DEV Community: ZILL E ALI BUTT The latest articles on DEV Community by ZILL E ALI BUTT (@zilleali12). https://dev.to/zilleali12 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3935016%2Feb601cff-b230-42cd-8622-cd68face2e19.png DEV Community: ZILL E ALI BUTT https://dev.to/zilleali12 en How I blocked all Social Media + DoH/DoT on MikroTik for an ISP network (step-by-step) ZILL E ALI BUTT Sat, 16 May 2026 15:04:54 +0000 https://dev.to/zilleali12/how-i-blocked-all-social-media-dohdot-on-mikrotik-for-an-isp-network-step-by-step-3i82 https://dev.to/zilleali12/how-i-blocked-all-social-media-dohdot-on-mikrotik-for-an-isp-network-step-by-step-3i82 <p>Managing an ISP network means you often need to enforce content policies — whether for a corporate client, a school, or a regulated environment. In this post, I'll walk through exactly how I built a robust social media and app-blocking system on MikroTik RouterOS, including blocking DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) to prevent users from bypassing your filters.</p> <p>This is a real setup I implemented at <strong>FiberX Digital</strong>, where I work as a Junior Network Engineer managing FTTH B2B and B2C infrastructure.</p> <h2> What We're Building </h2> <ul> <li>Block social media platforms (Facebook, Instagram, TikTok, YouTube, Twitter/X, Snapchat, etc.)</li> <li>Block messaging apps (WhatsApp, Telegram, Signal)</li> <li>Force all DNS through your controlled resolver</li> <li>Block DoH and DoT so users can't bypass your DNS filters</li> <li>Use dynamic address lists for easy management</li> </ul> <h2> Prerequisites </h2> <ul> <li>MikroTik router running RouterOS v6.49+ or v7.x</li> <li>Admin access via Winbox or SSH</li> <li>Basic knowledge of MikroTik firewall rules</li> </ul> <h2> Step 1 — Force DNS to Your Router </h2> <p>First, redirect all outbound DNS (port 53) back to your router so no client can use an external resolver directly.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>/ip firewall nat add <span class="nv">chain</span><span class="o">=</span>dstnat <span class="nv">protocol</span><span class="o">=</span>udp dst-port<span class="o">=</span>53 <span class="nv">action</span><span class="o">=</span>redirect to-ports<span class="o">=</span>53 <span class="nv">comment</span><span class="o">=</span><span class="s2">"Force DNS to router UDP"</span> add <span class="nv">chain</span><span class="o">=</span>dstnat <span class="nv">protocol</span><span class="o">=</span>tcp dst-port<span class="o">=</span>53 <span class="nv">action</span><span class="o">=</span>redirect to-ports<span class="o">=</span>53 <span class="nv">comment</span><span class="o">=</span><span class="s2">"Force DNS to router TCP"</span> </code></pre> </div> <p>Set your router's DNS and disable remote requests if not needed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>/ip dns <span class="nb">set </span><span class="nv">servers</span><span class="o">=</span>1.1.1.1,8.8.8.8 allow-remote-requests<span class="o">=</span><span class="nb">yes </span>cache-max-ttl<span class="o">=</span>1d </code></pre> </div> <blockquote> <p><strong>Note:</strong> <code>allow-remote-requests=yes</code> is required for the NAT redirect to work. Lock it down at the firewall level instead (Step 4).</p> </blockquote> <h2> Step 2 — Block DoH (DNS over HTTPS) </h2> <p>DoH runs over port 443 HTTPS, so you can't just block a port. You need to block the known DoH provider IPs using an address list.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>/ip firewall address-list add <span class="nv">list</span><span class="o">=</span>doh_servers <span class="nv">address</span><span class="o">=</span>1.1.1.1 <span class="nv">comment</span><span class="o">=</span><span class="s2">"Cloudflare DoH"</span> add <span class="nv">list</span><span class="o">=</span>doh_servers <span class="nv">address</span><span class="o">=</span>1.0.0.1 <span class="nv">comment</span><span class="o">=</span><span class="s2">"Cloudflare DoH"</span> add <span class="nv">list</span><span class="o">=</span>doh_servers <span class="nv">address</span><span class="o">=</span>8.8.8.8 <span class="nv">comment</span><span class="o">=</span><span class="s2">"Google DoH"</span> add <span class="nv">list</span><span class="o">=</span>doh_servers <span class="nv">address</span><span class="o">=</span>8.8.4.4 <span class="nv">comment</span><span class="o">=</span><span class="s2">"Google DoH"</span> add <span class="nv">list</span><span