What's the point? Try to share more details.
If it's some non-public domain, you could do some filtering on that. But then I'd also expect internal addresses, and there would have to be some VPN to access them, so just use it for accessing the DNS server too.
If it's a resolver for regular public domains, e.g. because clients can't trust resolvers provided by their ISPs, you couldn't identify who is asking, whether it's an allowed client or someone else. But an ISP doing something bad with their local DNS could as well do the same with other requests, so you'd probably also want something to prevent it, like a VPN.
Well, I have devices that are supposed to connect to non-public domains, something like d1.zonex.srv, which should only be available to specific devices. We also need these devices to not connect to any domains but the ones we allow, to prevent some pre-installed apps from sharing our private data.
Unfortunately, the devices' firmware doesn't have any VPN client and we can't install any because they are closed source, and they are not under our control to be managed by a firewall, so the only way to achieve this is to connect these devices to our DNS server, which will resolve d1.zonex.srv to the right address and block the unwanted apps.
In short, our service will be available only for those who use our DNS server which ensures the unwanted apps are blocked.
We already achieved this, but it would be a nice bonus if we could do something like making a specific domain work only for a specific device.
Based on my information, this is not possible since the client device won't send anything unique to the DNS server, but idk if the incoming requests contain something like a user agent that I can use an L7 pattern to match.
I know user agents are not unique and can be changed, but in our case we are dealing with devices that never change the user agent, and the variety of device models and firmware versions will narrow the possibility of having identical user agents on our server.
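
An added example, not part of either post above: a small parser that lists every field a client places in a classic DNS query message (header, question, optional EDNS OPT record), which is all an L7 pattern on port 53 has to match against. The sample query is constructed here, and `build_query`, `read_name` and `parse_query` are hypothetical helper names.

```python
import struct

def build_query(name, txid=0x1234, udp_size=1232):
    """Constructed sample: an A query for `name` carrying an empty EDNS OPT record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0)   # root name, TYPE=OPT(41)
    return header + qname + struct.pack("!HH", 1, 1) + opt

def read_name(msg, off):
    # Read an uncompressed domain name; return (name, next offset).
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0 or off + n > len(msg):
            raise ValueError("compressed or truncated name")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n

def parse_query(msg):
    """Return every client-supplied field found in a DNS query message."""
    try:
        txid, flags, qd, _an, _ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
        if qd != 1:
            raise ValueError("expected exactly one question")
        qname, off = read_name(msg, 12)
        qtype, qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        fields = {"id": txid, "flags": flags, "qname": qname,
                  "qtype": qtype, "qclass": qclass, "edns_options": []}
        for _ in range(ar):
            _, off = read_name(msg, off)
            rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
            if rtype == 41:  # OPT: CLASS carries the client's UDP payload size
                fields["edns_udp_size"] = rclass
                p = 0
                while p + 4 <= len(rdata):
                    code, olen = struct.unpack_from("!HH", rdata, p)
                    fields["edns_options"].append((code, rdata[p + 4:p + 4 + olen]))
                    p += 4 + olen
        return fields
    except (struct.error, IndexError) as exc:
        raise ValueError("malformed DNS message") from exc

if __name__ == "__main__":
    print(parse_query(build_query("d1.zonex.srv")))
```

The resolver also sees the packet's source IP address, but that comes from the socket rather than from the message itself.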