haldepoorter
just joined
Topic Author
Posts: 6
Joined: Fri Feb 28, 2014 4:45 pm

Adding certain DNS answers to an address list, switch mode!

Mon Mar 10, 2014 1:41 pm

Hello,

I'm looking for a solution to read DNS traffic and reroute it before the client receives the answer (or, if that is not possible, to add it to an address list so it can be rerouted next time).
But here's the thing: it has to be done as a "switch", so all packets have to pass as if the MikroTik wasn't there, except those packets I want to reroute (no DHCP, NAT, redirects, ...).

So I'm using a MikroTik 450G:
WAN on ether3.
Client on ether2, "switched" to ether3.

Let's say I want to reroute netflix.com. So if a DNS request for netflix passes, the answer has to be read and the IP address added to an address list.
Then I can do with those addresses what I want.

I've tried it by adding a firewall rule that redirects all UDP traffic containing "netflix" to port 53, and then running a script which adds it from the DNS cache list.
This works, but I need to be able to do it without the firewall rule.

Is there a way I can read/save the DNS cache without firewall rules? Or is there another way to get these DNS answers into an address list?
If yes, can I trigger my script on DNS traffic that passes?
This is my script:
# Walk the router's DNS cache and copy every resolved address whose name
# contains "netflix" into the firewall address list "netflix".
:foreach i in=[/ip dns cache find] do={
    :local name [/ip dns cache get $i name];
    :if ([:find $name "netflix"] > -1) do={
        :local address [/ip dns cache get $i address];
#       :log info $address;
        # Only add addresses not already on the list: adding a duplicate
        # entry fails with an error, which would abort the rest of the loop.
        :if ([:len [/ip firewall address-list find list=netflix address=$address]] = 0) do={
            /ip firewall address-list add address=$address list=netflix comment=$name;
        }
    }
}
Thanks!!
NAB
Trainer
Posts: 503
Joined: Tue Feb 10, 2009 4:08 pm
Location: UK

Re: Adding certain DNS answers to an address list, switch mo

Mon Mar 10, 2014 2:45 pm

it has to be done as a "switch"
This is not possible.
Any traffic travelling from port to port where those ports are set to switch will not travel through the CPU and therefore cannot be subject to any rules.
There is a way of doing what you require by using a bridge. Create a bridge. Put the two ports in the bridge and enable 'use IP firewall' on the bridge. Now all the traffic passes through the bridge (and therefore through the CPU) and you can run whatever rules you like on it.
Nicholas Barnes BSc(hons)
Certified Mikrotik Consultant
Certified Mikrotik Trainer

Vitell - Asterisk, Linux and network consultants
Unofficial IRC channel: #routerboard on irc.z.je
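The bridge setup NAB describes, written out as RouterOS commands. This is an added example, not configuration from the thread or from MikroTik; the interface names ether2/ether3 follow the original post, the bridge name and the counting rule are assumptions, and the master-port step is the RouterOS 6.x syntax that matches the 2014 date of the thread (in 6.41 and later, hardware switching is instead the hw= setting on the bridge port):

```routeros
# Added example: make the ether2/ether3 pair a bridge whose traffic passes
# the CPU, so that /ip firewall rules can see it.

# 1. Undo hardware switching: ether2 must no longer be a slave of ether3,
#    otherwise frames are forwarded by the switch chip and never reach the CPU.
/interface ethernet set ether2 master-port=none

# 2. Create the bridge and put both ports in it. protocol-mode=none keeps
#    STP out of the picture for a simple two-port pass-through.
/interface bridge add name=bridge-lan protocol-mode=none
/interface bridge port add bridge=bridge-lan interface=ether2
/interface bridge port add bridge=bridge-lan interface=ether3

# 3. Send bridged IP traffic through /ip firewall (filter, nat and mangle).
/interface bridge settings set use-ip-firewall=yes

# 4. Check: a rule that only counts DNS answers crossing the bridge. If its
#    packet counter rises while a client resolves names, the traffic is now
#    visible to the firewall and the rest of the setup can be built on it.
/ip firewall filter add chain=forward in-interface=bridge-lan protocol=udp src-port=53 action=passthrough comment="count DNS answers crossing bridge-lan"
```

Use `/ip firewall filter print stats` to read the counter; a rule with `action=passthrough` never blocks anything, so it is safe to leave in place while testing. Note that pushing the traffic through the CPU costs throughput on a RB450G compared with the switch chip, which is the trade-off for being able to match on it at all.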
 
haldepoorter
just joined
Topic Author
Posts: 6
Joined: Fri Feb 28, 2014 4:45 pm

Re: Adding certain DNS answers to an address list, switch mo

Mon Mar 10, 2014 3:50 pm

Ok, so I need to use a bridge. Makes sense.
But I still need to find a way to read the DNS request/answer, and I need to be able to save the answers.
Any ideas on that part? :)

Thanks!
NAB
Trainer
Posts: 503
Joined: Tue Feb 10, 2009 4:08 pm
Location: UK

Re: Adding certain DNS answers to an address list, switch mo

Wed Mar 12, 2014 12:46 pm

Any ideas on that part? :)
I guess I'd have to ask what it is you're trying to achieve.
Nicholas Barnes BSc(hons)
Certified Mikrotik Consultant
Certified Mikrotik Trainer

Vitell - Asterisk, Linux and network consultants
Unofficial IRC channel: #routerboard on irc.z.je
 
haldepoorter
just joined
Topic Author
Posts: 6
Joined: Fri Feb 28, 2014 4:45 pm

Re: Adding certain DNS answers to an address list, switch mo

Thu Apr 10, 2014 3:03 pm

I'll try to be more specific. :)
I want to be able to let certain client requests go through a VPN IPsec tunnel to another server so that the content can be accessed from there.
Example:
The client surfs to a page (e.g. www.amazon.com). Amazon is not reachable from inside the office, so I want to read the DNS request that passes through the MikroTik (because the DNS resolve does pass) and add that IP address (which I get from the resolved answer) to an amazon address list. Then I can use that address list to force all traffic to amazon.com through a VPN IPsec tunnel to another server outside the office, from where amazon is reachable.

Does that make more sense?
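The collection step of what the poster describes, generalised to several services at once: a script that copies resolved A records from the router's DNS cache into one address list per name pattern and lets each entry expire with the record's TTL, so addresses that a CDN stops using drop out of the list by themselves. This is an added example, not code from the thread or from MikroTik. It assumes RouterOS 6 scripting, the pattern/list names "netflix" and "amazon", and, crucially, that the router actually resolves the names: the cache is only populated when clients use the router as their DNS server (or when DNS is redirected to it, which is the firewall rule the poster wants to avoid). Routing the listed addresses into the IPsec tunnel is a separate step not shown here.

```routeros
# Added example: refresh per-service address lists from the DNS cache.
# Save as /system script "dns-to-address-list" and run it from
# /system scheduler every minute (interval=1m); names are assumptions.

# name pattern -> address list that should receive matching addresses
:local patterns {"netflix"="netflix"; "amazon"="amazon"}

:foreach i in=[/ip dns cache find] do={
    :local name [/ip dns cache get $i name]
    :local address [/ip dns cache get $i address]
    :local ttl [/ip dns cache get $i ttl]

    :foreach pattern,listname in=$patterns do={
        # :find returns nil when the pattern does not occur in the name
        :if ([:typeof [:find $name $pattern]] != "nil") do={
            :local existing [/ip firewall address-list find list=$listname address=$address]
            :if ([:len $existing] = 0) do={
                # New address: add it with a timeout equal to the DNS TTL so
                # it expires together with the record it came from.
                /ip firewall address-list add list=$listname address=$address comment=$name timeout=$ttl
            } else={
                # Already listed: adding again would fail with a duplicate
                # error, so only push the expiry forward.
                /ip firewall address-list set $existing timeout=$ttl
            }
        }
    }
}
```

Two things to check after the first scheduler runs: `/ip firewall address-list print where list=amazon` should show entries with a shrinking timeout, and `/ip dns cache print` should contain the names you expect; if the cache is empty while clients are browsing, the router is not the resolver and the script has nothing to read.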