class="o">=</span>doh_servers <span class="nv">address</span><span class="o">=</span>9.9.9.9 <span class="nv">comment</span><span class="o">=</span><span class="s2">"Quad9 DoH"</span> add <span class="nv">list</span><span class="o">=</span>doh_servers <span class="nv">address</span><span class="o">=</span>149.112.112.112 <span class="nv">comment</span><span class="o">=</span><span class="s2">"Quad9 DoH"</span> add <span class="nv">list</span><span class="o">=</span>doh_servers <span class="nv">address</span><span class="o">=</span>94.140.14.14 <span class="nv">comment</span><span class="o">=</span><span class="s2">"AdGuard DoH"</span> add <span class="nv">list</span><span class="o">=</span>doh_servers <span class="nv">address</span><span class="o">=</span>94.140.15.15 <span class="nv">comment</span><span class="o">=</span><span class="s2">"AdGuard DoH"</span> add <span class="nv">list</span><span class="o">=</span>doh_servers <span class="nv">address</span><span class="o">=</span>185.228.168.9 <span class="nv">comment</span><span class="o">=</span><span class="s2">"CleanBrowsing DoH"</span> add <span class="nv">list</span><span class="o">=</span>doh_servers <span class="nv">address</span><span class="o">=</span>76.76.2.0 <span class="nv">comment</span><span class="o">=</span><span class="s2">"ControlD DoH"</span> </code></pre> </div> <p>Now drop traffic to those IPs on port 443:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>/ip firewall filter add <span class="nv">chain</span><span class="o">=</span>forward dst-address-list<span class="o">=</span>doh_servers dst-port<span class="o">=</span>443 <span class="nv">protocol</span><span class="o">=</span>tcp <span class="nv">action</span><span class="o">=</span>drop <span class="nv">comment</span><span class="o">=</span><span class="s2">"Block DoH"</span> </code></pre> </div> <h2> Step 3 — Block DoT (DNS over TLS) </h2> <p>DoT uses port 853. This one is easier — just block the port.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>/ip firewall filter add <span class="nv">chain</span><span class="o">=</span>forward dst-port<span class="o">=</span>853 <span class="nv">protocol</span><span class="o">=</span>tcp <span class="nv">action</span><span class="o">=</span>drop <span class="nv">comment</span><span class="o">=</span><span class="s2">"Block DoT port 853"</span> add <span class="nv">chain</span><span class="o">=</span>forward dst-port<span class="o">=</span>853 <span class="nv">protocol</span><span class="o">=</span>udp <span class="nv">action</span><span class="o">=</span>drop <span class="nv">comment</span><span class="o">=</span><span class="s2">"Block DoT UDP 853"</span> </code></pre> </div> <h2> Step 4 — Build Dynamic Address Lists for Social Media </h2> <p>Instead of hardcoding IPs (which change), use DNS-based address lists with the MikroTik scripting engine to resolve and populate them automatically.</p> <p>First, create the address lists:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>/ip firewall address-list add <span class="nv">list</span><span class="o">=</span>blocked_social <span class="nv">address</span><span class="o">=</span>facebook.com <span class="nv">comment</span><span class="o">=</span><span class="s2">"Facebook"</span> add <span class="nv">list</span><span class="o">=</span>blocked_social <span class="nv">address</span><span class="o">=</span>www.facebook.com add <span class="nv">list</span><span class="o">=</span>blocked_social <span class="nv">address</span><span class="o">=</span>instagram.com add <span class="nv">list</span><span class="o">=</span>blocked_social <span class="nv">address</span><span class="o">=</span>www.instagram.com add <span class="nv">list</span><span class="o">=</span>blocked_social <span class="nv">address</span><span class="o">=</span>tiktok.com add <span class="nv">list</span><span class="o">=</span>blocked_social <span class="nv">address</span><span class="o">=</span>www.tiktok.com add <span class="nv">list</span><span class="o">=</span>blocked_social <span class="nv">address</span><span class="o">=</span>twitter.com add <span class="nv">list</span><span class="o">=</span>blocked_social <span class="nv">address</span><span class="o">=</span>x.com add <span class="nv">list</span><span class="o">=</span>blocked_social <span class="nv">address</span><span class="o">=</span>snapchat.com add <span class="nv">list</span><span class="o">=</span>blocked_social <span class="nv">address</span><span class="o">=</span>youtube.com