ZILL E ALI BUTT

Originally published at zilleali.com

How I blocked all Social Media + DoH/DoT on MikroTik for an ISP network (step-by-step)

Managing an ISP network means you often need to enforce content policies — whether for a corporate client, a school, or a regulated environment. In this post, I'll walk through exactly how I built a robust social media and app-blocking system on MikroTik RouterOS, including blocking DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) to prevent users from bypassing your filters.

This is a real setup I implemented at FiberX Digital, where I work as a Junior Network Engineer managing FTTH B2B and B2C infrastructure.


What We're Building

  • Block social media platforms (Facebook, Instagram, TikTok, YouTube, Twitter/X, Snapchat, etc.)
  • Block messaging apps (WhatsApp, Telegram, Signal)
  • Force all DNS through your controlled resolver
  • Block DoH and DoT so users can't bypass your DNS filters
  • Use dynamic address lists for easy management

Prerequisites

  • MikroTik router running RouterOS v6.49+ or v7.x
  • Admin access via Winbox or SSH
  • Basic knowledge of MikroTik firewall rules

Step 1 — Force DNS to Your Router

First, redirect all outbound DNS (port 53) back to your router so no client can use an external resolver directly.

/ip firewall nat
add chain=dstnat protocol=udp dst-port=53 action=redirect to-ports=53 comment="Force DNS to router UDP"
add chain=dstnat protocol=tcp dst-port=53 action=redirect to-ports=53 comment="Force DNS to router TCP"

Set your router's DNS and disable remote requests if not needed:

/ip dns
set servers=1.1.1.1,8.8.8.8 allow-remote-requests=yes cache-max-ttl=1d

Note: allow-remote-requests=yes is required for the NAT redirect to work. Lock it down at the firewall level instead (Step 4).


Step 2 — Block DoH (DNS over HTTPS)

DoH runs over HTTPS on port 443, so you can't block it by port alone. You need to block the known DoH provider IPs using an address list.

/ip firewall address-list
add list=doh_servers address=1.1.1.1 comment="Cloudflare DoH"
add list=doh_servers address=1.0.0.1 comment="Cloudflare DoH"
add list=doh_servers address=8.8.8.8 comment="Google DoH"
add list=doh_servers address=8.8.4.4 comment="Google DoH"
add list=doh_servers address=9.9.9.9 comment="Quad9 DoH"
add list=doh_servers address=149.112.112.112 comment="Quad9 DoH"
add list=doh_servers address=94.140.14.14 comment="AdGuard DoH"
add list=doh_servers address=94.140.15.15 comment="AdGuard DoH"
add list=doh_servers address=185.228.168.9 comment="CleanBrowsing DoH"
add list=doh_servers address=76.76.2.0 comment="ControlD DoH"

Now drop traffic to those IPs on port 443:

/ip firewall filter
add chain=forward dst-address-list=doh_servers dst-port=443 protocol=tcp action=drop comment="Block DoH"

Step 3 — Block DoT (DNS over TLS)

DoT uses port 853. This one is easier — just block the port.

/ip firewall filter
add chain=forward dst-port=853 protocol=tcp action=drop comment="Block DoT port 853"
add chain=forward dst-port=853 protocol=udp action=drop comment="Block DNS over QUIC (UDP 853)"

Step 4 — Build Dynamic Address Lists for Social Media

Instead of hardcoding IPs (which change), use DNS-based address lists with the MikroTik scripting engine to resolve and populate them automatically.

First, create the address lists:

/ip firewall address-list
add list=blocked_social address=facebook.com comment="Facebook"
add list=blocked_social address=www.facebook.com
add list=blocked_social address=instagram.com
add list=blocked_social address=www.instagram.com
add list=blocked_social address=tiktok.com
add list=blocked_social address=www.tiktok.com
add list=blocked_social address=twitter.com
add list=blocked_social address=x.com
add list=blocked_social address=snapchat.com
add list=blocked_social address=youtube.com
add list=blocked_social address=www.youtube.com
add list=blocked_social address=whatsapp.com
add list=blocked_social address=web.whatsapp.com
add list=blocked_social address=telegram.org
add list=blocked_social address=web.telegram.org
add list=blocked_social address=reddit.com
add list=blocked_social address=www.reddit.com
add list=blocked_social address=linkedin.com
add list=blocked_social address=www.linkedin.com
add list=blocked_social address=pinterest.com

Step 5 — Use Layer-7 Matchers for SNI-Based Blocking

For HTTPS traffic you need Layer-7 patterns to match the SNI (Server Name Indication) field, which the client sends in clear text in the TLS ClientHello before the encrypted session is established.

/ip firewall layer7-protocol
add name=facebook regexp="^.+(facebook\\.com|fbcdn\\.net|fb\\.com).*\$"
add name=instagram regexp="^.+(instagram\\.com|cdninstagram\\.com).*\$"
add name=tiktok regexp="^.+(tiktok\\.com|tiktokv\\.com|muscdn\\.com).*\$"
add name=youtube regexp="^.+(youtube\\.com|googlevideo\\.com|ytimg\\.com).*\$"
add name=twitter regexp="^.+(twitter\\.com|x\\.com|twimg\\.com).*\$"
add name=whatsapp regexp="^.+(whatsapp\\.com|whatsapp\\.net).*\$"
add name=telegram regexp="^.+(telegram\\.org|t\\.me).*\$"

Apply the Layer-7 rules in the forward chain:

/ip firewall filter
add chain=forward layer7-protocol=facebook action=drop comment="Block Facebook"
add chain=forward layer7-protocol=instagram action=drop comment="Block Instagram"
add chain=forward layer7-protocol=tiktok action=drop comment="Block TikTok"
add chain=forward layer7-protocol=youtube action=drop comment="Block YouTube"
add chain=forward layer7-protocol=twitter action=drop comment="Block Twitter/X"
add chain=forward layer7-protocol=whatsapp action=drop comment="Block WhatsApp"
add chain=forward layer7-protocol=telegram action=drop comment="Block Telegram"

Performance note: Layer-7 inspection is CPU-intensive. On high-traffic routers (1Gbps+), consider using a dedicated content filter or combining with address-list drops to reduce L7 load.


Step 6 — DNS-Level Blocking (Fastest Method)

The most efficient block is at DNS level. When a client requests facebook.com, your router returns NXDOMAIN or a redirect IP instead of the real record (the entries below use 0.0.0.0 as the sinkhole address).

/ip dns static
add name=facebook.com address=0.0.0.0 comment="Block Facebook DNS"
add name=www.facebook.com address=0.0.0.0
add name=instagram.com address=0.0.0.0
add name=www.instagram.com address=0.0.0.0
add name=tiktok.com address=0.0.0.0
add name=www.tiktok.com address=0.0.0.0
add name=twitter.com address=0.0.0.0
add name=x.com address=0.0.0.0
add name=youtube.com address=0.0.0.0
add name=www.youtube.com address=0.0.0.0
add name=whatsapp.com address=0.0.0.0
add name=web.whatsapp.com address=0.0.0.0
add name=telegram.org address=0.0.0.0
add name=t.me address=0.0.0.0
add name=snapchat.com address=0.0.0.0
add name=reddit.com address=0.0.0.0
add name=pinterest.com address=0.0.0.0

This works because we already forced all DNS through the router in Step 1.
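Steps 4, 5 and 6 repeat the same domains by hand in three different places. The script below is an added example (it is not code from the original post or from MikroTik): it generates the address-list, static DNS and Layer-7 commands from a single table, applying the RouterOS quoting rules that make the Layer-7 regexps look the way they do on the command line. The SOCIAL_DOMAINS table is a constructed sample and the function names are my own.

```python
"""Generate the repetitive RouterOS commands of Steps 4-6 from one domain table.

Added example, not from the original post: keeping the address-list,
static-DNS and Layer-7 definitions in one table means the three layers
cannot drift apart when a domain is added or removed.
"""

# Constructed sample table: platform name -> domains to block.
SOCIAL_DOMAINS = {
    "facebook": ["facebook.com", "www.facebook.com", "fbcdn.net", "fb.com"],
    "instagram": ["instagram.com", "www.instagram.com", "cdninstagram.com"],
    "telegram": ["telegram.org", "web.telegram.org", "t.me"],
}


def routeros_quote(value: str) -> str:
    # Inside a double-quoted RouterOS string a literal backslash is written as
    # two backslashes and a literal '$' as backslash-dollar (an unescaped
    # '$name' is a variable reference). Backslashes must be doubled first.
    escaped = value.replace("\\", "\\\\").replace("$", "\\$")
    return '"' + escaped + '"'


def l7_domains(domains):
    # A Layer-7 pattern matches anywhere in the payload, so a subdomain entry
    # is redundant once its parent domain is in the same pattern.
    return [d for d in domains
            if not any(d != parent and d.endswith("." + parent) for parent in domains)]


def l7_regexp(domains) -> str:
    # Same shape as the post's patterns: ^.+(dom1|dom2).*$ with dots escaped.
    alternatives = "|".join(d.replace(".", "\\.") for d in l7_domains(domains))
    return "^.+(" + alternatives + ").*$"


def layer7_commands(table) -> list:
    lines = ["/ip firewall layer7-protocol"]
    for name, domains in table.items():
        lines.append(f"add name={name} regexp={routeros_quote(l7_regexp(domains))}")
    return lines


def address_list_commands(table, list_name="blocked_social") -> list:
    # FQDN entries: RouterOS resolves them itself and keeps the list populated (Step 4).
    lines = ["/ip firewall address-list"]
    for name, domains in table.items():
        for domain in domains:
            lines.append(f"add list={list_name} address={domain} comment={routeros_quote(name)}")
    return lines


def static_dns_commands(table, sink="0.0.0.0") -> list:
    # Sinkhole answers for the names the router resolves for its clients (Step 6).
    lines = ["/ip dns static"]
    for name, domains in table.items():
        for domain in domains:
            comment = routeros_quote(f"Block {name} DNS")
            lines.append(f"add name={domain} address={sink} comment={comment}")
    return lines


def render_all(table) -> str:
    # Paste the output into a RouterOS terminal, or save it and /import it.
    sections = [address_list_commands(table), static_dns_commands(table), layer7_commands(table)]
    return "\n\n".join("\n".join(section) for section in sections) + "\n"


if __name__ == "__main__":
    print(render_all(SOCIAL_DOMAINS), end="")
```

Two details worth knowing when you extend the table: static DNS entries match the exact name only, so every host name that should be sinkholed (www.facebook.com as well as facebook.com) needs its own row, whereas the Layer-7 pattern matches a substring and only needs the parent domain, which is why `l7_domains` drops the subdomains before building the regexp.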


Step 7 — Apply Blocks to Specific IP Ranges Only (Optional)

If you only want to block social media for certain customers (e.g., a B2B client's LAN) and not your entire network:

/ip firewall address-list
add list=restricted_clients address=192.168.100.0/24 comment="Client LAN to restrict"

Then modify your drop rules to match the source:

/ip firewall filter
add chain=forward src-address-list=restricted_clients dst-address-list=blocked_social action=drop comment="Block social for restricted clients"

Step 8 — Schedule DNS Refresh Script

MikroTik static DNS entries don't auto-update if CDN IPs change. Run a scheduler to flush and re-resolve periodically:

/system scheduler
add name=flush-social-dns interval=12h on-event="/ip dns cache flush" comment="Flush DNS cache every 12 hours"

Testing Your Setup

Test DNS blocking:

# From a client PC
nslookup facebook.com YOUR_ROUTER_IP
# Should return 0.0.0.0

Test DoT is blocked:

# Try resolving via DoT (kdig from the Knot DNS utilities)
kdig @1.1.1.1 +tls facebook.com
# Should time out

Test from MikroTik terminal:

/ip firewall filter print stats
# Check hit counters on your drop rules
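The manual checks above can be scripted so you can re-run them after every rule change. The following Python script is an added example, not from the original post: it builds a raw DNS A query with the standard library only, so it tests the router specifically rather than whatever resolver the client OS is configured with, checks that blocked names come back as 0.0.0.0, and probes TCP/853 on a public resolver to confirm the DoT drop. ROUTER_IP, DOT_PROBE and the function names are assumptions, and the sample response used for offline checking is constructed.

```python
"""Client-side check for the DNS sinkhole (Step 6) and the DoT block (Step 3).

Added example, not part of the original post. Only the standard library is
used so it runs on any client PC without extra tools.
"""
import socket
import struct

ROUTER_IP = "192.168.88.1"    # assumption: your router's LAN address
DOT_PROBE = ("1.1.1.1", 853)  # a public DoT endpoint that Step 3 should make unreachable


def build_a_query(name: str, txid: int = 0x1234) -> bytes:
    # Header: id, flags (RD=1), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def skip_name(msg: bytes, offset: int) -> int:
    # Advance past a (possibly compressed) domain name and return the new offset.
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length


def rcode(msg: bytes) -> int:
    # Low four bits of the flags word: 0 = NOERROR, 3 = NXDOMAIN.
    return struct.unpack("!H", msg[2:4])[0] & 0x0F


def parse_a_records(msg: bytes) -> list:
    # Return the IPv4 addresses in the answer section of a DNS response.
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):
        offset = skip_name(msg, offset) + 4  # skip QTYPE and QCLASS
    addresses = []
    for _ in range(ancount):
        offset = skip_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            addresses.append(socket.inet_ntoa(msg[offset:offset + 4]))
        offset += rdlen
    return addresses


def constructed_sinkhole_response(name: str, txid: int = 0x1234) -> bytes:
    # Constructed sample (not captured traffic): the reply the router should give
    # for a Step 6 static entry, one A record of 0.0.0.0 with a compressed name.
    question = build_a_query(name, txid)[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + b"\x00\x00\x00\x00"
    return header + question + answer


def query_a(name: str, server: str, timeout: float = 3.0) -> list:
    # Network call: send the query over UDP/53 to `server` and return its A records.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_a_query(name), (server, 53))
        data, _ = sock.recvfrom(512)
    return parse_a_records(data)


def is_sinkholed(addresses: list, sink: str = "0.0.0.0") -> bool:
    # Step 6 answers blocked names with 0.0.0.0; anything else means the block missed.
    return bool(addresses) and all(a == sink for a in addresses)


def dot_reachable(host_port, timeout: float = 3.0) -> bool:
    # Network call: True if a TCP handshake to port 853 completes, i.e. DoT is NOT blocked.
    try:
        with socket.create_connection(host_port, timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for domain in ("facebook.com", "www.instagram.com"):
        answers = query_a(domain, ROUTER_IP)
        print(f"{domain}: {answers} -> {'BLOCKED' if is_sinkholed(answers) else 'NOT BLOCKED'}")
    host, port = DOT_PROBE
    print(f"DoT to {host}:{port} reachable: {dot_reachable(DOT_PROBE)}")
```

Run it from a PC on the restricted LAN, not from the router. A name that comes back with a real address means the client reached a resolver other than the router or the static entry is missing; a successful handshake to port 853 means the Step 3 drop rule is not matching that client's traffic.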

Common Issues & Fixes

| Problem | Cause | Fix |
| --- | --- | --- |
| Social media still works | Client using DoH | Ensure DoH IPs are in the address list and the port 443 drop rule is active |
| Blocking too much traffic | Layer-7 regex too broad | Narrow your regexp patterns |
| High CPU usage | Too many L7 rules | Prioritize DNS + address-list blocking, reduce L7 rules |
| VPN bypass | Client using VPN | Block common VPN ports (1194, 1723, 500, 4500) separately |
| Mobile apps still work | Apps using IP directly | Add CDN IP ranges to address list |

Final Thoughts

A layered approach works best:

  1. DNS blocking — fast, low CPU, first line of defense
  2. Address list drops — catches direct IP access
  3. Layer-7 matching — catches SNI-based HTTPS
  4. DoH/DoT blocking — closes the bypass route

No single method is 100% foolproof (determined users can always use VPNs), but this combination covers 95%+ of use cases in a managed ISP or enterprise environment.


About the Author

I'm Zill Ali, a Junior Network Engineer at FiberX Digital Pvt Ltd in Gujrat, Pakistan, working on FTTH B2B/B2C infrastructure and NOC operations. MTCNA Certified | APNIC BCAP 2026 | Hikvision Certified Installer.

🔗 LinkedIn | Fiverr | zilleali.com

Have questions about your MikroTik setup? Drop them in the comments — happy to help!
