Friday, November 17, 2017

Better Mikrotik Config to Block YouTube Video

Some Solutions Create New Problems

In my last post I outlined a method for effectively blocking YouTube by throttling the video content servers to speeds so slow that the service becomes unusable. The approach was to build two lists of IP addresses: one of local devices that need to be affected, and one of Google servers that serve video; then create mangle rules and a Queue Tree to throttle those connections.

After running with that solution for a couple of weeks, I discovered that many of the targeted servers also serve data for Google Docs and other Google services. This approach therefore ended up targeting a broader range of servers than intended and caused side effects, such as rendering Google Docs unusable for the affected devices.

After building and documenting that approach, it occurred to me to target the DNS requests directly. That way, if a server goes by more than one name (which Google definitely does), we target only the use case we want to block.

A Simpler Method for Blocking

In thinking through the problem, I realized that targeting the servers by IP address created the problem of overlap, where the same server might serve multiple kinds of data. Indeed Google uses the same servers, identified by different host names, to serve different kinds of data. So a server that serves YouTube video data can (and often does, it turns out) serve Google Docs or Gmail data.

Thus, we have to attack the problem by attacking the host NAME and not IP address. To do that, we have to attack the DNS request, but only for certain workstations.

The New Approach

Basic Outline:

  1. Take over all DNS requests for the local LAN
  2. Make an Address List of LAN IP Addresses to be affected
  3. Create an IP Firewall Layer 7 Protocol regexp to match the potential hostname
  4. Create an IP Firewall Filter rule to block these requests

1. Take Over All Local DNS Requests

Setup DNS Server

  1. Go to IP->Firewall->DNS
  2. At Servers, add your desired upstream DNS servers (8.8.8.8 and 8.8.4.4 if you want to use Google)
  3. Check the box "Allow Remote Requests"
  4. You can leave all other settings at their default
  5. Apply

Tell LAN Computers to Use Your Router for DNS

  1. Go to IP->DHCP Server->Networks
  2. Click on the network you are targeting (likely the only one in the list)
  3. Remove all DNS Servers in the list, if any
  4. Add the IP address of your Mikrotik router
Now you have a DNS server running on your Mikrotik, and you are telling computers on your LAN to use it for DNS. If you have any devices with static IPs & DNS, don't worry, the next step will cover them. You will still want to update those devices, but for the time being they will continue to work.

Intercept All DNS Requests on your LAN, Regardless of DNS Server Setup

  1. Go to IP->Firewall->NAT
  2. Click Add New
  3. Chain: dstnat
  4. Protocol: 17 (udp)
  5. Dst. Port: 53
  6. In Interface: <use your LAN bridge or master port>
  7. Action: redirect
  8. Comment: DNS Redirect
Now you have told your router to intercept and respond to ALL DNS requests, without exception. Even devices that specify other DNS servers in their interface setups will get their DNS info from your Mikrotik.

2. Make a List of Local IP Addresses

You need to know the IP Addresses of your target LAN devices.
  1. Go to: IP->DHCP Server->Leases
  2. Click on a device in the list
  3. Click Make Static
  4. Note the IP Address for each as you go
  5. Click Close
  6. Repeat for each device
(If you know your way around, you can create a new Pool and assign these devices to this pool, thereby grouping them neatly. Devices will have to refresh their IP to get the new one. For this exercise this is not needed.)
  1. Go to: IP->Firewall->Address Lists
  2. Click Add New
  3. Enter a Name ("Throttle" is what I used)
  4. Enter an IP Address from your list from above
  5. Click Ok
  6. Repeat for each IP Address
Later you can add or remove additional IP Addresses to this list as needed.

3. Create a Layer 7 Protocol Regexp

  1. Go to: IP->Firewall->Layer7 Protocols
  2. Click Add New
  3. Name: googlevideo
  4. Regexp: ^.*googlevideo.*
  5. Click Ok

4. Create a Firewall Filter Rule to Block

Create the Rule

  1. Go to: IP->Firewall->Filter Rules
  2. Click Add New
  3. Check Enabled
  4. Chain: input
  5. Src. Address List: Throttle (or whatever name you used above)
  6. Layer7 Protocol: googlevideo
  7. Action: drop
  8. Comment: googlevideo
  9. Click Ok

Move the Rule

  1. Still in IP->Firewall->Filter Rules
  2. Scroll to the bottom of the list
  3. Drag the rule with the label googlevideo to the top of the list
For those who know how firewall rules work, you can move this rule to another location in your firewall rules list. If you have the default set, put it at the top.
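The same four steps, entered at the RouterOS terminal instead of through the WinBox/WebFig menus, as an added example that is not part of the original post. It assumes a LAN interface named "bridge", a router LAN address of 192.168.88.1, and two affected devices at 192.168.88.10 and 192.168.88.11; change those to match your network. The filter rule here also carries a protocol/port match (udp, 53) that the post's rule does not specify, so that it applies only to the redirected DNS traffic and cannot accidentally match other input-chain traffic from the listed hosts.

```routeros
# Added example (not from the original post): the post's four steps as RouterOS CLI commands.
# Assumptions: LAN interface "bridge", router LAN address 192.168.88.1,
# affected devices 192.168.88.10 and 192.168.88.11 (all placeholders).

# 1. Take over all local DNS requests
/ip dns set servers=8.8.8.8,8.8.4.4 allow-remote-requests=yes
/ip dhcp-server network set [find] dns-server=192.168.88.1
/ip firewall nat add chain=dstnat protocol=udp dst-port=53 in-interface=bridge \
    action=redirect comment="DNS Redirect"

# 2. Make the list of local IP addresses (pin the leases, then build the address list)
/ip dhcp-server lease make-static [find address=192.168.88.10]
/ip dhcp-server lease make-static [find address=192.168.88.11]
/ip firewall address-list add list=Throttle address=192.168.88.10 comment="device 1"
/ip firewall address-list add list=Throttle address=192.168.88.11 comment="device 2"

# 3. Layer 7 protocol regexp (same pattern as in the post)
/ip firewall layer7-protocol add name=googlevideo regexp="^.*googlevideo.*"

# 4. Filter rule, inserted at the top of the filter list (place-before=0)
/ip firewall filter add chain=input protocol=udp dst-port=53 \
    src-address-list=Throttle layer7-protocol=googlevideo \
    action=drop comment=googlevideo place-before=0

# Verification: the rule's packet counter should climb when a listed device opens YouTube,
# and no googlevideo names should appear in the router's DNS cache for those lookups
/ip firewall filter print stats where comment=googlevideo
/ip dns cache print where name~"googlevideo"
```

Two points worth knowing when checking this. First, the Layer 7 matcher sees the raw DNS query, in which the name is sent as length-prefixed labels (a length byte, then "googlevideo", then a length byte, then "com") rather than with dots, so the literal string "googlevideo" is still contiguous in the payload and the regexp matches. Second, the redirect and the drop rule cover only UDP port 53: a listed device that resolves names over TCP port 53 or over encrypted DNS (DNS over TLS on 853 or DNS over HTTPS on 443) is not redirected to the router and therefore is not blocked by this rule, which is something to keep in mind when a device still seems to reach the video servers.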

That's it. Now your Mikrotik will intercept and serve every DNS request on your LAN, mark any request for a googlevideo-related domain, check your list of affected IP addresses, and drop the request if the source matches the list. Pretty simple, and very efficient.