add <span class="nv">list</span><span class="o">=</span>blocked_social <span class="nv">address</span><span class="o">=</span>www.youtube.com add <span class="nv">list</span><span class="o">=</span>blocked_social <span class="nv">address</span><span class="o">=</span>whatsapp.com add <span class="nv">list</span><span class="o">=</span>blocked_social <span class="nv">address</span><span class="o">=</span>web.whatsapp.com add <span class="nv">list</span><span class="o">=</span>blocked_social <span class="nv">address</span><span class="o">=</span>telegram.org add <span class="nv">list</span><span class="o">=</span>blocked_social <span class="nv">address</span><span class="o">=</span>web.telegram.org add <span class="nv">list</span><span class="o">=</span>blocked_social <span class="nv">address</span><span class="o">=</span>reddit.com add <span class="nv">list</span><span class="o">=</span>blocked_social <span class="nv">address</span><span class="o">=</span>www.reddit.com add <span class="nv">list</span><span class="o">=</span>blocked_social <span class="nv">address</span><span class="o">=</span>linkedin.com add <span class="nv">list</span><span class="o">=</span>blocked_social <span class="nv">address</span><span class="o">=</span>www.linkedin.com add <span class="nv">list</span><span class="o">=</span>blocked_social <span class="nv">address</span><span class="o">=</span>pinterest.com </code></pre> </div> <h2> Step 5 — Use Layer-7 Matchers for SNI-Based Blocking </h2> <p>For HTTPS traffic you need Layer-7 patterns to match the SNI (Server Name Indication) field before TLS is established.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>/ip firewall layer7-protocol add <span class="nv">name</span><span class="o">=</span>facebook <span class="nv">regexp</span><span class="o">=</span><span class="s2">"^.+(facebook</span><span class="se">\\</span><span class="s2">.com|fbcdn</span><span class="se">\\</span><span class="s2">.net|fb</span><span class="se">\\</span><span class="s2">.com).*</span><span class="se">\$</span><span class="s2">"</span> add <span class="nv">name</span><span class="o">=</span>instagram <span class="nv">regexp</span><span class="o">=</span><span class="s2">"^.+(instagram</span><span class="se">\\</span><span class="s2">.com|cdninstagram</span><span class="se">\\</span><span class="s2">.com).*</span><span class="se">\$</span><span class="s2">"</span> add <span class="nv">name</span><span class="o">=</span>tiktok <span class="nv">regexp</span><span class="o">=</span><span class="s2">"^.+(tiktok</span><span class="se">\\</span><span class="s2">.com|tiktokv</span><span class="se">\\</span><span class="s2">.com|muscdn</span><span class="se">\\</span><span class="s2">.com).*</span><span class="se">\$</span><span class="s2">"</span> add <span class="nv">name</span><span class="o">=</span>youtube <span class="nv">regexp</span><span class="o">=</span><span class="s2">"^.+(youtube</span><span class="se">\\</span><span class="s2">.com|googlevideo</span><span class="se">\\</span><span class="s2">.com|ytimg</span><span class="se">\\</span><span class="s2">.com).*</span><span class="se">\$</span><span class="s2">"</span> add <span class="nv">name</span><span class="o">=</span>twitter <span class="nv">regexp</span><span class="o">=</span><span class="s2">"^.+(twitter</span><span class="se">\\</span><span class="s2">.com|x</span><span class="se">\\</span><span class="s2">.com|twimg</span><span class="se">\\</span><span class="s2">.com).*</span><span class="se">\$</span><span class="s2">"</span> add <span class="nv">name</span><span class="o">=</span>whatsapp <span class="nv">regexp</span><span class="o">=</span><span class="s2">"^.+(whatsapp</span><span class="se">\\</span><span class="s2">.com|whatsapp</span><span class="se">\\</span><span class="s2">.net).*</span><span class="se">\$</span><span class="s2">"</span> add <span class="nv">name</span><span class="o">=</span>telegram <span class="nv">regexp</span><span class="o">=</span><span class="s2">"^.+(telegram</span><span class="se">\\</span><span class="s2">.org|t</span><span class="se">\\</span><span class="s2">.me).