logankuo
just joined
Topic Author
Posts: 4
Joined: Thu Oct 08, 2020 5:47 pm

Feature Request: Address List use Wildcard FQDN

Mon Aug 02, 2021 5:46 pm

The address list can use an FQDN as address. Can we use a wildcard or regex FQDN?

like a:
/ip firewall address-list
add address=*.example.net list=example.net

I guess we can use the methods below to get the addresses:
1. DNS cache (ROS as DNS relay)
2. trust DNS replies (ROS resolves specific DNS reply messages)

It will be useful for setting firewall rules or policy-based routing.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature Request: Address List use Wildcard FQDN

Mon Aug 02, 2021 5:53 pm

I think it is too late to add that kind of "trick" as "everyone" is switching to DoH and DoT and that makes this impossible.
And of course a lookup of *.example.net to obtain the addresses for the list is impossible.
 
Cablenut9
Long time Member
Long time Member
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: Feature Request: Address List use Wildcard FQDN

Mon Aug 02, 2021 5:54 pm

I think it is too late to add that kind of "trick" as "everyone" is switching to DoH and DoT and that makes this impossible.
Unless you block all DoH servers in the firewall :)
 
rextended
Forum Guru
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Feature Request: Address List use Wildcard FQDN

Mon Aug 02, 2021 6:45 pm

@pe1chl let me explain why you are right and the OP request is real nonsense!!!

If some wildcard is used, just one "dot" for example, RouterOS, to do what you want, must try all valid DNS characters like:
1.google.it, 2.google.it .... a.google.it, b.google.it ... y.google.it, z.google.it
then with one single wildcard character it must do 40 DNS requests.
If something like a "*" wildcard is added, RouterOS must try from
1.google.it
to
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz.google.it
to do that, it must do (243 positions with 40 possible values each position = 40^253 =) ~2*10^405 DNS queries

Just 2*10^405 DNS queries, for each wildcard DNS on the address list..
The number of atoms in the universe is like 10^82...

very feasible, no?
 
logankuo
just joined
Topic Author
Posts: 4
Joined: Thu Oct 08, 2020 5:47 pm

Re: Feature Request: Address List use Wildcard FQDN

Sat Aug 07, 2021 8:06 am

I think it is too late to add that kind of "trick" as "everyone" is switching to DoH and DoT and that makes this impossible.
And of course a lookup of *.example.net to obtain the addresses for the list is impossible.
DoH may be a trend. Almost every device/software is starting to support it, but it is not enabled by default at all now.
I think this feature can be useful for a long time.

@pe1chl let me explain why you are right and the OP request is real nonsense!!!

If some wildcard is used, just one "dot" for example, RouterOS, to do what you want, must try all valid DNS characters like:
1.google.it, 2.google.it .... a.google.it, b.google.it ... y.google.it, z.google.it
then with one single wildcard character it must do 40 DNS requests.
If something like a "*" wildcard is added, RouterOS must try from
1.google.it
to
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz.google.it
to do that, it must do (243 positions with 40 possible values each position = 40^253 =) ~2*10^405 DNS queries

Just 2*10^405 DNS queries, for each wildcard DNS on the address list..
The number of atoms in the universe is like 10^82...

very feasible, no?
So I found DNS cache or listening to DNS replies. I think that is better than brute force.
 
rextended
Forum Guru
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Feature Request: Address List use Wildcard FQDN

Sat Aug 07, 2021 11:12 am

Using the DNS cache to populate a firewall address-list is already possible.
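The "DNS cache" method mentioned in the opening post and confirmed here can be done today with a scheduled RouterOS script. The script below is an added example, not code from this thread or from MikroTik: it walks the router's DNS cache, picks every cached name ending in a chosen suffix (the effect of "*.example.net"), and adds the resolved address to an address list with the record's own TTL as timeout. It assumes the router is the clients' DNS server (allow-remote-requests=yes) and uses the RouterOS v6 cache field names (name, address, ttl); the suffix and list name are placeholders.

```routeros
# Added example (not the thread's or MikroTik's own code).
# Populate firewall address-list "example.net" from every DNS cache entry
# whose name ends in ".example.net". Assumes RouterOS v6 field names
# for /ip dns cache entries: name, address, ttl.
:local suffix ".example.net"
:local listName "example.net"
:local slen [:len $suffix]

:foreach entry in=[/ip dns cache find] do={
    :local name [/ip dns cache get $entry name]
    :local addr [/ip dns cache get $entry address]
    :local ttl  [/ip dns cache get $entry ttl]
    :local nlen [:len $name]

    # Suffix match: name must be longer than the suffix and end with it,
    # so "www.example.net" matches but "example.net.evil.test" does not.
    :if ($nlen > $slen && [:pick $name ($nlen - $slen) $nlen] = $suffix) do={
        :local existing [/ip firewall address-list find where list=$listName and address=$addr]
        :if ([:len $existing] = 0) do={
            # New address: let it expire with the cached record's TTL so
            # stale addresses drop out of the list without manual cleanup.
            /ip firewall address-list add list=$listName address=$addr timeout=$ttl comment=$name
        } else={
            # Already listed: refresh the timeout instead of adding a duplicate.
            /ip firewall address-list set $existing timeout=$ttl
        }
    }
}
```

Run it from /system scheduler at an interval shorter than the TTLs you expect (one minute is typical) so entries are refreshed before they time out. The limitation pe1chl raises applies here unchanged: only names that clients resolve through the router appear in its cache, so anything resolved over DoH or DoT directly from the client never reaches the list.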
 
logankuo
just joined
Topic Author
Posts: 4
Joined: Thu Oct 08, 2020 5:47 pm

Re: Feature Request: Address List use Wildcard FQDN

Wed Aug 11, 2021 3:29 am

Using the DNS cache to populate a firewall address-list is already possible.
Do you mean using a script to do this, or a ROS feature?
 
rextended
Forum Guru
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Feature Request: Address List use Wildcard FQDN

Wed Aug 11, 2021 3:36 am

The 1st
