/ip dhcp-server network

/ip dns set servers=10.0.0.5

/ip firewall address-list
add address=9.9.9.9 list=allowedDNS
add address=172.30.2.5 list=allowedDNS
add address=172.30.2.1 list=allowedDNS

/ip firewall filter
add action=accept chain=forward dst-address-list=allowedDNS dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=output comment="Accept TCP 53 to allowable DNS" \
    dst-address-list=allowedDNS dst-port=53 protocol=tcp
add action=accept chain=output comment="Block UDP/53 except allowedDNS" \
    dst-address-list=allowedDNS dst-port=53 protocol=udp
add action=drop chain=output dst-address-list=!allowedDNS dst-port=53 protocol=tcp

• dns.google (see documentation)
• cloudflare-dns.com (see documentation)
• use-application-dns.net to tell Firefox not to use DoH (see documentation)

Step 1: Create a local resolver

Get some kind of DNS resolver in your network that is not the router. This is a big step and it's kinda beyond the scope of what I'm writing here. I am a big fan of the pi-hole because I like blocking ads. It also gives you a nice GUI interface for managing DNS block lists and it gives you a database of what domains your network users are visiting. I'll pretend you have installed one and it has IP address 10.0.0.5.

Nowadays, even the SNI field (TLS Host) is often encrypted using ESNI encryption.

This will block a lot of stuff. it's not perfect. There is no perfect solution. It really depends on who your users are, how hard they will try, and how bad it is if they succeed as to how much work you want to put into making it harder and harder.

I know you're asking how to do this with a Mikrotik router, and I'm about to give you a combination Mikrotik/non-Mikrotik solution. So please forgive me. It is not possible to get all the IP addresses of "youtube.com" and just block them. The layer 7 stuff in the router that you're doing works a little, but it is not robust enough. A layer 7 list in the router is hard to manage and it gets messy quickly the more things you decide you want to block. It's really easy to bypass the layer 7 list in the router using DoH (see step 5 at the end), so you have to do more.

Step 1: Create a local resolver

Get some kind of DNS resolver in your network that is not the router. This is a big step and it's kinda beyond the scope of what I'm writing here. I am a big fan of the pi-hole because I like blocking ads. It also gives you a nice GUI interface for managing DNS block lists and it gives you a database of what domains your network users are visiting. I'll pretend you have installed one and it has IP address 10.0.0.5.

NOTE: The only way to do this reasonably is to create a server of some kind (a VM, a Raspberry Pi, etc.), running software on it, and keeping it alive. It becomes your DNS server for your network, so it is critical infrastructure. If it goes down, end users will say "the internet doesn't work" because DNS can't resolve anything. If you can't or won't run a separate DNS resolver for your network, DNS-based blocking (i.e., blocking based on the "domain name") is not something you'll be able to do (step 5 below explains why).

Step 2: Get your local resolver blocking things

Block domains on your DNS filter. E.g., block youtube.com, googlevideo.com, etc. If you don't want to block ads at the pi-hole, you can turn off the ad blocking features and lists. You just block things named on your manually-curated block list. Ad blocking is pretty pervasive and it can sometimes interfere with normal users' stuff. Half the links they click in Google search are ads. So if they're used to searching the internet by using the world's largest internet advertiser, and then clicking one of the top 5 links, which are all advertisements, they'll discover that these top 5 links don't usually work. It depends on your user population and what's behind this router whether ad blocking will be good, bad, or indifferent.

Now, here's where you can test and try things out without disrupting anyone on your network. On a test system you control, like a laptop, manually configure the DNS and tell it to use 10.0.0.5 (or whatever the IP address of your DNS resolver is). Your test system should browse the internet just fine. If you've enabled ad blocking, that one system should see fewer ads. If you've only blocked a few domains, then try visiting those domains and see that they're blocked. Assuming this one test system is behaving as expected (youtube blocked, everything else working fine), keep going.

In Step 3, you switch all the devices on your network so that they will use the new blocking resolver.

Step 3: Get everyone on the network using the local resolver

Step 3 Variation A: Make sure all your DHCP leases give out your DNS resolver (I'm pretending that's 10.0.0.5) as the DNS server. Assuming your Mikrotik router is your DHCP server, set the DNS server using the right options to

Code: Select all

/ip dhcp-server network

. See DHCP documentation). If you do this, the change will take effect gradually, as each device's DHCP lease runs out.

