hekep
just joined
Topic Author
Posts: 8
Joined: Thu Sep 15, 2022 10:21 am

Ultimate-Hosts-Blacklist to static DNS

Thu Sep 15, 2022 10:27 am

Hello,

I want to add the entire list of blacklisted domains to MikroTik static DNS.
On GitHub there is:
https://github.com/Ultimate-Hosts-Blacklist

There is a Linux install script:
https://github.com/Ultimate-Hosts-Black ... staller.sh

Linux /etc/hosts would look like this:
https://hosts.ubuntu101.co.za/hosts

How do I get this into MikroTik static DNS? And it would be even better if it did this nightly.

I see there are these commands:

/ip dns static add address=127.0.0.1 name=pornhub.com
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Ultimate-Hosts-Blacklist to static DNS

Thu Sep 15, 2022 10:49 am

What device do you have, and on what RouterOS version?
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Ultimate-Hosts-Blacklist to static DNS

Thu Sep 15, 2022 11:44 am

Using DNS will just block some. Many systems use DoH, or can set up DoH or VPN, and then bypass your block.
So if this is just to keep someone from accidentally hitting unwanted sites, OK.
But blocking someone from reaching these sites is nearly impossible.
 
hekep
just joined
Topic Author
Posts: 8
Joined: Thu Sep 15, 2022 10:21 am

Re: Ultimate-Hosts-Blacklist to static DNS

Thu Sep 15, 2022 11:53 am

Hello,

I have a hEX series.

Firmware is v6.49.6
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Ultimate-Hosts-Blacklist to static DNS

Thu Sep 15, 2022 11:56 am

OK, the hEX has 16M of storage, ~12M is used by RouterOS, and where do you think you can put 24M of DNS names?
(and NO, you CAN NOT use USB or microSD to expand RouterOS DNS static storage)
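
An added example, not part of the original posts: a Python sketch that turns hosts-format text like the linked list into `/ip dns static add` lines of the form quoted in the first post, rejecting names that are not valid DNS names and reporting the script size so it can be compared with the storage figures above. The sample input, the skip list and the function names are assumptions made for illustration.

```python
import re

# Constructed sample in /etc/hosts format; example.* names only.
SAMPLE_HOSTS = """\
# hosts-format list (constructed sample)
127.0.0.1 localhost
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net   # inline comment
0.0.0.0 ADS.example.com
0.0.0.0 bad;name.example.org
0.0.0.0 -bad.example.org
"""

# One DNS label: 1-63 chars of letters/digits/hyphen, no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
SKIP = {"localhost", "localhost.localdomain", "broadcasthost"}  # assumed skip list

def valid_name(name):
    # A downloaded list is untrusted input to a router script: emit only
    # strings that are syntactically plain multi-label DNS names.
    return len(name) <= 253 and "." in name and all(LABEL.match(p) for p in name.split("."))

def hosts_to_rsc(text, sink="127.0.0.1"):
    """Return (commands, rejected) for hosts-format text."""
    seen, commands, rejected = set(), [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        # First field is the list's own sink address; the rest are hostnames.
        for name in (f.lower().rstrip(".") for f in line.split()[1:]):
            if name in SKIP or name in seen:     # skip loopback names and duplicates
                continue
            if not valid_name(name):
                rejected.append(name)
                continue
            seen.add(name)
            commands.append(f"/ip dns static add address={sink} name={name}")
    return commands, rejected

def script_size(commands):
    """Bytes the generated script occupies, one newline per command."""
    return sum(len(c) + 1 for c in commands)

if __name__ == "__main__":
    cmds, bad = hosts_to_rsc(SAMPLE_HOSTS)
    print("\n".join(cmds))
    print(f"{len(cmds)} entries, {script_size(cmds)} bytes, {len(bad)} rejected")
```

Running it over the full list before uploading anything shows the entry count and script size to weigh against the device's free space.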
 
hekep
just joined
Topic Author
Posts: 8
Joined: Thu Sep 15, 2022 10:21 am

Re: Ultimate-Hosts-Blacklist to static DNS

Thu Sep 15, 2022 11:57 am

Using DNS will just block some. Many systems use DoH, or can set up DoH or VPN, and then bypass your block.
So if this is just to keep someone from accidentally hitting unwanted sites, OK.
But blocking someone from reaching these sites is nearly impossible.
I do not know about DoH or VPN. As far as I know my kids have no permission to install these things. Over VPN everything is possible. Perhaps block all VPN IPs too ... :shock:
 
hekep
just joined
Topic Author
Posts: 8
Joined: Thu Sep 15, 2022 10:21 am

Re: Ultimate-Hosts-Blacklist to static DNS

Thu Sep 15, 2022 11:58 am

OK, the hEX has 16M of storage, ~12M is used by RouterOS, and where do you think you can put 24M of DNS names?
My MikroTik router has a microSD card. Create a symbolic link to the mounted microSD card, perhaps (?)
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Ultimate-Hosts-Blacklist to static DNS

Thu Sep 15, 2022 11:59 am

(read again my previous post...)

Install??? Just a click in Firefox options, and other browsers have DoH on by default in new versions...
 
hekep
just joined
Topic Author
Posts: 8
Joined: Thu Sep 15, 2022 10:21 am

Re: Ultimate-Hosts-Blacklist to static DNS

Thu Sep 15, 2022 12:13 pm

(read again my previous post...)

Install??? Just a click in Firefox options, and other browsers have DoH on by default in new versions...
Would that mean that for all of those 600K+ domains, their IP addresses would have to be resolved, and possibly 600K+ IP addresses would have to be banned?

I think MikroTik cannot handle this lower-level blocking.

Each packet check against a 600K+ banlist would kill it.

I still hope there is a DNS way of blocking. There is no bulk way to enter DNS records ( https://linux-sys-adm.com/how-to-make-s ... -mikrotik/ )

The shortest possible way of blocking seems to be using their DNS; notes from https://github.com/Ultimate-Hosts-Black ... .Blacklist:
NOTICE: THIS IS THE RECOMMENDED METHOD FOR WINDOWS USER.
DNS Name safedns.allover.co.za safedns2.allover.co.za
IPv4 88.198.70.38 88.198.70.39
IPv6 2a01:4f8:140:5021::38 2a01:4f8:140:5021::39
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Ultimate-Hosts-Blacklist to static DNS

Thu Sep 15, 2022 12:17 pm

Remember that there are (no joke ...) DoH, DoT, DoQ, DoS, VPN, etc. which make any DNS filter completely useless.
 
hekep
just joined
Topic Author
Posts: 8
Joined: Thu Sep 15, 2022 10:21 am

Re: Ultimate-Hosts-Blacklist to static DNS

Thu Sep 15, 2022 12:24 pm

Remember that there are (no joke ...) DoH, DoT, DoQ, DoS, VPN, etc. which make any DNS filter completely useless.
I see, I just googled this: https://www.techtarget.com/searchsecuri ... -HTTPS-DoH

I have Firefox. By default DoH is not switched on. Hopefully this can be forced to stay switched off; then DNS blocking makes sense.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Ultimate-Hosts-Blacklist to static DNS

Thu Sep 15, 2022 12:27 pm

Only for browsers that you manage directly.
 
own3r1138
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Ultimate-Hosts-Blacklist to static DNS

Thu Sep 15, 2022 12:32 pm


NOTICE: THIS IS THE RECOMMENDED METHOD FOR WINDOWS USER.
DNS Name safedns.allover.co.za safedns2.allover.co.za
IPv4 88.198.70.38 88.198.70.39
IPv6 2a01:4f8:140:5021::38 2a01:4f8:140:5021::39
You need complete access control over the client operating system, something like deploying AD and GP. One can easily change the DNS server.
However, if you do, you don't need these rules anymore. You can use GP to block any website you want in the browser directly.
If you have devices with OSs other than Windows, you should look at Pi-hole, AdGuard, and squid+cert.
Honestly, none of these is ideal for the home. A little pornhub doesn't kill anyone. :d
 
hekep
just joined
Topic Author
Posts: 8
Joined: Thu Sep 15, 2022 10:21 am

Re: Ultimate-Hosts-Blacklist to static DNS

Thu Sep 15, 2022 12:42 pm

By "GP", you mean group policy, like this: https://techexpert.tips/windows/gpo-blo ... le-chrome/

So I should remove all other browsers from the kid's computer... feels like there is no foolproof solution.

For now I just add those DNS IPs to my kid's computer.
 
own3r1138
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Ultimate-Hosts-Blacklist to static DNS

Thu Sep 15, 2022 12:46 pm

All the browsers that I know support such an option.
The only way that you can be sure no one overrides your setting is by denying any change at the OS level.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Ultimate-Hosts-Blacklist to static DNS

Thu Sep 15, 2022 12:58 pm

The more you make something attractive and mysterious, the more someone will look for something about it.

I don't want to teach you morals or how to educate your kid, but in this case,
if you allow me and don't take offense,
you'd better spend time educating your kid than trying to educate the router and other devices.
You will certainly have more gratification.

Sorry again for the personal comment.
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Ultimate-Hosts-Blacklist to static DNS

Thu Sep 15, 2022 1:02 pm

Cut power to the building when the kids are home.
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Ultimate-Hosts-Blacklist to static DNS

Thu Sep 15, 2022 6:50 pm

I do not know about DoH or VPN. As far as I know my kids have no permission to install these things. Over VPN everything is possible. Perhaps block all VPN IPs too ... :shock:
There is a thing that you can do. Education.
You can also tell them that you have a good surveillance system that sees everything they do....
 
foresthus
just joined
Posts: 4
Joined: Mon Apr 12, 2021 12:02 am

Re: Ultimate-Hosts-Blacklist to static DNS

Wed Jun 07, 2023 10:42 pm

Hi,

There are at least two other ways to filter with a MikroTik via DNS security. It doesn't matter which MikroTik router you want to use. Other firewall solutions can also partially or fully cover these options. Both options are not free, but they are definitely worth it. Take a look at the alternatives mentioned above and you will be amazed. If you then also install a Pi-hole and add lists from e.g. https://filterlists.com/, which does the first filtering in advance, possibilities quickly become visible. cu
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Ultimate-Hosts-Blacklist to static DNS

Wed Jun 07, 2023 11:01 pm

One-Click-VPN(™) and bye-bye...
