@drmessano
Last active February 12, 2022 23:31
Mikrotik DNS Server Blocking
This project aims to *seriously limit* users' ability to change DNS settings on their office/home endpoints in order to circumvent a restricted DNS resolver, such as one provided by AdGuard Home, Pi-hole, or some other dedicated restricted DNS solution.
What this IS:
* A simple solution for preventing the "Office Smart Guy" or the average Googling 12-year-old from changing DNS settings on a workstation, switching "Secure DNS" in Edge/Chrome to an in-browser DoH/DoT client, or using some other DNS-changing app.
What this IS NOT:
* This Gist alone does NOT implement the actual restricted DNS solution. You must roll that on your own.
* This is not some idiotic attempt/claim to block the IRC/Discord/Reddit Hackerman from proxying their DNS over Gopher to a VPS hosted in Iceland. We get it. You're kewl. Kek. The target of this solution isn't you and your 1337 H4x0r1ng.
Now, on to how the sausage is made.
RouterOS rules for forcing standard (port 53) DNS to the router's resolver:

```
/ip firewall nat add action=redirect chain=dstnat protocol=udp dst-port=53 to-ports=53 comment="Block DNS"
/ipv6 firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade DNS" out-interface-list=WAN protocol=udp port=53
/ipv6 firewall nat add action=redirect chain=dstnat protocol=udp port=53 comment="Block DNS"
```

* TO DO: move these into the correct place in the firewall rule order.
Summary of the DoH/DoT provider hostnames included in the Chromium source (the list behind the browser's "Secure DNS" setting):

```
dnsnl.alekberg.net
*dns.cleanbrowsing.org
doh.cleanbrowsing.org
one.one.one.one
*cloudflare-dns.com
doh.xfinity.com
dot.xfinity.com
dot.cox.net
doh.cox.net
odvr.nic.cz
*dns.sb
*dns.google
*8888.google
public.dns.iij.jp
chromium.dns.nextdns.io
*.opendns.com
dns*.quad9.net
dot.quickline.ch
doh.quickline.ch
doh*.spectrum.com
dns.switch.ch
```
* The firewall rules, with a best-effort wildcard summary of the list above:

```
/ip firewall filter
add action=drop chain=forward comment="Block QUIC" protocol=udp dst-port=443
add action=drop chain=forward comment="Block QUIC" protocol=udp dst-port=80
add action=drop chain=forward comment="Block Google DNS" dst-address=8.8.8.8
add action=drop chain=forward comment="Block Google DNS" dst-address=8.8.4.4
add action=drop chain=forward comment="Block DoH/DoT" protocol=tcp tls-host=*dns*
add action=drop chain=forward comment="Block DoH/DoT" protocol=tcp tls-host=*doh*
add action=drop chain=forward comment="Block DoH/DoT" protocol=tcp tls-host=*dot.*
add action=drop chain=forward comment="Block DoH/DoT" protocol=tcp tls-host=*one.*
add action=drop chain=forward comment="Block DoH/DoT" protocol=tcp tls-host=*odvr.nic.cz*
add action=drop chain=forward comment="Block DoH/DoT" protocol=tcp tls-host=*8888*
/ipv6 firewall filter
add action=drop chain=forward comment="Block QUIC" protocol=udp dst-port=443
add action=drop chain=forward comment="Block QUIC" protocol=udp dst-port=80
add action=drop chain=forward comment="Block Google DNS" dst-address=2001:4860:4860::/48
add action=drop chain=forward comment="Block DoH/DoT" protocol=tcp tls-host=*dns*
add action=drop chain=forward comment="Block DoH/DoT" protocol=tcp tls-host=*doh*
add action=drop chain=forward comment="Block DoH/DoT" protocol=tcp tls-host=*dot.*
add action=drop chain=forward comment="Block DoH/DoT" protocol=tcp tls-host=*one.*
add action=drop chain=forward comment="Block DoH/DoT" protocol=tcp tls-host=*odvr.nic.cz*
add action=drop chain=forward comment="Block DoH/DoT" protocol=tcp tls-host=*8888*
```

* TO DO: move these into the correct place in the firewall rule order.
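As an added check, not part of the gist: this Python script applies the six `tls-host` globs above to every hostname in the Chromium list to confirm the wildcard summary covers all of them, then runs the same globs over a constructed sample of ordinary hostnames to show what else they would drop. It assumes RouterOS evaluates `tls-host` as a case-insensitive shell-style glob.

```python
from fnmatch import fnmatchcase

# tls-host globs from the gist's "Block DoH/DoT" rules. Assumption: RouterOS treats
# tls-host as a case-insensitive shell-style glob, which fnmatchcase reproduces.
BLOCK_PATTERNS = ["*dns*", "*doh*", "*dot.*", "*one.*", "*odvr.nic.cz*", "*8888*"]

# Provider hostnames as listed in the gist (some entries carry their own '*').
CHROMIUM_HOSTS = [
    "dnsnl.alekberg.net", "*dns.cleanbrowsing.org", "doh.cleanbrowsing.org",
    "one.one.one.one", "*cloudflare-dns.com", "doh.xfinity.com", "dot.xfinity.com",
    "dot.cox.net", "doh.cox.net", "odvr.nic.cz", "*dns.sb", "*dns.google",
    "*8888.google", "public.dns.iij.jp", "chromium.dns.nextdns.io", "*.opendns.com",
    "dns*.quad9.net", "dot.quickline.ch", "doh.quickline.ch", "doh*.spectrum.com",
    "dns.switch.ch",
]
# Constructed sample of ordinary hostnames, to measure collateral damage.
BENIGN_SAMPLE = ["www.example.com", "phone.example.org", "zone.example.net",
                 "api.mydot.com", "dnsimple.com", "host8888.example.net"]

def sni_blocked(sni, patterns=BLOCK_PATTERNS):
    """Return the first glob that drops a ClientHello carrying this SNI, else None."""
    host = sni.lower().rstrip(".")
    for pat in patterns:
        if fnmatchcase(host, pat):
            return pat
    return None

def concrete_hosts(entry):
    """Expand a list entry's own '*' into sample SNIs: empty label and label 'x'."""
    return {entry.replace("*", ""), entry.replace("*", "x")}

def uncovered_providers(entries=CHROMIUM_HOSTS, patterns=BLOCK_PATTERNS):
    """Entries for which at least one sample SNI slips past every glob."""
    return sorted(e for e in entries
                  if any(sni_blocked(h, patterns) is None for h in concrete_hosts(e)))

def collateral(hosts, patterns=BLOCK_PATTERNS):
    """Map each hostname the globs would also drop to the glob responsible."""
    hits = {}
    for h in hosts:
        pat = sni_blocked(h, patterns)
        if pat is not None:
            hits[h] = pat
    return hits

if __name__ == "__main__":
    print("providers not covered:", uncovered_providers() or "none")
    for host, pat in collateral(BENIGN_SAMPLE).items():
        print(f"collateral: {host} would be dropped by tls-host={pat}")
```

Any entry reported as uncovered needs its own `tls-host` rule; the collateral hits are the price of the short globs, with `*one.*` in particular dropping any hostname that contains "one." (phone., zone., someone., and so on).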