jaxed8
Member Candidate
Topic Author
Posts: 195
Joined: Tue Jul 27, 2021 8:25 pm

DNS query resolved IPs only for some clients

Sat Jul 30, 2022 11:18 pm

Hello everyone
So I have some clients in my network that use VPNs like Psiphon, which connect over ports like 443 and 80 which I cannot block, and also their list of servers is large, so I cannot monitor and block the server IPs one by one. So I was wondering if there is a way to block all the IPs for those clients except the ones resolved from the DNS server (my router is the internal DNS server for the clients). In this way a client sends a DNS query request for mikrotik.com and the answer is IP 449.459.459.555, and they can communicate with this IP because it came from a DNS query request reply, but if the same client wants to communicate with IP 567.564.510.945 they can't, because it wasn't a DNS query request reply.
Is it possible :) ?
Thank you very much for any help
Last edited by jaxed8 on Mon Aug 01, 2022 6:37 am, edited 1 time in total.
 
jaxed8
Member Candidate
Topic Author
Posts: 195
Joined: Tue Jul 27, 2021 8:25 pm

Re: Limit Dst IPs of few LAN device

Mon Aug 01, 2022 4:01 am

I use pi-hole and unbound
Last edited by jaxed8 on Mon Aug 01, 2022 6:39 am, edited 1 time in total.
 
jaxed8
Member Candidate
Topic Author
Posts: 195
Joined: Tue Jul 27, 2021 8:25 pm

Re: DNS query resolved IPs only for some clients

Mon Aug 01, 2022 6:38 am

Any idea?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: DNS query resolved IPs only for some clients

Mon Aug 01, 2022 8:08 am

Is it possible :) ?
It is possible but useless. If you redirect any DNS queries towards port 53 on any IP address to the PiHole, the clients can still use DoH (DNS over HTTPS) to do their queries.
 
jaxed8
Member Candidate
Topic Author
Posts: 195
Joined: Tue Jul 27, 2021 8:25 pm

Re: DNS query resolved IPs only for some clients

Tue Aug 02, 2022 2:07 am

Is it possible :) ?
It is possible but useless. If you redirect any DNS queries towards port 53 on any IP address to the PiHole, the clients can still use DoH (DNS over HTTPS) to do their queries.
@sindy
Yeah, but not all of them know how to set it up.

I use this set of rules to block them, but I know it won't work for DoH (I use it mostly to block cellphones' DNS failover).

/ip firewall filter
add action=drop chain=forward comment="BLOCK OTHER DNS SERVERS with bypass option" dst-address=!192.168.1.111 dst-address-list="!Bypass DNS blocking" port=53 protocol=tcp src-address-list="!Bypass DNS blocking"
add action=drop chain=forward dst-address=!192.168.1.111 dst-address-list="!Bypass DNS blocking" port=53 protocol=udp src-address-list="!Bypass DNS blocking"
add action=accept chain=forward comment="BLOCK OTHER DNS SERVERS with bypass option (To make sure the above rules are tight and filtering (blocking) all the packets)" dst-address=1.1.1.1 port=53 protocol=udp src-address-list="Bypass DNS blocking"
add action=accept chain=forward dst-address=1.0.0.1 port=53 protocol=udp src-address-list="Bypass DNS blocking"
add action=accept chain=forward dst-address-list="Bypass DNS blocking" port=53 protocol=udp src-address=1.1.1.1
add action=accept chain=forward dst-address-list="Bypass DNS blocking" port=53 protocol=udp src-address=1.0.0.1
add action=drop chain=forward dst-address-list="!Bypass DNS blocking" port=53 protocol=tcp src-address=!192.168.11.111
add action=drop chain=forward dst-address=!192.168.1.111 port=53 protocol=tcp src-address-list="!Bypass DNS blocking"
add action=drop chain=forward dst-address-list="!Bypass DNS blocking" port=53 protocol=udp src-address=!192.168.11.111
add action=drop chain=forward dst-address=!192.168.1.111 port=53 protocol=udp src-address-list="!Bypass DNS blocking"
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: DNS query resolved IPs only for some clients

Tue Aug 02, 2022 2:25 am

@sindy
Yeah, but not all of them know how to set it up.
Set it up???
It's the new default on browsers; final users are required to be dummies and not do anything...
Google & Co. give their best to get their hands on the DNS,
and no one protests with the stupid flag of privacy...
Pot calling the kettle black...
 
jaxed8
Member Candidate
Topic Author
Posts: 195
Joined: Tue Jul 27, 2021 8:25 pm

Re: DNS query resolved IPs only for some clients

Wed Aug 03, 2022 1:41 am

I know but just stopping them from connecting to the VPN servers is enough that's why I'm looking for a solution.
 
jaxed8
Member Candidate
Topic Author
Posts: 195
Joined: Tue Jul 27, 2021 8:25 pm

Re: DNS query resolved IPs only for some clients

Wed Aug 03, 2022 6:41 pm

@Sindy
You said it is possible, any hint/guide for me on how to implement it?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: DNS query resolved IPs only for some clients

Wed Aug 03, 2022 8:41 pm

/ip firewall nat
add chain=dstnat in-interface=the-client-facing-one protocol=udp dst-port=53 action=dst-nat to-addresses=ip.of.pi.hole
add chain=dstnat in-interface=the-client-facing-one protocol=tcp dst-port=53 action=dst-nat to-addresses=ip.of.pi.hole


this will work if the pihole is in another subnet than the clients, which is a preferred configuration; otherwise look for hairpin NAT here on the forum.
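
As an added example (not sindy's configuration and not from the original thread), the redirect above extended for the case sindy flags, where the PiHole sits in the same subnet as the clients: the PiHole's own upstream lookups are exempted so unbound's queries are not looped back into the PiHole, and a hairpin masquerade makes the replies return through the router so the client sees them coming from the address it queried. The bridge name, the client subnet and the PiHole address are assumptions.

```routeros
# Added example, not from the thread. Assumed: LAN bridge "bridge-lan",
# client subnet 192.168.1.0/24, PiHole at 192.168.1.111 (the address the
# poster's filter rules refer to), PiHole on the same bridge as the clients.
/ip firewall address-list
add list=dns-redirect-exempt address=192.168.1.111 comment="PiHole itself: its unbound upstream queries must not be redirected back to it"

/ip firewall nat
# Redirect every client DNS query (UDP and TCP 53) to the PiHole, except queries from the PiHole.
add chain=dstnat in-interface=bridge-lan src-address-list=!dns-redirect-exempt protocol=udp dst-port=53 action=dst-nat to-addresses=192.168.1.111 comment="force DNS to PiHole"
add chain=dstnat in-interface=bridge-lan src-address-list=!dns-redirect-exempt protocol=tcp dst-port=53 action=dst-nat to-addresses=192.168.1.111 comment="force DNS to PiHole"
# Hairpin: with client and PiHole in one subnet the PiHole would answer the client directly,
# and the client would drop a reply that does not come from the address it asked. Masquerading
# the redirected packets sends the reply back via the router, which undoes both translations.
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.111 out-interface=bridge-lan protocol=udp dst-port=53 action=masquerade comment="hairpin for redirected DNS"
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.111 out-interface=bridge-lan protocol=tcp dst-port=53 action=masquerade comment="hairpin for redirected DNS"
```

The PiHole exemption matters because the thread's PiHole runs unbound, whose recursive queries also go to port 53 and would otherwise be caught by the redirect.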
