Smart TV manufacturers keep adding conveniences to their sets. I use the TV for IPTV, for content from a DLNA server, for YouTube and for Skype. In exchange, the manufacturer (this is written into the next agreement that appears after the next firmware and software update, and it cannot be declined) wants to know what I watch, how I watch it, when I switch the set on, and so on. I particularly "like" the feature that lets them connect to the TV remotely to provide support; useful, of course, but still... Where possible, I try to spoil these statistics by blocking packets from the TV to the corresponding domains. With a Mikrotik as the gateway, below the cut is a script that restricts access by the DNS names in a list. The list of blocked domains is not complete; it was compiled from the Internet. The script can just as well be used to block other domains.

Script parameters:
- the list of domains to block is given in the body of the script. A domain can be blocked by giving it in exact form,
"msecnd.net";
or together with all of its subdomains by prefixing it with *:
"*.adform.net";
- NameAddressList: the name of the address list, used later in the firewall rule.

The script runs on a schedule; I run it once a minute. In the firewall you need to add a rule that blocks the Smart TV from reaching the addresses in the list (the list name is set by the NameAddressList parameter in the script), of the form:

chain=forward action=reject reject-with=icmp-network-unreachable src-address=192.168.100.123 dst-address-list=BlockSpySmartTV log=no log-prefix="BlockSpySmartTV: "

192.168.100.123 is the TV's address.

How it works:
- after the first access to a domain, the corresponding IP address lands in the Mikrotik DNS cache;
- the script checks the cache and, on a match, blocks the corresponding IP address, using the cache TTL as the entry's timeout so that the list does not bloat. If the TTL is 0, a TTL of 59 seconds is used;
- the corresponding firewall rule blocks packets sent to that IP address.
It turns out that the IP address is blocked within 1 minute (in my case) of the domain being resolved. A minute after the TV is switched on, around two IP addresses are already blocked, and more follow. Watching the blocked domains for half an hour showed no noticeable increase in load on the router (within measurement error). The script itself:

:local NameAddressList "BlockSpySmartTV"
:local DNSDomains {
"*.samsungelectronics.com";
"*.samsungcloudsolution.com";
"*.samsungcloudsolution.net";
"*.samsungrm.net";
"*.samsungotn.net";
"*.samsungosp.com";
"*.internetat.tv";
"*.samsungyosemite.com";
"*.cloudfront.net";
"*.google-analytics.com";
"*.googletagservices.com";
"*.googlesyndication.com";
"*.amazonaws.com";
"*.krxd.net";
"*.cloudapp.net";
"*.doubleclick.net";
"*.xiti.com";
"*.pavv.co.kr";
"*.adform.net";
"msecnd.net"
}
# minimum lifetime of an address-list entry, so a cache record with a tiny TTL is still blocked for a while
:local minTTL [:totime "00:00:59"]
:local QuantDNSDomains [:len $DNSDomains]
:for iDNSDomain from=0 to=($QuantDNSDomains-1) do={
  :local CurrentDNSDomain ($DNSDomains->$iDNSDomain)
  :log debug " CurrentDNSDomain:'$CurrentDNSDomain'"
  :local prfx [:pick $CurrentDNSDomain 0 1]
  :local cacheEntries ""
  :if ($prfx != "*") do={
    # exact form: only the cached record with exactly this name
    :set cacheEntries [/ip dns cache all find where name=$CurrentDNSDomain]
  } else={
    # "*.example.com": drop the "*" and regex-match every cached name containing ".example.com"
    # (note: "~" is a regular expression, so "." matches any character and the match is not anchored)
    :set CurrentDNSDomain [:pick $CurrentDNSDomain 1 [:len $CurrentDNSDomain]]
    :set cacheEntries [/ip dns cache all find where name~$CurrentDNSDomain]
  }
  :foreach i in=$cacheEntries do={
    :local cacheName [/ip dns cache get $i name]
    :local tmpAddress ""
    # :resolve fails if the name can no longer be resolved; do not let that abort the whole run
    :do { :set tmpAddress [:resolve $cacheName] } on-error={ :set tmpAddress "" }
    :log debug " cacheName:'$cacheName' tmpAddress:'$tmpAddress'"
    :delay 10ms
    # add the address only once per list
    :if (([:typeof $tmpAddress] = "ip") && ([:len [/ip firewall address-list find where address=$tmpAddress list=$NameAddressList]] = 0)) do={
      :local cacheNameTTL [/ip dns cache get $i ttl]
      :log debug " cacheNameTTL: $cacheNameTTL"
      :if ($cacheNameTTL < $minTTL) do={
        :set cacheNameTTL $minTTL
        :log debug " SET cacheNameTTL: $cacheNameTTL"
      }
      :log warning (" added entry: dns-name: $cacheName ip-addr:$tmpAddress ttl:$cacheNameTTL")
      /ip firewall address-list add address=$tmpAddress list=$NameAddressList comment=$cacheName timeout=$cacheNameTTL
    }
  }
}
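To check a pattern list before loading it into the router, here is an added Python model (not the author's script) of the two matching rules the post describes, exact name versus "*." prefix, beside the unanchored regex that a `name~` test performs once the "*" is stripped, with the 59-second timeout floor applied. The DNS cache snapshot, the pattern list and the 203.0.113.0/24 addresses are constructed for the example, and Python's `re.search` stands in for the router's regex match.

```python
import re
from dataclasses import dataclass

MIN_TTL = 59  # seconds: the floor the router script applies to address-list timeouts

@dataclass(frozen=True)
class CacheEntry:
    name: str     # name as shown by /ip dns cache
    address: str  # resolved IPv4 address
    ttl: int      # seconds the cache record has left

def strict_match(pattern: str, name: str) -> bool:
    # Intended rule: "example.com" is that name only; "*.example.com" is every name under it.
    name = name.lower().rstrip(".")
    if pattern.startswith("*."):
        return name.endswith(pattern[1:].lower())
    return name == pattern.lower()

def regex_match(pattern: str, name: str) -> bool:
    # What a RouterOS `name~` test does once "*" is stripped: an unanchored regular
    # expression in which each "." matches any character (modelled here with re.search).
    body = pattern[1:] if pattern.startswith("*") else pattern
    return re.search(body, name) is not None

def plan_entries(cache, patterns, matcher=strict_match):
    # (address, comment, timeout) tuples the script would add, one per address, TTL floor applied.
    seen, out = set(), []
    for pat in patterns:
        for e in cache:
            if matcher(pat, e.name) and e.address not in seen:
                seen.add(e.address)
                out.append((e.address, e.name, max(e.ttl, MIN_TTL)))
    return out

def over_blocked(cache, patterns):
    # Addresses the unanchored regex would block that the intended rule would not.
    strict = {e[0] for e in plan_entries(cache, patterns)}
    loose = {e[0] for e in plan_entries(cache, patterns, regex_match)}
    return sorted(loose - strict)

# Constructed cache snapshot and pattern list (addresses from the TEST-NET-3 range).
CACHE = [
    CacheEntry("log.adform.net", "203.0.113.10", 0),
    CacheEntry("msecnd.net", "203.0.113.20", 300),
    CacheEntry("cdn.msecnd.net", "203.0.113.21", 300),
    CacheEntry("notadform.net", "203.0.113.30", 120),  # unrelated site
    CacheEntry("www.example.org", "203.0.113.40", 60),
]
PATTERNS = ["*.adform.net", "msecnd.net"]
```

Running `plan_entries(CACHE, PATTERNS)` gives the two entries the list should contain, while `over_blocked(CACHE, PATTERNS)` shows the unrelated addresses the plain regex form would also block.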
Update 2017-06-13: since the release of RouterOS 6.36 it is possible to block by DNS name rather than by IP address. The script has been reworked; its current state is at github.com/ErshovSergey/Mikrotik_update_AddressList_ip