170.115.60
add list=windows_update address=134.170.115.62
add list=windows_update address=134.170.165.248
add list=windows_update address=134.170.165.249
add list=windows_update address=134.170.165.251
add list=windows_update address=134.170.165.253
add list=windows_update address=137.135.62.92
add list=windows_update address=157.55.133.204
add list=windows_update address=157.55.240.89
add list=windows_update address=157.55.240.126
add list=windows_update address=157.55.240.220
add list=windows_update address=157.56.77.138
add list=windows_update address=157.56.77.139
add list=windows_update address=157.56.77.140
add list=windows_update address=157.56.77.141
add list=windows_update address=157.56.77.148
add list=windows_update address=157.56.77.149
add list=windows_update address=157.56.96.54
add list=windows_update address=157.56.96.58
add list=windows_update address=157.56.96.123
add list=windows_update address=157.56.96.157
add list=windows_update address=191.232.80.53
add list=windows_update address=191.232.80.58
add list=windows_update address=191.232.80.60
add list=windows_update address=191.232.80.62
add list=windows_update address=191.232.139.2
add list=windows_update address=191.232.139.182
add list=windows_update address=191.232.139.253
add list=windows_update address=191.232.139.254
add list=windows_update address=191.234.72.183
add list=windows_update address=191.234.72.186
add list=windows_update address=191.234.72.188
add list=windows_update address=191.234.72.190
add list=windows_update address=207.46.114.58
add list=windows_update address=207.46.114.61

Telemetry
/ip firewall address-list
add list=windows_telemetry address=13.64.90.137
add list=windows_telemetry address=13.68.31.193
add list=windows_telemetry address=13.69.131.175
add list=windows_telemetry address=13.66.56.243
add list=windows_telemetry address=13.68.82.8
add list=windows_telemetry address=13.68.92.143
add list=windows_telemetry address=13.73.26.107
add list=windows_telemetry address=13.74.169.109
add list=windows_telemetry address=13.78.130.220
add list=windows_telemetry address=13.78.232.226
add list=windows_telemetry address=13.78.233.133
add list=windows_telemetry address=13.88.21.125
add list=windows_telemetry address=13.92.194.212
add list=windows_telemetry address=13.104.215.69
add list=windows_telemetry address=20.44.86.43
add list=windows_telemetry address=20.49.150.241
add list=windows_telemetry address=20.54.110.119
add list=windows_telemetry address=20.60.20.4
add list=windows_telemetry address=20.189.74.153
add list=windows_telemetry address=23.99.49.121
add list=windows_telemetry address=23.102.4.253
add list=windows_telemetry address=23.102.5.5
add list=windows_telemetry address=23.102.21.4
add list=windows_telemetry address=23.103.182.126
add list=windows_telemetry address=40.68.222.212
add list=windows_telemetry address=40.69.153.67
add list=windows_telemetry address=40.70.184.83
add list=windows_telemetry address=40.70.220.248
add list=windows_telemetry address=40.70.221.249
add list=windows_telemetry address=40.77.228.47
add list=windows_telemetry address=40.77.228.87
add list=windows_telemetry address=40.77.228.92
add list=windows_telemetry address=40.77.232.101
add list=windows_telemetry address=40.78.128.150
add list=windows_telemetry address=40.79.85.125
add list=windows_telemetry address=40.88.32.150
add list=windows_telemetry address=40.90.221.9
add list=windows_telemetry address=40.112.209.200
add list=windows_telemetry address=40.115.3.210
add list=windows_telemetry address=40.115.119.185
add list=windows_telemetry address=40.119.211.203
add list=windows_telemetry address=40.119.249.228
add list=windows_telemetry address=40.124.34.70
add list=windows_telemetry address=40.127.240.158
add list=windows_telemetry address=51.104.136.2
add list=windows_telemetry address=51.124.78.146
add list=windows_telemetry address=51.140.40.236
add list=windows_telemetry address=51.140.157.153
add list=windows_telemetry address=51.143.53.152
add list=windows_telemetry address=51.143.111.7
add list=windows_telemetry address=51.143.111.81
add list=windows_telemetry address=51.144.227.73
add list=windows_telemetry address=52.147.198.201
add list=windows_telemetry address=52.138.204.217
add list=windows_telemetry address=52.138.216.83
add list=windows_telemetry address=52.155.94.78
add list=windows_telemetry address=52.155.172.105
add list=windows_telemetry address=52.157.234.37
add list=windows_telemetry address=52.158.208.111
add list=windows_telemetry address=52.164.241.205
add list=windows_telemetry address=52.169.189.83
add list=windows_telemetry address=52.170.83.19
add list=windows_telemetry address=52.174.22.246
add list=windows_telemetry address=52.178.147.240
add list=windows_telemetry address=52.178.151.212
add list=windows_telemetry address=52.178.178.16
add list=windows_telemetry address=52.178.223.23
add list=windows_telemetry address=52.183.114.173
add list=windows_telemetry address=52.184.221.185
add list=windows_telemetry address=52.229.39.152
add list=windows_telemetry address=52.230.85.180
add list=windows_telemetry address=52.230.222.68
add list=windows_telemetry address=52.236.42.239
add list=windows_telemetry address=52.236.43.202
add list=windows_telemetry address=52.255.188.83
add list=windows_telemetry address=65.52.100.7
add list=windows_telemetry address=65.52.100.9
add list=windows_telemetry address=65.52.100.11
add list=windows_telemetry address=65.52.100.91
add list=windows_telemetry address=65.52.100.92
add list=windows_telemetry address=65.52.100.93
add list=windows_telemetry address=65.52.100.94
add list=windows_telemetry address=65.52.161.64
add list=windows_telemetry address=65.55.29.238
add list=windows_telemetry address=65.55.44.51
add list=windows_telemetry address=65.55.44.54
add list=windows_telemetry address=65.55.44.108
add list=windows_telemetry address=65.55.44.109
add list=windows_telemetry address=65.55.83.120
add list=windows_telemetry address=65.55.113.11
add list=windows_telemetry address=65.55.113.12
add list=windows_telemetry address=65.55.113.13
add list=windows_telemetry address=65.55.176.90
add list=windows_telemetry address=65.55.252.43
add list=windows_telemetry address=65.55.252.63
add list=windows_telemetry address=65.55.252.70
add list=windows_telemetry address=65.55.252.71
add list=windows_telemetry address=65.55.252.72
add list=windows_telemetry address=65.55.252.93
add list=windows_telemetry address=65.55.252.190
add list=windows_telemetry address=65.55.252.202
add list=windows_telemetry address=66.119.147.131
add list=windows_telemetry address=104.41.207.73
add list=windows_telemetry address=104.42.151.234
add list=windows_telemetry address=104.43.137.66
add list=windows_telemetry address=104.43.139.21
add list=windows_telemetry address=104.43.139.144
add list=windows_telemetry address=104.43.140.223
add list=windows_telemetry address=104.43.193.48
add list=windows_telemetry address=104.43.228.53
add list=windows_telemetry address=104.43.228.202
add list=windows_telemetry address=104.43.237.169
add list=windows_telemetry address=104.45.11.195
add list=windows_telemetry address=104.45.214.112
add list=windows_telemetry address=104.46.1.211
add list=windows_telemetry address=104.46.38.64
add list=windows_telemetry address=104.210.4.77
add list=windows_telemetry address=104.210.40.87
add list=windows_telemetry address=104.210.212.243
add list=windows_telemetry address=104.214.35.244
add list=windows_telemetry address=104.214.78.152
add list=windows_telemetry address=131.253.6.87
add list=windows_telemetry address=131.253.6.103
add list=windows_telemetry address=131.253.34.230
add list=windows_telemetry address=131.253.34.234
add list=windows_telemetry address=131.253.34.237
add list=windows_telemetry address=131.253.34.243
add list=windows_telemetry address=131.253.34.246
add list=windows_telemetry address=131.253.34.247
add list=windows_telemetry address=131.253.34.249
add list=windows_telemetry address=131.253.34.252
add list=windows_telemetry address=131.253.34.255
add list=windows_telemetry address=131.253.40.37
add list=windows_telemetry address=134.170.30.202
add list=windows_telemetry address=134.170.30.203
add list=windows_telemetry address=134.170.30.204
add list=windows_telemetry address=134.170.30.221
add list=windows_telemetry address=134.170.52.151
add list=windows_telemetry address=134.170.235.16
add list=windows_telemetry address=157.56.74.250
add list=windows_telemetry address=157.56.91.77
add list=windows_telemetry address=157.56.106.184
add list=windows_telemetry address=157.56.106.185
add list=windows_telemetry address=157.56.106.189
add list=windows_telemetry address=157.56.113.217
add list=windows_telemetry address=157.56.121.89
add list=windows_telemetry address=157.56.124.87
add list=windows_telemetry address=157.56.149.250
add list=windows_telemetry address=157.56.194.72
add list=windows_telemetry address=157.56.194.73
add list=windows_telemetry address=157.56.194.74
add list=windows_telemetry address=168.61.24.141
add list=windows_telemetry address=168.61.146.25
add list=windows_telemetry address=168.61.149.17
add list=windows_telemetry address=168.61.161.212
add list=windows_telemetry address=168.61.172.71
add list=windows_telemetry address=168.62.187.13
add list=windows_telemetry address=168.63.100.61
add list=windows_telemetry address=168.63.108.233
add list=windows_telemetry address=191.236.155.80
add list=windows_telemetry address=191.237.218.239
add list=windows_telemetry address=191.239.50.18
add list=windows_telemetry address=191.239.50.77
add list=windows_telemetry address=191.239.52.100
add list=windows_telemetry address=191.239.54.52
add list=windows_telemetry address=207.68.166.254
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: "TLS Host" option doesn't work

Tue Jul 06, 2021 9:31 pm

TLS Host matcher doesn't work with TLS1.3+.
And what did I write?

Your solution is useless because in the near future DoH and DoT will be used...

Indeed, they already use them...
 
Cablenut9
Long time Member
Topic Author
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: "TLS Host" option doesn't work

Tue Jul 06, 2021 9:52 pm

Your solution is useless because on close future DoH and DoT are used...
I'm also doing this, complete with verified certificate.
You always want easy things... :-)
I could make a C++ script to do it for me but I'm low on time. :)
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: "TLS Host" option doesn't work

Tue Jul 06, 2021 9:59 pm

@Cablenut9... "the solution is useless (intercept standard DNS on 53)" is for @osc86, not for you... ;)
 
osc86
Member Candidate
Posts: 197
Joined: Wed Aug 09, 2017 1:15 pm

Re: "TLS Host" option doesn't work

Tue Jul 06, 2021 11:19 pm

There are no reports that Microsoft is going to force users to use DoH or DoT any time soon. And even if they do, if you control the clients you'll be able to disable it using group policies.
Blocking IP ranges is way more useless, as they can change any time, and with the increased use of CDNs and IPv6 it'll be even more useless.
The solution I posted has been tested and works. There wasn't a single word about policy routing in the original post.
 
Cablenut9
Long time Member
Topic Author
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: "TLS Host" option doesn't work

Tue Jul 06, 2021 11:37 pm

Now I don't know what to do, use regex or use the address-lists. I probably shouldn't do both because that'd be a waste of CPU resources.
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: "TLS Host" option doesn't work

Tue Jul 06, 2021 11:56 pm

There wasn't a single word about policy routing in the original post.
I do not understand this. :(
What does that mean?
 
osc86
Member Candidate
Posts: 197
Joined: Wed Aug 09, 2017 1:15 pm

Re: "TLS Host" option doesn't work

Wed Jul 07, 2021 12:04 am

I'm actually trying to make it so all Windows Update traffic gets redirected to a VPN
 
Cablenut9
Long time Member
Topic Author
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: "TLS Host" option doesn't work

Wed Jul 07, 2021 12:23 am

Here's the pros and cons for each policy routing method:

Address list pros: Easy (?) on CPU, works with TLS 1.3
Cons: Changes because of CDNs, requires updates

L7 pros: Doesn't require updates
Cons: Hard (?) on CPU, doesn't work with TLS 1.3
 
osc86
Member Candidate
Posts: 197
Joined: Wed Aug 09, 2017 1:15 pm

Re: "TLS Host" option doesn't work

Wed Jul 07, 2021 1:08 am

Actually it won't be too CPU intensive, because only (small) DNS packets will be matched against the L7 filter. In this case, the TLS version is unimportant.
However, for policy routing a little more is required; you should've mentioned this in your first post.
My solution just prevents a successful DNS resolution of the specified domain, which obviously is not what you want, so you'd have to use rextended's solution and mark sessions/packets based on an address list and route them via VPN using mangle rules.
 
Cablenut9
Long time Member
Topic Author
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: "TLS Host" option doesn't work

Wed Jul 07, 2021 1:12 am

only (small) dns packets will be matched against the L7 filter. In this case, the TLS version is unimportant.
This is basically useless to me as I'm using DoH which hides all the DNS from attackers, but you already knew this.
you'd have to use rextended's solution and mark sessions/packets based on an address list and route them via vpn using mangle rules.
Why couldn't I use the L7 method for policy routing, other than the CPU problem?
 
osc86
Member Candidate
Posts: 197
Joined: Wed Aug 09, 2017 1:15 pm

Re: "TLS Host" option doesn't work

Wed Jul 07, 2021 2:20 am

This is basically useless to me as I'm using DoH which hides all the DNS from attackers, but you already knew this.
Bullshit! Not even the just-released Windows 11 pre-release uses DoH or DoT for DNS resolution. It's using the same unencrypted shit that was invented in 1983. You have to understand that only the (unencrypted!) DNS traffic between your Windows client and the configured DNS server (I assumed it's the Mikrotik router) gets inspected/altered. It doesn't matter if you're using DoH on any upstream DNS resolver.
The only exception would be if you configured an external public DoH/DoT server on your Windows clients, which nobody with a clear mind would ever do. If this is the case, there's no solution for your problem. RouterOS can't break TLS connections, as it's an operating system designed to route packets, not to be a next-generation firewall.
 
Cablenut9
Long time Member
Topic Author
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: "TLS Host" option doesn't work

Wed Jul 07, 2021 2:23 am

You have to understand that only the (unencrypted!) dns traffic between your Windows Client and the configured DNS Server (I assumed it's the Mikrotik Router) gets inspected/altered. It doesn't matter if you're using DoH on any upstream DNS Resolver.
You didn't even come close to what I'm doing. To stop cellular operators from seeing any unencrypted DNS requests, I set up a hairpin NAT rule to redirect all port-53 DNS to the Mikrotik which has its DNS server, and that server uses DoH over the cellular network that the ISP can see. However, in TLS 1-1.2 and HTTP requests, you can still see the domain in packets so I need some way to stop Windows Update ones from getting routed the usual way, so I just need some method to identify them to send to some VPN tunnel.
 
osc86
Member Candidate
Posts: 197
Joined: Wed Aug 09, 2017 1:15 pm

Re: "TLS Host" option doesn't work

Wed Jul 07, 2021 3:11 am

You need to have an address-list, like the one crazy-max provides, and route them via vpn like so:
/ip firewall mangle
add action=mark-connection chain=prerouting dst-address-list=windows_update new-connection-mark=\
    c_windows_update passthrough=yes
add action=mark-packet chain=prerouting connection-mark=c_windows_update \
    new-packet-mark=p_windows_update passthrough=yes
add action=mark-routing chain=prerouting new-routing-mark=VPN packet-mark=p_windows_update passthrough=no

/ip route
add distance=1 gateway=<your-vpn-gateway> routing-mark=VPN
 
Cablenut9
Long time Member
Topic Author
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: "TLS Host" option doesn't work

Wed Jul 07, 2021 3:21 am

You need to have an address-list, like the one crazy-max provides
What about L7 in addition to or instead of address-list?
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: "TLS Host" option doesn't work

Wed Jul 07, 2021 3:42 am

L7 can't see inside HTTPS, TLS, STARTTLS, DoH, DoT, etc. etc. etc. protocols.
 
osc86
Member Candidate
Posts: 197
Joined: Wed Aug 09, 2017 1:15 pm

Re: "TLS Host" option doesn't work

Wed Jul 07, 2021 3:42 am

To my knowledge, L7 filter won't help here, but not 100% sure, as I'm not using it too much. You can also add domain names to address lists, for example:
/ip firewall address-list add list=windows_update address=download.windowsupdate.com
Router will resolve all A-records (not sure if AAAA too) for that domain, which will then get added to the list.
It can then be used for policy routing like I wrote above.
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: "TLS Host" option doesn't work

Wed Jul 07, 2021 3:45 am

In some of my posts (not too old) there is an official Micro$oft list of domains...

viewtopic.php?f=2&t=175375&p=858126&hil ... te#p858126
 
Cablenut9
Long time Member
Topic Author
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: "TLS Host" option doesn't work

Wed Jul 07, 2021 3:52 am

there are official Micro$oft list of domains... LINK
The problem is, this has non-Windows stuff as well (like ad domains) but I only need to masquerade addresses that are a "smoking gun" that there is a Windows machine in the network. I found a few candidates here: https://answers.microsoft.com/en-us/win ... db574d1526
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: "TLS Host" option doesn't work

Wed Jul 07, 2021 4:03 am

Ignore the list,
open the link and you will find the official Windows Update section
 
Cablenut9
Long time Member
Topic Author
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: "TLS Host" option doesn't work

Wed Jul 07, 2021 4:07 am

Now I have the master list, but I need a good way to transfer it to an address-list. I found the quickest manual way was to get into the terminal and keep entering the last command where the domain is replaced with a new one every time.
Would it be a good idea to get rid of the list of IP addresses that I got earlier, or should I keep it?
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: "TLS Host" option doesn't work

Wed Jul 07, 2021 4:21 am

umpf... you want it all so easy.... :P
/ip firewall address-list
add list=windows_update_dns address=a-0001.a-msedge.net
add list=windows_update_dns address=a-0002.a-msedge.net
add list=windows_update_dns address=a-0003.a-msedge.net
add list=windows_update_dns address=a-0004.a-msedge.net
add list=windows_update_dns address=a-0005.a-msedge.net
add list=windows_update_dns address=a-0006.a-msedge.net
add list=windows_update_dns address=a-0007.a-msedge.net
add list=windows_update_dns address=a-0008.a-msedge.net
add list=windows_update_dns address=a-0009.a-msedge.net
add list=windows_update_dns address=a-msedge.net
add list=windows_update_dns address=a.ads1.msn.com
add list=windows_update_dns address=a.ads2.msads.net
add list=windows_update_dns address=a.ads2.msn.com
add list=windows_update_dns address=a.rad.msn.com
add list=windows_update_dns address=ac3.msn.com
add list=windows_update_dns address=ad.doubleclick.net
add list=windows_update_dns address=adnexus.net
add list=windows_update_dns address=adnxs.com
add list=windows_update_dns address=ads.msn.com
add list=windows_update_dns address=ads1.msads.net
add list=windows_update_dns address=ads1.msn.com
add list=windows_update_dns address=aidps.atdmt.com
add list=windows_update_dns address=aka-cdn-ns.adtech.de
add list=windows_update_dns address=apps.skype.com
add list=windows_update_dns address=az361816.vo.msecnd.net
add list=windows_update_dns address=az512334.vo.msecnd.net
add list=windows_update_dns address=b.ads1.msn.com
add list=windows_update_dns address=b.ads2.msads.net
add list=windows_update_dns address=b.rad.msn.com
add list=windows_update_dns address=bs.serving-sys.com
add list=windows_update_dns address=c.atdmt.com
add list=windows_update_dns address=c.msn.com
add list=windows_update_dns address=ca.telemetry.microsoft.com
add list=windows_update_dns address=cache.datamart.windows.com
add list=windows_update_dns address=cdn.atdmt.com
add list=windows_update_dns address=cds26.ams9.msecn.net
add list=windows_update_dns address=choice.microsoft.com
add list=windows_update_dns address=choice.microsoft.com.nsatc.net
add list=windows_update_dns address=choice.microsoft.com.nstac.net
add list=windows_update_dns address=compatexchange.cloudapp.net
add list=windows_update_dns address=corp.sts.microsoft.com
add list=windows_update_dns address=corpext.msitadfs.glbdns2.microsoft.com
add list=windows_update_dns address=cs1.wpc.v0cdn.net
add list=windows_update_dns address=db3aqu.atdmt.com
add list=windows_update_dns address=db3wns2011111.wns.windows.com
add list=windows_update_dns address=df.telemetry.microsoft.com
add list=windows_update_dns address=diagnostics.support.microsoft.com
add list=windows_update_dns address=ec.atdmt.com
add list=windows_update_dns address=fe2.update.microsoft.com.akadns.net
add list=windows_update_dns address=fe3.delivery.dsp.mp.microsoft.com.nsatc.net
add list=windows_update_dns address=feedback.microsoft-hohm.com
add list=windows_update_dns address=feedback.search.microsoft.com
add list=windows_update_dns address=feedback.windows.com
add list=windows_update_dns address=flex.msn.com
add list=windows_update_dns address=g.msn.com
add list=windows_update_dns address=h1.msn.com
add list=windows_update_dns address=i1.services.social.microsoft.com
add list=windows_update_dns address=i1.services.social.microsoft.com.nsatc.net
add list=windows_update_dns address=lb1.www.ms.akadns.net
add list=windows_update_dns address=live.rads.msn.com
add list=windows_update_dns address=m.adnxs.com
add list=windows_update_dns address=m.hotmail.com
add list=windows_update_dns address=msedge.net
add list=windows_update_dns address=msftncsi.com
add list=windows_update_dns address=msnbot-207-46-194-33.search.msn.com
add list=windows_update_dns address=msnbot-65-55-108-23.search.msn.com
add list=windows_update_dns address=msntest.serving-sys.com
add list=windows_update_dns address=oca.telemetry.microsoft.com
add list=windows_update_dns address=oca.telemetry.microsoft.com.nsatc.net
add list=windows_update_dns address=pre.footprintpredict.com
add list=windows_update_dns address=preview.msn.com
add list=windows_update_dns address=pricelist.skype.com
add list=windows_update_dns address=rad.live.com
add list=windows_update_dns address=rad.msn.com
add list=windows_update_dns address=redir.metaservices.microsoft.com
add list=windows_update_dns address=reports.wes.df.telemetry.microsoft.com
add list=windows_update_dns address=s.gateway.messenger.live.com
add list=windows_update_dns address=s0.2mdn.net
add list=windows_update_dns address=schemas.microsoft.akadns.net
add list=windows_update_dns address=secure.adnxs.com
add list=windows_update_dns address=secure.flashtalking.com
add list=windows_update_dns address=services.wes.df.telemetry.microsoft.com
add list=windows_update_dns address=settings-sandbox.data.microsoft.com
add list=windows_update_dns address=settings-win.data.microsoft.com
add list=windows_update_dns address=settings.data.microsof.com
add list=windows_update_dns address=sls.update.microsoft.com.akadns.net
add list=windows_update_dns address=sO.2mdn.net
add list=windows_update_dns address=spynet2.microsoft.com
add list=windows_update_dns address=spynetalt.microsoft.com
add list=windows_update_dns address=sqm.df.telemetry.microsoft.com
add list=windows_update_dns address=sqm.telemetry.microsoft.com
add list=windows_update_dns address=sqm.telemetry.microsoft.com.nsatc.net
add list=windows_update_dns address=ssw.live.com
add list=windows_update_dns address=static.2mdn.net
add list=windows_update_dns address=statsfe1.ws.microsoft.com
add list=windows_update_dns address=statsfe2.update.microsoft.com.akadns.net
add list=windows_update_dns address=statsfe2.ws.microsoft.com
add list=windows_update_dns address=survey.watson.microsoft.com
add list=windows_update_dns address=telecommand.telemetry.microsoft.com
add list=windows_update_dns address=telecommand.telemetry.microsoft.com.nsatc.net
add list=windows_update_dns address=telemetry.appex.bing.net
add list=windows_update_dns address=telemetry.microsoft.com
add list=windows_update_dns address=telemetry.urs.microsoft.com
add list=windows_update_dns address=ui.skype.com
add list=windows_update_dns address=v10.vortex-win.data.microsoft.com
add list=windows_update_dns address=view.atdmt.com
add list=windows_update_dns address=vortex-bn2.metron.live.com.nsatc.net
add list=windows_update_dns address=vortex-cy2.metron.live.com.nsatc.net
add list=windows_update_dns address=vortex-sandbox.data.microsoft.com
add list=windows_update_dns address=vortex-win.data.metron.live.com.nsatc.net
add list=windows_update_dns address=vortex-win.data.microsoft.com
add list=windows_update_dns address=vortex.data.glbdns2.microsoft.com
add list=windows_update_dns address=vortex.data.microsoft.com
add list=windows_update_dns address=watson.live.com
add list=windows_update_dns address=watson.microsoft.com
add list=windows_update_dns address=watson.ppe.telemetry.microsoft.com
add list=windows_update_dns address=watson.telemetry.microsoft.com
add list=windows_update_dns address=watson.telemetry.microsoft.com.nsatc.net
add list=windows_update_dns address=web.vortex.data.microsoft.com
add list=windows_update_dns address=wes.df.telemetry.microsoft.com
add list=windows_update_dns address=win10.ipv6.microsoft.com
add list=windows_update_dns address=www.msftncsi.com
 
Cablenut9
Long time Member
Topic Author
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: "TLS Host" option doesn't work

Wed Jul 07, 2021 4:26 am

Too late, I already did it!
/ip firewall address-list
add address=activity.windows.com list=windows_telemetry
add address=tile-service.weather.microsoft.com list=windows_telemetry
add address=evoke-windowsservices-tas.msedge.net list=windows_telemetry
add address=cdn.onenote.net list=windows_telemetry
add address=spclient.wg.spotify.com list=windows_telemetry
add address=ctldl.windowsupdate.com list=windows_telemetry
add address=fp.msedge.net list=windows_telemetry
add address=k-ring.msedge.net list=windows_telemetry
add address=b-ring.msedge.net list=windows_telemetry
add address=login.live.com list=windows_telemetry
add address=cs.dds.microsoft.com list=windows_telemetry
add address=dmd.metaservices.microsoft.com list=windows_telemetry
add address=v10.events.data.microsoft.com list=windows_telemetry
add address=v20.events.data.microsoft.com list=windows_telemetry
add address=watson.telemetry.microsoft.com list=windows_telemetry
add address=licensing.mp.microsoft.com list=windows_telemetry
add address=inference.location.live.net list=windows_telemetry
add address=maps.windows.com list=windows_telemetry
add address=ssl.ak.dynamic.tiles.virtualearth.net list=windows_telemetry
add address=ssl.ak.tiles.virtualearth.net list=windows_telemetry
add address=dev.virtualearth.net list=windows_telemetry
add address=ecn.dev.virtualearth.net list=windows_telemetry
add address=ssl.bing.com list=windows_telemetry
add address=edge.activity.windows.com list=windows_telemetry
add address=edge.microsoft.com list=windows_telemetry
add address=msedge.api.cdp.microsoft.com list=windows_telemetry
add address=img-prod-cms-rt-microsoft-com.akamaized.net list=\
    windows_telemetry
add address=wns.windows.com list=windows_telemetry
add address=storecatalogrevocation.storequality.microsoft.com list=\
    windows_telemetry
add address=displaycatalog.mp.microsoft.com list=windows_telemetry
add address=pti.store.microsoft.com list=windows_telemetry
add address=storesdk.dsx.mp.microsoft.com list=windows_telemetry
add address=manage.devcenter.microsoft.com list=windows_telemetry
add address=store-images.s-microsoft.com list=windows_telemetry
add address=www.msftconnecttest.com list=windows_telemetry
add address=outlook.office365.com list=windows_telemetry
add address=blobs.officehome.msocdn.com list=windows_telemetry
add address=officehomeblobs.blob.core.windows.net list=windows_telemetry
add address=blob.core.windows.net list=windows_telemetry
add address=self.events.data.microsoft.com list=windows_telemetry
add address=outlookmobile-office365-tas.msedge.net list=windows_telemetry
add address=roaming.officeapps.live.com list=windows_telemetry
add address=substrate.office.com list=windows_telemetry
add address=oneclient.sfx.ms list=windows_telemetry
add address=g.live.com list=windows_telemetry
add address=logincdn.msauth.net list=windows_telemetry
add address=windows.policies.live.net list=windows_telemetry
add address=api.onedrive.com list=windows_telemetry
add address=skydrivesync.policies.live.net list=windows_telemetry
add address=storage.live.com list=windows_telemetry
add address=settings.live.net list=windows_telemetry
add address=settings.data.microsoft.com list=windows_telemetry
add address=settings-win.data.microsoft.com list=windows_telemetry
add address=pipe.aria.microsoft.com list=windows_telemetry
add address=config.edge.skype.com list=windows_telemetry
add address=config.teams.microsoft.com list=windows_telemetry
add address=wdcp.microsoft.com list=windows_telemetry
add address=wdcpalt.microsoft.com list=windows_telemetry
add address=smartscreen-prod.microsoft.com list=windows_telemetry
add address=definitionupdates.microsoft.com list=windows_telemetry
add address=martscreen.microsoft.com list=windows_telemetry
add address=smartscreen.microsoft.com list=windows_telemetry
add address=checkappexec.microsoft.com list=windows_telemetry
add address=arc.msn.com list=windows_telemetry
add address=ris.api.iris.microsoft.com list=windows_telemetry
add address=mucp.api.account.microsoft.com list=windows_telemetry
add address=prod.do.dsp.mp.microsoft.com list=windows_telemetry
add address=emdl.ws.microsoft.com list=windows_update
add address=dl.delivery.mp.microsoft.com list=windows_update
add address=delivery.mp.microsoft.com list=windows_update
add address=update.microsoft.com list=windows_update
add address=adl.windows.com list=windows_update
add address=tsfe.trafficshaping.dsp.mp.microsoft.com list=windows_update
add address=dlassets-ssl.xboxlive.com list=windows_telemetry
add address=www.xboxab.com list=windows_telemetry
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: "TLS Host" option doesn't work

Wed Jul 07, 2021 4:31 am

Bravo
 
Cablenut9
Long time Member
Topic Author
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: "TLS Host" option doesn't work

Wed Jul 07, 2021 10:08 pm

Is there a similar list for Apple?
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: "TLS Host" option doesn't work

Thu Jul 08, 2021 1:05 am

Probably, but I do not use those imposed devices.
 
Cablenut9
Long time Member
Topic Author
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: "TLS Host" option doesn't work

Thu Jul 08, 2021 1:10 am

I just found this potential list that could work: https://support.apple.com/en-us/HT210060
 
Cablenut9
Long time Member
Topic Author
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: "TLS Host" option doesn't work

Thu Jul 08, 2021 3:29 am

HELP! After adding all these domains to the address-list, my router is pulling a perpetual 200kb/s through the LTE modem. Is there a way to extend the TTL for DNS so it doesn't use so much data?

Here's an alternative idea I just got: Use L7 regex and the big list of IPs together. However, use L7 to match only against port-53 DNS requests, and for hosts that match this rule, add them to an address list of their own. Then, reroute all TCP port 80/443 traffic from those hosts to the VPN. This is the closest I can get to not needing a big list of domains and selectively routing. Here's a regex I made for this:
(watson|telemetry|windows|smartscreen|maps|activity|choice|download|update|diagnostics|feedback|spynet|telecommand|ipv6|vortex).*(data|support|microsoft|windows|bing|windowsupdate|live)
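To see what that regex would actually be run against on port 53, here is an added example (not code from the thread or from RouterOS): it constructs a few DNS query packets, decodes the wire-format QNAME that a layer7 matcher sees (length-prefixed labels, no dots), and applies Cablenut9's regex to the decoded name. The sample names are constructed; the last one is not a Microsoft name yet still matches, because the regex is unanchored and its dot is unescaped.

```python
import re
import struct
from typing import Tuple

# Regex quoted verbatim from the post above; no anchoring, and "." is unescaped.
WINDOWS_DNS_REGEX = re.compile(
    r"(watson|telemetry|windows|smartscreen|maps|activity|choice|download|update|"
    r"diagnostics|feedback|spynet|telecommand|ipv6|vortex)"
    r".*(data|support|microsoft|windows|bing|windowsupdate|live)"
)


def build_dns_query(qname: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Construct a minimal DNS query packet (test input only; nothing is sent)."""
    # Header: id, flags (RD set), qdcount=1, ancount/nscount/arcount=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        struct.pack("B", len(label)) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # qtype, class IN


def parse_qname(packet: bytes) -> str:
    """Decode the QNAME of the first question into dotted form.

    On the wire each label is prefixed by a length byte and there are no dots;
    that byte stream is what a layer7 regex on port-53 traffic is run over.
    """
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    if struct.unpack("!H", packet[4:6])[0] < 1:
        raise ValueError("no question section")
    labels = []
    pos = 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a query QNAME")
        labels.append(packet[pos:pos + length].decode("ascii", errors="replace"))
        pos += length
    return ".".join(labels)


def classify_query(packet: bytes) -> Tuple[str, bool]:
    """Return (decoded QNAME, whether the regex above matches it)."""
    name = parse_qname(packet)
    return name, bool(WINDOWS_DNS_REGEX.search(name))


if __name__ == "__main__":
    # Constructed sample names: two Microsoft names, one unrelated name, and one
    # unrelated name that still matches because the regex is not anchored.
    for qname in ("download.windowsupdate.com", "watson.telemetry.microsoft.com",
                  "example.com", "download.mysite.live"):
        print(classify_query(build_dns_query(qname)))
```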
 
Cablenut9
Long time Member
Topic Author
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: "TLS Host" option doesn't work

Thu Jul 08, 2021 3:46 pm

Now I have a quadruple-whammy setup that is easy on the CPU and the LTE modem. First, I start with rules that redirect ALL traffic on certain ports that only Windows and Apple devices use. If that doesn't work, I match traffic based on address-lists full of IPs and a handful of domains that can't be easily matched with regex. After that, I have rules that match TLS hosts based on known Win/Apple domain patterns. Then, I have a couple of regex rules that match a whole bunch of known Win/Apple domains. However, because ROS can't get the address requested from DNS, all addresses that send DNS packets fitting the regex rules get added to a special address list. I have another rule that redirects TCP port 80/443 traffic from these addresses.
 
pe1chl
Forum Guru
Posts: 10215
Joined: Mon Jun 08, 2015 12:09 pm

Re: "TLS Host" option doesn't work

Thu Jul 08, 2021 5:34 pm

You have to understand that only the (unencrypted!) dns traffic between your Windows Client and the configured DNS Server (I assumed it's the Mikrotik Router) gets inspected/altered. It doesn't matter if you're using DoH on any upstream DNS Resolver.
You didn't even come close to what I'm doing. To stop cellular operators from seeing any unencrypted DNS requests, I set up a hairpin NAT rule to redirect all port-53 DNS to the Mikrotik which has its DNS server, and that server uses DoH over the cellular network that the ISP can see. However, in TLS 1-1.2 and HTTP requests, you can still see the domain in packets so I need some way to stop Windows Update ones from getting routed the usual way, so I just need some method to identify them to send to some VPN tunnel.
I hope you understand that any method that works by identifying the traffic at TLS level (e.g. "tls host" or plain L7) can never be used to send the traffic through a VPN tunnel, no matter how well the identification works.
TLS is not a TCP session setup feature. The client first makes a TCP session, then it sends TLS info across that session. When you catch that, it is too late to setup the TCP session via another path.
 
Cablenut9
Long time Member
Topic Author
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: "TLS Host" option doesn't work

Thu Jul 08, 2021 5:52 pm

When you catch that, it is too late to setup the TCP session via another path.
Technically true, but HTTP(S) has a native 1/RTT feature that automatically restarts the connection if the path changes. And, if it doesn't work, then no data of value would be lost anyway since all I'm matching against is Windows/Apple telemetry and updates.
 
pe1chl
Forum Guru
Posts: 10215
Joined: Mon Jun 08, 2015 12:09 pm

Re: "TLS Host" option doesn't work

Thu Jul 08, 2021 6:35 pm

When the connection restarts you will have lost your identifying work (setting connection mark or routing mark) on that connection.
You would have to use the "add to address list" construct for the destination address. And likely for the next attempt the destination address will be different, so you first need to wait until all available addresses for that name have been tried and added to the address list before the connection will succeed.
That could work for automatic updates, but a manual "check for updates" will have issued an error message by then.
 
Cablenut9
Long time Member
Topic Author
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: "TLS Host" option doesn't work

Thu Jul 08, 2021 6:51 pm

When does a client first send a packet with the TLS host? I forgot how the process works, but if it doesn't send it at first, then I'm definitely going to have to make another address list.
 
pe1chl
Forum Guru
Posts: 10215
Joined: Mon Jun 08, 2015 12:09 pm

Re: "TLS Host" option doesn't work

Thu Jul 08, 2021 7:00 pm

SYN ->
<- ACK SYN
ACK ->
DATA ->
The 4th packet contains the setup of TLS, but I am not sure if that immediately contains the TLS Host or if that is even later in the exchange.

You would have to reject that packet with a TCP RST reply and also add the destination address to your address list.
That still means the other end of the connection (the server at Microsoft/Apple) has a half-open session that it has to time out.
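A worked illustration of the point pe1chl makes above, added here as example code (not from the thread or from RouterOS): the only thing a "tls host" style matcher has to work with is the server_name extension inside the ClientHello, and the ClientHello is the first data the client sends after the SYN / SYN-ACK / ACK exchange. The ClientHello below is constructed (fixed random, one cipher suite); the field offsets follow the TLS record and handshake layout, and the extractor returns None when the record is not a ClientHello, carries no server_name extension, or is truncated.

```python
import struct
from typing import Optional


def build_client_hello(server_name: Optional[str], version: bytes = b"\x03\x03") -> bytes:
    """Construct a minimal TLS ClientHello record (test input; not a real client)."""
    exts = b""
    if server_name is not None:
        host = server_name.encode("idna")
        sni_entry = b"\x00" + struct.pack("!H", len(host)) + host  # name_type 0 = host_name
        sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
        exts += struct.pack("!HH", 0, len(sni_list)) + sni_list  # extension type 0 = server_name
    body = (
        version
        + b"\x11" * 32                          # client random (fixed, constructed)
        + b"\x00"                               # empty session id
        + struct.pack("!H", 2) + b"\x13\x01"    # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                           # one compression method: null
        + struct.pack("!H", len(exts)) + exts
    )
    # Handshake header: type 1 = ClientHello, 3-byte length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content type 22 = handshake, version, 2-byte length
    return b"\x16" + version + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data: bytes) -> Optional[str]:
    """Return the host_name carried in the ClientHello's server_name extension, or None.

    This is the whole information a tls-host matcher has: if it is absent from the
    first data packet there is nothing later in the stream that names the host.
    """
    if len(data) < 5 or data[0] != 0x16:
        return None  # not a TLS handshake record (plain HTTP, QUIC, ...)
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None  # handshake record, but not a ClientHello
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    try:
        pos = 2 + 32                                  # skip client_version and random
        pos += 1 + body[pos]                          # session id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
        pos += 1 + body[pos]                          # compression methods
        if pos >= len(body):
            return None                               # no extensions block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype != 0:
                continue
            # ServerNameList: list_len(2), then entries of name_type(1) len(2) name
            lpos = 2
            while lpos + 3 <= len(edata):
                ntype = edata[lpos]
                nlen = struct.unpack("!H", edata[lpos + 1:lpos + 3])[0]
                lpos += 3
                if ntype == 0:
                    return edata[lpos:lpos + nlen].decode("ascii")
                lpos += nlen
        return None
    except (IndexError, struct.error):
        return None  # truncated ClientHello


if __name__ == "__main__":
    print(extract_sni(build_client_hello("download.windowsupdate.com")))  # the matcher's input
    print(extract_sni(build_client_hello(None)))                           # no SNI: None
    print(extract_sni(b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"))   # not TLS: None
```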
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: "TLS Host" option doesn't work

Thu Jul 08, 2021 7:01 pm

TCP does not "send" packets like UDP.
TCP establishes a connection between two devices, then sends packets between the devices.
Only the first 4k (?) of the connection are "visible" to layer 7 / TLS host (not 1.3+); the rest is an "established" connection.
The firewall with connection tracking keeps the connection alive (also when NAT is used), even if you change routing or NAT rules.
The next route is taken on the next new TCP connection...


edit: underlined part
Last edited by rextended on Thu Jul 08, 2021 7:16 pm, edited 2 times in total.
 
Cablenut9
Long time Member
Topic Author
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: "TLS Host" option doesn't work

Thu Jul 08, 2021 7:11 pm

So, here's a new plan: Match TLS hosts and the action is to jump to a custom chain. This custom chain has rules that simply add both the source and destination to address lists. Later in the prerouting chain, have a rule that matches these address lists and marks routes as going to the VPN.
 
Cablenut9
Long time Member
Topic Author
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: "TLS Host" option doesn't work

Thu Jul 08, 2021 8:48 pm

you would have to reject that packet with a TCP RST reply and also add the destination address to your address list.
I already added the destination address to the address list, but I can't think of a good way to send a TCP RST. Is there some feature or hack in ROS that can do this?
 
pe1chl
Forum Guru
Posts: 10215
Joined: Mon Jun 08, 2015 12:09 pm

Re: "TLS Host" option doesn't work

Thu Jul 08, 2021 8:53 pm

In a filter rule configured for protocol tcp, you can reject a packet with tcp rst.
 
Cablenut9
Long time Member
Topic Author
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: "TLS Host" option doesn't work

Thu Jul 08, 2021 9:02 pm

Does this setup look good?
/ip firewall mangle
add action=jump chain=prerouting comment=*xbox*.com dst-port=80,443 jump-target=tls protocol=tcp tls-host=*xbox*.com
add action=jump chain=prerouting comment=*a-msedge.net dst-port=80,443 jump-target=tls protocol=tcp tls-host=*a-msedge.net
add action=return chain=tls comment="return packets if the hosts are already marked" dst-address-list=tls_dst_host src-address-list=tls_src_host
add action=add-src-to-address-list address-list=tls_src_host address-list-timeout=10m chain=tls
add action=add-dst-to-address-list address-list=tls_dst_host address-list-timeout=10m chain=tls
add action=mark-connection chain=tls new-connection-mark=tls_disconnect passthrough=yes
add action=return chain=tls
add action=mark-routing chain=prerouting dst-address-list=tls_dst_host new-routing-mark=vpn passthrough=no src-address-list=tls_src_host
/ip firewall filter
add action=reject chain=forward comment="reset tcp connections which have just been marked with tls" connection-mark=tls_disconnect protocol=tcp reject-with=tcp-reset
 
Cablenut9
Long time Member
Topic Author
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: "TLS Host" option doesn't work

Fri Jul 09, 2021 4:42 am

route them via vpn like so:
/ip firewall mangle
add action=mark-connection chain=prerouting dst-address-list=windows_update new-connection-mark=\
    c_windows_update passthrough=yes
add action=mark-packet chain=prerouting connection-mark=c_windows_update \
    new-packet-mark=p_windows_update passthrough=yes
add action=mark-routing chain=prerouting new-routing-mark=VPN packet-mark=p_windows_update passthrough=no
Why should I do it in three steps? If I just mark the connection then mark all the connection's packets, then that's simpler. Also, I noticed in the Mik Wiki they included connection-state=new in the rules that are similar to this. Should I include that as well?
 
john4669
Frequent Visitor
Posts: 58
Joined: Mon Oct 23, 2017 8:35 pm

Re: "TLS Host" option doesn't work

Wed Apr 19, 2023 3:25 am

TLS Host matcher doesn't work with TLS1.3+.
And what have I written?

Your solution is useless because in the near future DoH and DoT will be used...

Indeed, they already use them...
Sorry to reply to an old thread but I found this a while back that has taken care of most of the DoH and DoT issues:
https://github.com/Trigus42/Block-Secur ... ster/Lists

I also block QUIC and the standard DoT port 853:
/ip firewall filter
add action=drop chain=forward comment="Block QUIC" dst-port=80,443 protocol=udp
add action=drop chain=forward comment="Block DoT DNS" dst-port=853 protocol=tcp
