ahmedramze

family Cloudflare pornography block

Tue Apr 25, 2023 3:11 pm

Hello.

Below are the settings for a pornography block, and also a way to use DoH (DNS over HTTPS).

This is a beginner how-to.

1- You need to use only the MikroTik DNS, and block all access to any DNS request if clients change their DNS.
The input interface is ether1 and the local network is 192.168.88.0/24 for this example.

Redirect all DNS to MikroTik (the TCP redirect is added so DNS over TCP cannot slip past the UDP rule).
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface=ether1 src-address=192.168.88.0/24
add action=redirect chain=dstnat dst-port=53 protocol=udp
add action=redirect chain=dstnat dst-port=53 protocol=tcp
Block all incoming DNS requests if there is a public IP on ether1, to avoid a DNS DDoS. Also, ping to the public address is allowed only for the IPs we allowed via the GREEN address list.

GREEN LIST IPs
If you want, remove the Google DNS entry in case you want to block access to it.
/ip firewall address-list
add address=8.8.8.0/24 list=GREEN
add address=1.1.1.0/24 list=GREEN
add address=192.168.88.0/24 list=GREEN
And these are the block filters:

/ip firewall filter
add action=drop chain=input icmp-options=8:0-255 in-interface=ether1 protocol=icmp src-address-list=!GREEN
add action=drop chain=input dst-port=53 protocol=udp src-address-list=!GREEN
add action=drop chain=input dst-port=53 protocol=tcp src-address-list=!GREEN

Now for a test: if step 2 is not done yet and there is no DNS server IP in MikroTik,
no page will open and no site names will be resolved. This means the firewall setup is OK and we can move to step 2.


2- Setting the Cloudflare DNS

Cloudflare has three DNS servers:
1.1.1.1 for normal DNS without any blocking.
1.1.1.2 blocks malware.
1.1.1.3 blocks malware and adult content.

Setting the MikroTik DNS without DoH, for blocking malware and adult content:
/ip dns
set allow-remote-requests=yes servers=1.1.1.3
Setting the MikroTik DNS with DoH, for blocking malware and adult content:

Same as the normal DNS, Cloudflare has three DoH endpoints:
https://cloudflare-dns.com/dns-query
for normal DNS without any blocking.
https://security.cloudflare-dns.com/dns-query
blocks malware.
https://family.cloudflare-dns.com/dns-query
blocks malware and adult content.

Before adding DoH we need to import the DNS root certificate:
/tool fetch url="https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem"
/certificate import file-name=DigiCertGlobalRootCA.crt.pem
Then press Enter for the passphrase.

Now a normal DoH example:
/ip dns set use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes
For blocking malware and adult content:
/ip dns set servers=1.1.1.3 use-doh-server=https://family.cloudflare-dns.com/dns-query verify-doh-cert=yes

Tested and works 100%, but my issue is how to block DoH or DoT requests from users; they can bypass the DNS blocking by using DNS over HTTPS.
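As an added example (not part of the post above), here is the whole setup as one RouterOS script, extended to the DoT/DoH bypass the post asks about: it redirects TCP as well as UDP 53 to the router, drops DNS over TLS/QUIC (port 853) for transit traffic, and drops HTTPS and HTTP/3 to a DOH_RESOLVERS address list. The list name and the three resolver hostnames in it are my own illustrative choices, not a complete inventory of public DoH servers.

```routeros
# Step 1: every client DNS query, UDP and TCP, is answered by the router itself.
/ip firewall nat
add chain=dstnat src-address=192.168.88.0/24 protocol=udp dst-port=53 action=redirect comment="DNS to router (UDP)"
add chain=dstnat src-address=192.168.88.0/24 protocol=tcp dst-port=53 action=redirect comment="DNS to router (TCP)"

# Sources allowed to query the router and to ping ether1.
/ip firewall address-list
add list=GREEN address=192.168.88.0/24 comment="LAN"
# Public encrypted-DNS resolvers a client could use to bypass the router. The
# hostnames are illustrative, not a complete list; RouterOS accepts FQDN entries
# in an address list and re-resolves them as their TTL expires.
add list=DOH_RESOLVERS address=cloudflare-dns.com
add list=DOH_RESOLVERS address=dns.google
add list=DOH_RESOLVERS address=dns.quad9.net

/ip firewall filter
add chain=input in-interface=ether1 protocol=icmp icmp-options=8:0-255 src-address-list=!GREEN action=drop
add chain=input protocol=udp dst-port=53 src-address-list=!GREEN action=drop
add chain=input protocol=tcp dst-port=53 src-address-list=!GREEN action=drop
# DNS over TLS (TCP 853) and DNS over QUIC (UDP 853) use a dedicated port,
# so they can be dropped for transit traffic outright.
add chain=forward protocol=tcp dst-port=853 action=drop comment="block DoT"
add chain=forward protocol=udp dst-port=853 action=drop comment="block DoQ"
# DoH shares 443 with ordinary web traffic; the only firewall-level handle is the
# resolver's address, so HTTPS (TCP) and HTTP/3 (UDP) to listed resolvers are dropped.
add chain=forward protocol=tcp dst-port=443 dst-address-list=DOH_RESOLVERS action=drop comment="block DoH"
add chain=forward protocol=udp dst-port=443 dst-address-list=DOH_RESOLVERS action=drop comment="block DoH over QUIC"

# Step 2: the router itself resolves through Cloudflare's family filter over DoH.
# Its own queries leave via the output chain, so the forward rules above do not
# affect them; 1.1.1.3 bootstraps the lookup of the DoH hostname.
/tool fetch url="https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem"
/certificate import file-name=DigiCertGlobalRootCA.crt.pem passphrase=""
/ip dns set allow-remote-requests=yes servers=1.1.1.3 use-doh-server=https://family.cloudflare-dns.com/dns-query verify-doh-cert=yes
```

A client can still reach an encrypted resolver that is not on the list, so the address-list rule narrows the bypass rather than closing it; the packet counters on the forward-chain drop rules show which clients are attempting it.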