*</span><span class="se">\$</span><span class="s2">"</span> </code></pre> </div> <p>Apply the Layer-7 rules in the forward chain:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>/ip firewall filter add <span class="nv">chain</span><span class="o">=</span>forward layer7-protocol<span class="o">=</span>facebook <span class="nv">action</span><span class="o">=</span>drop <span class="nv">comment</span><span class="o">=</span><span class="s2">"Block Facebook"</span> add <span class="nv">chain</span><span class="o">=</span>forward layer7-protocol<span class="o">=</span>instagram <span class="nv">action</span><span class="o">=</span>drop <span class="nv">comment</span><span class="o">=</span><span class="s2">"Block Instagram"</span> add <span class="nv">chain</span><span class="o">=</span>forward layer7-protocol<span class="o">=</span>tiktok <span class="nv">action</span><span class="o">=</span>drop <span class="nv">comment</span><span class="o">=</span><span class="s2">"Block TikTok"</span> add <span class="nv">chain</span><span class="o">=</span>forward layer7-protocol<span class="o">=</span>youtube <span class="nv">action</span><span class="o">=</span>drop <span class="nv">comment</span><span class="o">=</span><span class="s2">"Block YouTube"</span> add <span class="nv">chain</span><span class="o">=</span>forward layer7-protocol<span class="o">=</span>twitter <span class="nv">action</span><span class="o">=</span>drop <span class="nv">comment</span><span class="o">=</span><span class="s2">"Block Twitter/X"</span> add <span class="nv">chain</span><span class="o">=</span>forward layer7-protocol<span class="o">=</span>whatsapp <span class="nv">action</span><span class="o">=</span>drop <span class="nv">comment</span><span class="o">=</span><span class="s2">"Block WhatsApp"</span> add <span class="nv">chain</span><span class="o">=</span>forward layer7-protocol<span class="o">=</span>telegram <span class="nv">action</span><span class="o">=</span>drop <span class="nv">comment</span><span class="o">=</span><span class="s2">"Block Telegram"</span> </code></pre> </div> <blockquote> <p><strong>Performance note:</strong> Layer-7 inspection is CPU-intensive. On high-traffic routers (1Gbps+), consider using a dedicated content filter or combining with address-list drops to reduce L7 load.</p> </blockquote> <h2> Step 6 — DNS-Level Blocking (Fastest Method) </h2> <p>The most efficient block is at DNS level. When a client requests facebook.com, your router returns NXDOMAIN or a redirect IP.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>/ip dns static add <span class="nv">name</span><span class="o">=</span>facebook.com <span class="nv">address</span><span class="o">=</span>0.0.0.0 <span class="nv">comment</span><span class="o">=</span><span class="s2">"Block Facebook DNS"</span> add <span class="nv">name</span><span class="o">=</span>www.facebook.com <span class="nv">address</span><span class="o">=</span>0.0.0.0 add <span class="nv">name</span><span class="o">=</span>instagram.com <span class="nv">address</span><span class="o">=</span>0.0.0.0 add <span class="nv">name</span><span class="o">=</span>www.instagram.com <span class="nv">address</span><span class="o">=</span>0.0.0.0 add <span class="nv">name</span><span class="o">=</span>tiktok.com <span class="nv">address</span><span class="o">=</span>0.0.0.0 add <span class="nv">name</span><span class="o">=</span>www.tiktok.com <span class="nv">address</span><span class="o">=</span>0.0.0.0 add <span class="nv">name</span><span class="o">=</span>twitter.com <span class="nv">address</span><span class="o">=</span>0.0.0.0 add <span class="nv">name</span><span class="o">=</span>x.com <span class="nv">address</span><span class="o">=</span>0.0.0.0 add <span class="nv">name</span><span class="o">=</span>youtube.com <span class="nv">address</span><span class="o">=</span>0.0.0.0 add <span class="nv">name</span><span class="o">=</span>www.youtube.com <span class="nv">address</span><span class="o">=</span>0.0.0.0 add <span class="nv">name</span><span class="o">=</span>whatsapp.com <span class="nv">address</span><span class="o">=</span>0.0.0.0 add <span class="nv">name</span><span class="o">=</span>web.whatsapp.com <span class="nv">address</span><span class="o">=</span>0.0.0.0 add <span class="nv">name</span><span class="o">=</span>telegram.org <span class="nv">address</span><span class="o">=</span>0.0.0.0 add <span class="nv">name</span><span class="o">=</span>t.me <span class="nv">address</span><span class="o">=</span>0.0.0.0 add <span class="nv">name</span><span class="o">=</span>snapchat.com <span class="nv">address</span><span class="o">=</span>0.0.0.0 add <span class="nv">name</span><span class="o">=</span>reddit.com <span class="nv">address</span><span class="o">=</span>0.0.0.0 add <span class="nv">name</span><span class="o">=</span>pinterest.com <span class="nv">address</span><span class="o">=</span>0.0.0.0 </code></pre> </div> <p>This works because we already forced all DNS through the router in Step 1.