Step 3 Variation B: Instead of (not in addition to) the above, you can give out the router's IP address as the DNS resolver. (This is normal and probably what you do now). Configure the router itself to resolve DNS by going to the pi-hole on 10.0.0.5. E.g.,

Code: Select all

/ip dns set servers=10.0.0.5

. You'll do this instead of having your router resolve DNS via the Internet (upstream ISP). If you do this version, the change is essentially instant and affects everyone. So please test before doing this.

Both variations of of Step 3 are reversible. If you mess up, just put it back how it was before.

At this point, lots of devices will find YouTube blocked, but not all. And it's trivial to bypass. In the same way you tested after step 2, someone else can follow those same steps and opt-out of ad blocking/youtube blocking. If they go to their device, change IP their DNS to point to 9.9.9.9 or 1.1.1.1, they will get unfiltered DNS and they'll get YouTube or other blocked domains.

If you really want to make it hard to avoid your filters, the next two steps are where you go back to the Mikrotik and really commit.

Step 4: block any DNS that is not the local resolver

Step 4 A: Impose IP firewall filters that block UDP to port 53 and TCP to port 53 to an IP address except 10.0.0.5 (or whatever DNS server you run). Note that whatever system you choose (e.g. the pi-hole or some other solution) must be exempted from this rule.

In my network I have:

Code: Select all

/ip firewall address-list
add address=9.9.9.9 list=allowedDNS
add address=172.30.2.5 list=allowedDNS
add address=172.30.2.1 list=allowedDNS

Then I have firewall rules:

Code: Select all

/ip firewall filter
add action=accept chain=forward dst-address-list=allowedDNS dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=output comment="Accept TCP 53 to allowable DNS" \
    dst-address-list=allowedDNS dst-port=53 protocol=tcp
add action=accept chain=output comment="Block UDP/53 except allowedDNS" \
    dst-address-list=allowedDNS dst-port=53 protocol=udp
add action=drop chain=output dst-address-list=!allowedDNS dst-port=53 protocol=tcp

Step 4 B: If the source IP is your DNS resolver (e.g., the pi-hole at 10.0.0.5), it must be allowed to connect to any IP address on port 53 either UDP or TCP. The idea here is that the only way to do DNS on your network is to talk to YOUR DNS server. No others will be reachable.

Caution: If you think users on your network may have manually configured DNS somehow, their device will break when you do this. if they have have manually configured DNS (e.g., to use the world's largest internet advertiser 8.8.8.8 or 8.8.4.4), they will find that the internet suddenly doesn't work. Their system will stop resolving DNS names. Until someone manually fixes the device (making it use your local DNS or use DHCP), the device will be unable to use the internet.

Step 5: Try to block some DNS over HTTPS

We're not done. There's a new way of doing DNS, however, called DNS over HTTP (DoH). Frankly, this is pretty hard to block. The clients will make outbound HTTPS connections on port 443 to some well-known services that provide DNS. Chrome does this by default. This means that when the browser tries to look up "www.youtube.com" it will make an HTTPS connection to a well known cloudflare server (or other server) and it will get the DNS answer. You'll need to block some new domains, just to block DNS over HTTPS. Go back to your pi-hole or whatever DNS resolver you're using for blocking and block at least these 3 domains.

• dns.google (see documentation)
• cloudflare-dns.com (see documentation)
• use-application-dns.net to tell Firefox not to use DoH (see documentation)

At this point, you've done a lot. Only the craftiest people will be able to get around this. It's not bulletproof. I'm sure there are public DoH servers out there other than CloudFlare and Google. If one of your users figures out how to configure their browser to use that DoH resolver, they'll be able to watch YouTube. There are probably some other bypasses possible. But this raises the bar a lot. It will block a lot of YouTube for ordinary users.

Conclusion

This will block a lot of stuff. it's not perfect. There is no perfect solution. It really depends on who your users are, how hard they will try, and how bad it is if they succeed as to how much work you want to put into making it harder and harder.

And Youtube runs over UDP when possible, which "TLS host" does not support.

Good info. I use pihole to block youtube on my network as well, but my pihole servers use unbound so they are not querying external DNS servers. Does that mean I can block all traffic on port 53 on my firewall and what does that look like? Thanks.

