Answer the question
In order to leave comments, you need to log in
How to block https access to sites through Mikrotik using part of the dns name as a mask?
Is there a way to block https access to all sites using the dns part of the name as a mask. Ie, is it necessary to block access to all possible variants (www.example.com, www1.example.com, site.example.com) using "example.com" as "mask"? At the same time, it is known in advance that all these sites that need to be blocked have different IP addresses. At what it is desirable to have several such "masks".
I read the material described here , but the proposed script did not work for me.
I use Mikrotik RB2011L with RouteOS 6.34.4.
I understand that it is possible to install a “transparent” Squid with HTTPS resource filtering on some Linux computer, but I would like, if possible,
Answer the question
In order to leave comments, you need to log in
Another option - if MT is used as a DNS - add
example.com 127.0.0.1
.example.com 127.0.0.1 to static records
Not the most effective and with nuances, but more effective ones have already been written above. :)
PS and there is also a tyndex browser with its "secure" dns, so be careful.
UPD: read the comments. Actually, I do just that with some software that accesses the server by dns name - and this is not always desirable.
DHCP distributes the address of the dns server, pointing to the domain controller, and on it, as a forwarding server, there is a dns server on Mikrotik.
Well, you can try to create an expression in Firewall->Layer 7 ^.+(example.com).*$
Then create a rule in the Firewall blocking forward by selecting the created expression in the Advanced tab of the Layer 7 Protocol item. I block social networks on some computers.
Create regexp with blocked url
/ip firewall layer7-protocol
add name=gvno regexp="^.*(odnoklassniki.ru|odkl.ru|ok.ru|vk.com|vkontakte.ru|vkontakte.com|durov.ru| fb.com|facebook.com).*\$"
Add firewall rule (should be higher than allow rules for forward chain)
/ip firewall filter add action=reject chain=forward layer7-protocol=gvno protocol=tcp reject-with= tcp reset
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question