Community discussions

MikroTik App
 
User avatar
ploquets
Member Candidate
Member Candidate
Topic Author
Posts: 162
Joined: Tue Nov 17, 2015 12:49 pm
Location: Uruguaiana, RS, Brazil
Contact:

Filter Content in Firewall with DOT (.) in string

Fri Sep 03, 2021 3:44 am

Hello

I want to match DNS content with the content filter in advanced firewall rule tab.

But when I use with some dot, like,
example.com
it stops to match the string.
Sometimes it matches, but much less than normal scenario.

If I tried to use regex, like
example\.com
things get even worse.

Do someone know how to use dot in content filtering?
Last edited by ploquets on Sat Sep 04, 2021 2:21 am, edited 2 times in total.
 
sindy
Forum Guru
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Filter Content in Firewall with DOT (.) in string

Fri Sep 03, 2021 4:57 pm

It doesn't work because the dot symbol is not actually present in the DNS query - the FQDNs are encoded in a rather complicated way, see the RFC for DNS for details. There are multiple topics regarding this here on the forum, e.g, this post gives you a hint.
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Filter Content in Firewall with DOT (.) in string

Fri Sep 03, 2021 5:18 pm

For non-dns traffic you could try example\\.com
 
User avatar
ploquets
Member Candidate
Member Candidate
Topic Author
Posts: 162
Joined: Tue Nov 17, 2015 12:49 pm
Location: Uruguaiana, RS, Brazil
Contact:

Re: Filter Content in Firewall with DOT (.) in string

Sat Sep 04, 2021 2:49 am

It doesn't work because the dot symbol is not actually present in the DNS query - the FQDNs are encoded in a rather complicated way, see the RFC for DNS for details. There are multiple topics regarding this here on the forum, e.g, this post gives you a hint.
When I try to use the example from the thread you linked, its not working as well.
Maybe there is difference between using L7 Filters and Content Filter
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Filter Content in Firewall with DOT (.) in string

Sat Sep 04, 2021 3:28 am

Content filter parameter can be only a string, and on dns packet the dot do "not exist".
Understand this?


Layer7 filter can be a POSIX RegEx like (I do not write that filter!!!...)
^.?.?.?.?[\x01\x02].?.?.?.?.?.?[\x01-?][a-z0-9][\x01-?a-z]*[\x02-\x06][a-z][a-z][a-z]?[a-z]?[a-z]?[a-z]?[a-z]?[a-z]?[a-z]?[a-z]?[a-z]?[a-z]?[a-z]?[\x01-\x10\x1C][\x01-\x04\xFF]


TLS host matcher can be a POSIX RegEx like
(^|\.)youtube\.com$
 
User avatar
ploquets
Member Candidate
Member Candidate
Topic Author
Posts: 162
Joined: Tue Nov 17, 2015 12:49 pm
Location: Uruguaiana, RS, Brazil
Contact:

Re: Filter Content in Firewall with DOT (.) in string

Mon Sep 06, 2021 10:09 pm

Content filter parameter can be only a string, and on dns packet the dot do "not exist".
Understand this?
So what that means? Should I use space instead of dot ?
Last edited by ploquets on Thu Sep 09, 2021 10:25 pm, edited 1 time in total.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Filter Content in Firewall with DOT (.) in string

Mon Sep 06, 2021 10:22 pm

As @sindy already answer you on post #2 (!)
Inside the dns packet the dot between fields do not exist (like the dot in www.youtube.com)
Exist only if the field is exactly 46 characters long like:

³www .this-string-have-a-lenght-fourtysix-characters ³com

And the space exist only if a field with exactly 32 characters exist, like:

³www (space)string-with-lenght-of-thirty-two ³com

i have used the ³ sign because the character wit hex code 03 is not representable.
HEX 3 = ETX (Ctrl-C) END OF TEXT
Last edited by rextended on Mon Sep 06, 2021 10:27 pm, edited 1 time in total.
 
sindy
Forum Guru
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Filter Content in Firewall with DOT (.) in string

Mon Sep 06, 2021 10:27 pm

No. You have to use a byte whose value is the length of the subsequent part of the domain name, example:

\08somename\03com

I don't remember the encoding of byte values exactly, I just remember it differs between regexp (used in layer7 rules) and contents. Check the manual.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Filter Content in Firewall with DOT (.) in string  [SOLVED]

Mon Sep 06, 2021 10:31 pm

You have already wrote how are encoded, but on winbox you can not insert special characters like the character "\08", but can be added on CLI like:
add action=log chain=prerouting content="\03www\06google\03com"
 
User avatar
ploquets
Member Candidate
Member Candidate
Topic Author
Posts: 162
Joined: Tue Nov 17, 2015 12:49 pm
Location: Uruguaiana, RS, Brazil
Contact:

Re: Filter Content in Firewall with DOT (.) in string

Thu Sep 09, 2021 10:28 pm

No. You have to use a byte whose value is the length of the subsequent part of the domain name, example:
\08somename\03com


But is it "\x08" or only "\08" ?
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Filter Content in Firewall with DOT (.) in string

Thu Sep 09, 2021 10:29 pm

(duplicate)
Last edited by rextended on Thu Sep 09, 2021 10:32 pm, edited 1 time in total.
 