Nowadays, even the SNI field (TLS Host) is often encrypted using ESNI encryption.

And Youtube runs over UDP when possible, which "TLS host" does not support.

Good info. I use pihole to block youtube on my network as well, but my pihole servers use unbound so they are not querying external DNS servers. Does that mean I can block all traffic on port 53 on my firewall and what does that look like? Thanks.

Unbound is the name of the software your servers run, not the name of servers that they query. Your unbound servers don't have the entire world's database of IP/name mappings installed. If they are actually able to resolve names to IP addresses, they are definitely querying outside servers. They might not be querying the recursive resolvers that your ISP assigns to you, but they are definitely querying SOMEBODY. Here is a super primitive diagram that kinda shows what happens (a) when your laptop needs to know the IP address of www.youtube.com, (b) it asks your PiHole, and (c) the PiHole has nothing cached, so it has to query everything, and (d) everything works normally as expected. In reality it's much more complicated, but this gets the idea across.
dns-recursion.png

Now, most people don't have a PiHole, so if you're reading this and wondering how it works in YOUR network, since you don't have a PiHole, just change the label from "PiHole" to something else. It might be "Mikrotik Router" in the 'PiHole' column, if your router does DNS resolution for your network. Or it might be "My ISP's DNS server" instead of "PiHole" if you use the DNS server your ISP assigns. Something, somewhere in your network, acts as a "recursive resolver" to do all the chasing of records I showed in that diagram.

I get that, but if unbound isn't using port 53, I can block it on my firewall and prevent users on my network from bypassing my piholes, right?

I get that, but if unbound isn't using port 53, I can block it on my firewall and prevent users on my network from bypassing my piholes, right?

How is unbound getting its DNS data?

YouTube at most delivers the video stream via UDP after you've found the video you want to watch and started playing it. If you can't get the video stream started because you can't reach YouTube's web interface to search and click on things, you won't get to the part of the process where UDP gets involved. You can't start a video using only UDP. You can't search for videos using only UDP. So the fact that some of the packets really late in the conversation are delivered via UDP, which could not be blocked by these DNS/TCP-focused approaches, is irrelevant.

How is unbound getting its DNS data?

That's what I'm trying to understand. Not sure what port it uses by default.

That's what I'm trying to understand. Not sure what port it uses by default.

By default, it works as a caching recursive resolver, which means it will query the root servers, etc... and use port 53 (UDP & TCP). It can also work as forwarder and forwards requests to upstream DNS servers. In that case, DoT (DNS over TLS) can also be used and unbound will use port 853 TCP to communicate with the upstream servers (or other custom ports that those servers might support).

Thanks. Can confirm that the root server queries are on port 53. So for now I have 53 blocked on my firewall for everybody except the piholes.

That is fine, as long as you understand that in today's world that does not do anything.
(because of DoT, DoH and VPN)

Your info are outdated. Look at this Protocol column when loading the front page of YouTube (and see document/text/html on the Type column beside it).

Now, do you know what transport layer HTTP/3 relies on?

I get that. That is news to me a little bit, but I don't understand how it is relevant. That browser is doing UDP connections to youtube. How did the browser resolve youtube.com to an IP address to initiate that UDP stream? If the DNS blocking works and the browser cannot resolve the name youtube.com to a valid IP address, I don't see how the browser makes an HTTP/3 connection via UDP. Assuming the person uses some technology (DoH, VPN, etc.) to bypass the DNS blocking tricks, which means they can resolve the name youtube.com to a valid IP, they'll be able to use HTTP/3 or just good old HTTP/2.

There isn't a situation where HTTP/2 is blocked but HTTP/3 works, is there? Either DNS blocking works and neither HTTP/2 nor HTTP/3 work, or DNS blocking is bypassed and both HTTP/2 and HTTP/3 work fine. What am I missing?

It's now very easy to have secure DNS turned on. Mobile OSes have settings to turn them on at the OS level, same with Windows. Every modern web browser now either use secure DNS by default or have setting to turn that on. So, you just have to assume that DNS blocking is useless against someone who know how to use the search engine for two minutes.

I need to block YouTube as much as possible to minimize access to the platform.

I need to block YouTube as much as possible to minimize access to the platform.

Why?