helpfulunderneath
just joined
Topic Author
Posts: 5
Joined: Tue Apr 09, 2024 1:29 pm

How to force filter DNS

Mon Sep 30, 2024 3:42 pm

Hi all,

I tried to search, but I can't quite find what I need.

I have a client, a church, which offers WiFi and would like to block any "dubious" traffic on that network for obvious reasons.

My idea is to set the Static DNS Forwarder on the MikroTik to something like AdGuard Family Shield or the like; the MikroTik provides DHCP, therefore any client joining will use these IPs. However, upon trying this it only works in Firefox on mobile, as I believe Chrome browsers now have this Secure DNS feature turned on. I have disabled that, same thing.

Therefore, I then thought I could make a rule on the WiFi VLAN to block DNS requests going to UDP 53, but how can I redirect them and force clients to only use these DNS IPs?

Any ideas or suggestion? Perhaps I am tackling this from the wrong angle.

Thanks

pe1chl
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: How to force filter DNS

Mon Sep 30, 2024 3:59 pm

That will not fully work anymore, as more and more devices use DoH and DoT to "work around" such admin intervention.
Also, users use "VPN services" to work around it.
 
helpfulunderneath
just joined
Topic Author
Posts: 5
Joined: Tue Apr 09, 2024 1:29 pm

Re: How to force filter DNS

Mon Sep 30, 2024 4:59 pm

pe1chl wrote:
That will not fully work anymore, as more and more devices use DoH and DoT to "work around" such admin intervention.
Also, users use "VPN services" to work around it.

Well, that makes sense; however, I did run some tests on the following config and it works as expected. I tested with the Chrome Private DNS and also the iPhone Private IP mode.
Obviously I cannot enforce blocking of client VPNs, as the ports for those might vary.

The NAT rule is the main thing, as a catch-all for queries; if this shouldn't work, why does it work?
# OpenDNS FamilyShield upstream DNS
# (the FamilyShield pair is 208.67.222.123 and 208.67.220.123; the original
# print listed 208.67.222.123 twice, which leaves no fallback resolver)
/ip/dns/print
servers: 208.67.222.123,208.67.220.123

# NAT rules redirecting every plain-DNS query (UDP and TCP 53) that enters from
# the WiFi VLAN to the router's own resolver, whatever resolver the client asked for
/ip/firewall/nat/add action=redirect chain=dstnat protocol=udp dst-port=53 in-interface=bridge-vlan103 comment="Redirect DNS to FW"
/ip/firewall/nat/add action=redirect chain=dstnat protocol=tcp dst-port=53 in-interface=bridge-vlan103 comment="Redirect DNS to FW"

# OpenDNS handed out as the DNS server on the VLAN103 DHCP network
# (with the redirect rules above in place, queries to this address are
# intercepted and answered by the router anyway)
/ip/dhcp-server/network/print
Columns: ADDRESS, GATEWAY, DNS-SERVER, DOMAIN
;;; VLAN103 DHCP
1 10.0.3.0/24      10.0.3.1      208.67.222.123

 
erlinden
Forum Guru
Posts: 2684
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: How to force filter DNS

Mon Sep 30, 2024 5:12 pm

helpfulunderneath wrote:
The NAT rule is the main thing, as a catch-all for queries; if this shouldn't work, why does it work?
Because the client is using 1) DNS servers supplied through DHCP or 2) public DNS servers that are intercepted by the rules.

As soon as the client uses DoH or DoT (as @pe1chl mentioned), the requests aren't intercepted and your approach will be useless. Basically because other ports are used (and not port 53).
 
reinerotto
Long time Member
Posts: 523
Joined: Thu Dec 04, 2008 2:35 am

Re: How to force filter DNS

Tue Oct 01, 2024 8:43 am

Your solution is just the basics. As other users pointed out here, there are possibilities to circumvent your "half-baked" solution.
However, to a fairly high degree all the arguments against your solution can be taken care of with some additional work.
E.g. DoT uses a special port, which can be closed. This is the simplest thing to do to improve your solution a bit. But some more steps are required, of course.
However, in case there is a churchgoer with his own private VPN listening on port 443, at the MT level you are beaten.
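Putting the thread's pieces together, here is an added RouterOS example (not the original poster's config and not a MikroTik-supplied script) that covers the steps discussed above: the port-53 redirect from the second post, the "close the DoT port" step from the last post, and a best-effort DoH rule for the port-443 case that the thread says cannot be blocked by port alone. The interface name bridge-vlan103, the subnet 10.0.3.0/24, the router address 10.0.3.1 and the OpenDNS FamilyShield resolvers are taken from the thread; the address-list name doh-resolvers and the three DoH hostnames in it are assumptions for this example.

```routeros
# Assumptions for this example: VLAN interface bridge-vlan103, client subnet 10.0.3.0/24,
# router address 10.0.3.1 (all from the thread). The address-list name "doh-resolvers"
# and the hostnames placed in it are example choices, not from the thread.

# 1. The router's own resolver answers client queries and forwards them to the
#    filtering upstream (OpenDNS FamilyShield pair).
/ip/dns/set allow-remote-requests=yes servers=208.67.222.123,208.67.220.123

# 2. Hand out the router itself as DNS server, so well-behaved clients use the
#    filtered resolver without needing the redirect at all.
/ip/dhcp-server/network/set [find address="10.0.3.0/24"] dns-server=10.0.3.1

# 3. Catch-all: any plain-DNS query (UDP/TCP 53) entering from the WiFi VLAN is
#    redirected to the router, whatever resolver address the client configured.
/ip/firewall/nat/add chain=dstnat in-interface=bridge-vlan103 protocol=udp dst-port=53 action=redirect comment="Redirect DNS to FW"
/ip/firewall/nat/add chain=dstnat in-interface=bridge-vlan103 protocol=tcp dst-port=53 action=redirect comment="Redirect DNS to FW"

# 4. DoT (TCP 853) and DNS-over-QUIC (UDP 853) use a dedicated port, so they can be
#    rejected outright. Clients in an "automatic"/opportunistic private-DNS mode fall
#    back to plain DNS (which step 3 catches); a client forced to "strict" mode simply
#    fails to resolve names until the user turns it off.
/ip/firewall/filter/add chain=forward in-interface=bridge-vlan103 protocol=tcp dst-port=853 action=reject reject-with=tcp-reset comment="Block DoT"
/ip/firewall/filter/add chain=forward in-interface=bridge-vlan103 protocol=udp dst-port=853 action=reject reject-with=icmp-port-unreachable comment="Block DoQ"

# 5. DoH shares TCP 443 with ordinary HTTPS, so it cannot be told apart by port.
#    Best effort: list well-known public DoH resolver hostnames in an address-list
#    (RouterOS resolves FQDN entries itself and refreshes them) and reject 443 to
#    those addresses. This only covers resolvers you list; a private DoH or VPN
#    server on 443, as the last post notes, still gets through.
/ip/firewall/address-list/add list=doh-resolvers address=dns.google comment="DoH"
/ip/firewall/address-list/add list=doh-resolvers address=cloudflare-dns.com comment="DoH"
/ip/firewall/address-list/add list=doh-resolvers address=dns.quad9.net comment="DoH"
/ip/firewall/filter/add chain=forward in-interface=bridge-vlan103 protocol=tcp dst-port=443 dst-address-list=doh-resolvers action=reject reject-with=tcp-reset comment="Block DoH to listed resolvers"

# 6. allow-remote-requests=yes also exposes the resolver to the WAN side; accept DNS
#    on the input chain only from the WiFi VLAN and drop it from everywhere else.
/ip/firewall/filter/add chain=input in-interface=bridge-vlan103 protocol=udp dst-port=53 action=accept comment="Clients to router DNS"
/ip/firewall/filter/add chain=input in-interface=bridge-vlan103 protocol=tcp dst-port=53 action=accept comment="Clients to router DNS"
/ip/firewall/filter/add chain=input protocol=udp dst-port=53 action=drop comment="No DNS from elsewhere"
/ip/firewall/filter/add chain=input protocol=tcp dst-port=53 action=drop comment="No DNS from elsewhere"
```

Firewall filter rules are evaluated top to bottom and `add` appends to the end, so on an existing router the forward and input rules above must sit above any generic "accept established/related" or "accept forward" rules (use `place-before=` or move them in WinBox) or they are never reached. Verify from a client on the VLAN: a query sent explicitly to a third-party resolver on port 53 should return the FamilyShield-filtered answer, a connection to port 853 should be refused immediately, and HTTPS to a listed DoH hostname should be reset while other HTTPS traffic is unaffected.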