User avatar
ploquets
Member Candidate
Member Candidate
Topic Author
Posts: 162
Joined: Tue Nov 17, 2015 12:49 pm
Location: Uruguaiana, RS, Brazil
Contact:

Re: Filter Content in Firewall with DOT (.) in string

Thu Sep 09, 2021 10:29 pm

Check the manual.

Which manual do you reffer?
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Filter Content in Firewall with DOT (.) in string

Thu Sep 09, 2021 10:33 pm

Read my example on my previous post #9
viewtopic.php?f=2&t=178151#p877609
 
User avatar
ploquets
Member Candidate
Member Candidate
Topic Author
Posts: 162
Joined: Tue Nov 17, 2015 12:49 pm
Location: Uruguaiana, RS, Brazil
Contact:

Re: Filter Content in Firewall with DOT (.) in string

Thu Sep 09, 2021 10:39 pm

add action=log chain=prerouting content="\03www\06google\03com"
OOWWW I see, when I tried to insert using terminal, the code gets different when viewing in winbox.
Got it.
Last edited by ploquets on Fri Sep 10, 2021 2:27 am, edited 1 time in total.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Filter Content in Firewall with DOT (.) in string

Thu Sep 09, 2021 10:40 pm

You understand why now ;)
but on winbox you can not insert special characters like the character "\08", but can be added on CLI
On all regex field and on terminal, RouterOS support only \1F hexadecimal characters rapresentation,
with hexadecimal letters uppercase and without the "x" (like wrong \x1F for RouterOS)

But you can use 0x for hexadecimal numbers on scripts, like:
:put (1 + 0x1F)
32
 
User avatar
ploquets
Member Candidate
Member Candidate
Topic Author
Posts: 162
Joined: Tue Nov 17, 2015 12:49 pm
Location: Uruguaiana, RS, Brazil
Contact:

Re: Filter Content in Firewall with DOT (.) in string

Fri Sep 10, 2021 2:42 am

You understand why now ;)
but on winbox you can not insert special characters like the character "\08", but can be added on CLI
On all regex field and on terminal, RouterOS support only \1F hexadecimal characters rapresentation,
with hexadecimal letters uppercase and without the "x" (like wrong \x1F for RouterOS)

But you can use 0x for hexadecimal numbers on scripts, like:
:put (1 + 0x1F)
32

How can I match content with hex DNS flags ?
like 0x8105 which means Refused ?

only contents="\8105" ?
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Filter Content in Firewall with DOT (.) in string

Fri Sep 10, 2021 2:50 am

please explain, i do not have understand what you want do.

0x8105 are two bytes, 0x81 and 0x05
the conversion is "\81\05", but if on the field on the packet is on reverse order is "\05\81"
 
User avatar
ploquets
Member Candidate
Member Candidate
Topic Author
Posts: 162
Joined: Tue Nov 17, 2015 12:49 pm
Location: Uruguaiana, RS, Brazil
Contact:

Re: Filter Content in Firewall with DOT (.) in string

Fri Sep 10, 2021 3:09 am

please explain, i do not have understand what you want do.

0x8105 are two bytes, 0x81 and 0x05
the conversion is "\81\05", but if on the field on the packet is on reverse order is "\05\81"
Trying to achieve the objective to drop responses with DNS Refused, as RFC1035 inform us.

The code is suposed to be 5
https://www.rfc-editor.org/rfc/rfc1035#section-4.1.1 -> see page 27

I see this 0x81 in some anti DDoS systems, like NSFocus. I guess is because (see page 26,27):

8 = RA
Recursion Available - this be is set or cleared in a response, and denotes whether recursive query support is available in the name server.

1 = QR
A one bit field that specifies whether this message is a query (0), or a response (1).

But I don't know if I am correct.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Filter Content in Firewall with DOT (.) in string

Fri Sep 10, 2021 3:14 am

RA is not 8, is th 8th bit set to 1
IS too late to explain better, but the 2 BYTEs are
10000000 10000101 = 80 85
 
User avatar
ploquets
Member Candidate
Member Candidate
Topic Author
Posts: 162
Joined: Tue Nov 17, 2015 12:49 pm
Location: Uruguaiana, RS, Brazil
Contact:

Re: Filter Content in Firewall with DOT (.) in string

Fri Sep 10, 2021 3:19 am

RA is not 8, is th 8th bit set to 1
IS too late to explain better, but the 2 BYTEs are
10000000 10000101 = 80 85
I'm trying to understand how to block this messages:
https://routley.io/posts/hand-writing-dns-messages/

This blog kinda helps.
 
User avatar
ploquets
Member Candidate
Member Candidate
Topic Author
Posts: 162
Joined: Tue Nov 17, 2015 12:49 pm
Location: Uruguaiana, RS, Brazil
Contact:

Re: Filter Content in Firewall with DOT (.) in string

Sat Sep 24, 2022 10:24 pm

@rextended
Can you please help me how to match DNS answers which has QTYPE (query type) = 255 (FF in HEX) ?

I've tried to match with content="\00\f\f" but this is not working.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Filter Content in Firewall with DOT (.) in string

Sun Sep 25, 2022 4:20 am

why \f\f ??

\f\f = \0f \0f

FF is \ff


QTYPE 255 is \00\FF and on reverse order \FF\00

Who is online

Users browsing this forum: GoogleOther [Bot], lurker888, tangent and 58 guests