</p> <h2> Step 7 — Apply Blocks to Specific IP Ranges Only (Optional) </h2> <p>If you only want to block social media for certain customers (e.g., a B2B client's LAN) and not your entire network:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>/ip firewall address-list add <span class="nv">list</span><span class="o">=</span>restricted_clients <span class="nv">address</span><span class="o">=</span>192.168.100.0/24 <span class="nv">comment</span><span class="o">=</span><span class="s2">"Client LAN to restrict"</span> </code></pre> </div> <p>Then modify your drop rules to match the source:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>/ip firewall filter add <span class="nv">chain</span><span class="o">=</span>forward src-address-list<span class="o">=</span>restricted_clients dst-address-list<span class="o">=</span>blocked_social <span class="nv">action</span><span class="o">=</span>drop <span class="nv">comment</span><span class="o">=</span><span class="s2">"Block social for restricted clients"</span> </code></pre> </div> <h2> Step 8 — Schedule DNS Refresh Script </h2> <p>MikroTik static DNS entries don't auto-update if CDN IPs change. Run a scheduler to flush and re-resolve periodically:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>/system scheduler add <span class="nv">name</span><span class="o">=</span>flush-social-dns <span class="nv">interval</span><span class="o">=</span>12h on-event<span class="o">=</span><span class="s2">"/ip dns cache flush"</span> <span class="nv">comment</span><span class="o">=</span><span class="s2">"Flush DNS cache every 12 hours"</span> </code></pre> </div> <h2> Testing Your Setup </h2> <p><strong>Test DNS blocking:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># From a client PC</span> nslookup facebook.com YOUR_ROUTER_IP <span class="c"># Should return 0.0.0.0</span> </code></pre> </div> <p><strong>Test DoT is blocked:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Try resolving via DoT (kdig from knot-resolver)</span> kdig @1.1.1.1 +tls facebook.com <span class="c"># Should time out</span> </code></pre> </div> <p><strong>Test from MikroTik terminal:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>/ip firewall filter print stats <span class="c"># Check hit counters on your drop rules</span> </code></pre> </div> <h2> Common Issues &amp; Fixes </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Problem</th> <th>Cause</th> <th>Fix</th> </tr> </thead> <tbody> <tr> <td>Social media still works</td> <td>Client using DoH</td> <td>Ensure DoH IPs are in address list and port 443 drop rule is active</td> </tr> <tr> <td>Blocking too much traffic</td> <td>Layer-7 regex too broad</td> <td>Narrow your regexp patterns</td> </tr> <tr> <td>High CPU usage</td> <td>Too many L7 rules</td> <td>Prioritize DNS + address-list blocking, reduce L7 rules</td> </tr> <tr> <td>VPN bypass</td> <td>Client using VPN</td> <td>Block common VPN ports (1194, 1723, 500, 4500) separately</td> </tr> <tr> <td>Mobile apps still work</td> <td>Apps using IP directly</td> <td>Add CDN IP ranges to address list</td> </tr> </tbody> </table></div> <h2> Final Thoughts </h2> <p>A layered approach works best:</p> <ol> <li> <strong>DNS blocking</strong> — fast, low CPU, first line of defense</li> <li> <strong>Address list drops</strong> — catches direct IP access</li> <li> <strong>Layer-7 matching</strong> — catches SNI-based HTTPS</li> <li> <strong>DoH/DoT blocking</strong> — closes the bypass route</li> </ol> <p>No single method is 100% foolproof (determined users can always use VPNs), but this combination covers 95%+ of use cases in a managed ISP or enterprise environment.</p> <h2> About the Author </h2> <p>I'm <strong>Zill Ali</strong>, a Junior Network Engineer at <strong>FiberX Digital Pvt Ltd</strong> in Gujrat, Pakistan, working on FTTH B2B/B2C infrastructure and NOC operations. MTCNA Certified | APNIC BCAP 2026 | Hikvision Certified Installer.</p> <p>🔗 <a href="https://linkedin.com/in/zilleali12" rel="noopener noreferrer">LinkedIn</a> | <a href="https://fiverr.com/zillealibutt" rel="noopener noreferrer">Fiverr</a> | <a href="https://zilleali.com" rel="noopener noreferrer">zilleali.com</a></p> <p><em>Have questions about your MikroTik setup? Drop them in the comments — happy to help!</em></p> mikrotik networking isp firewall