
Trying to stop client users on the network from circumventing the NextDNS server.

Hi, 

I have a registered NextDNS free account. 

I have a working RT-AC86U router already configured to use NextDNS's DNS filtering service to block websites classified as Porn, Gambling, Dating, Piracy and Online gaming. I did not take the route of installing NextDNS via CLI commands on my Asus router, and the filtering service is working as expected. [I followed this guide from Reddit: https://www.reddit.com/r/nextdns/comments/x2k8f3/asus_merlin_noncli_configuration_guide/ ]

However, I am stuck on preventing a client user from changing the DNS address on the Windows PC and bypassing the filter.

I came across DNS Director on my router's portal, which is supposed to force a client device that has changed its Windows DNS address (e.g. to the free Google DNS server, 8.8.8.8) back to NextDNS's DNS server by redirecting all DNS requests there.

I followed a guide on preventing local DNS changes from your competitor's website, CleanBrowsing:

https://cleanbrowsing.org/help/docs/configure-with-merlin-for-asus/

However, I failed to get it working correctly, meaning a client user can still set his/her own favorite free DNS server on the Windows PC and bypass NextDNS's filtering service.

I have submitted the screenshots for your review.

At this stage, do you think DNS Director is broken due to software bugs in the Asuswrt-Merlin firmware?

Thank you.

4 replies

    • Wepee
    • 11 mths ago

    I forgot to add more screenshots:

    • Martheen
    • 11 mths ago

    In your screenshot, you're using Brave. Brave, along with other Chromium-based browsers (Chrome, Edge, Opera, etc.), can automatically upgrade to DoH if the OS DNS IP is in their preloaded list. These DoH requests will ignore the router redirection, since the router redirection only handles unencrypted DNS.

    To verify, try

    nslookup pornhub.com 8.8.8.8

    in your terminal. If the router redirection works, it shouldn't resolve (or it should resolve to 0.0.0.0). However, if you use dnslookup to query Google DoH, such as

    dnslookup pornhub.com https://dns.google/dns-query

    it would still resolve, because the router redirection can't see it.

    Honestly, it's pointless. Even if you block all alternative DoH addresses, it's trivial to just set the browser's DoH address manually to NextDNS's generic address (or their own profile), which you can't block from the router.
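The two checks Martheen describes above, as an added example that is not part of any reply in this thread: a small Python script that builds the RFC 8484 DoH GET form of a DNS query and parses the A records out of a response, so the "resolves to 0.0.0.0 means filtered" test can be applied to a DoH lookup the same way it is applied to the plain nslookup. The resolver URL https://dns.google/dns-query comes from the reply; the sample response bytes are constructed here, the 0.0.0.0 sentinel is taken from the reply as the filtered answer, and only `check_doh` needs network access.

```python
import base64, socket, struct
from urllib.request import Request, urlopen

def build_query(name, qtype=1, txid=0):
    """DNS query in wire format (RFC 1035); RFC 8484 suggests ID 0 for cacheable DoH GETs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def doh_get_url(resolver, name):
    """RFC 8484 GET form: <resolver>?dns=<base64url(query) with '=' padding removed>."""
    q = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode()
    return f"{resolver}?dns={q}"

def _skip_name(msg, off):
    """Advance past a (possibly compressed) owner name; a 2-byte pointer ends the name."""
    while msg[off] != 0 and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def parse_a_records(msg):
    """Return the IPv4 addresses carried in the answer section of a DNS response."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def looks_filtered(addrs):
    """Filtered if nothing resolved or every answer is the 0.0.0.0 sentinel from the reply."""
    return not addrs or all(a == "0.0.0.0" for a in addrs)

def check_doh(resolver, name):
    """Same lookup over HTTPS: a redirect of port 53 on the router never sees this request."""
    req = Request(doh_get_url(resolver, name), headers={"Accept": "application/dns-message"})
    with urlopen(req, timeout=5) as r:
        return looks_filtered(parse_a_records(r.read()))

# Constructed sample response (not captured from any resolver): one A record of 0.0.0.0
SAMPLE_BLOCKED = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0) + build_query("example.test")[12:]
                  + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(4))
```

Comparing `check_doh("https://dns.google/dns-query", name)` with the nslookup result for the same name shows whether the router redirect is the only thing standing between a client and the filter.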

      • Wepee
      • 11 mths ago

      Martheen, thanks for your reply.

      First of all, there is actually a huge misunderstanding about what I was told regarding DNS Director.

      DNS Director: thinking of using this feature to prevent a rogue PC whose DNS settings have been tampered with (not using NextDNS's DNS servers) from accessing adult websites is wrong. That is not the function of DNS Director.

      The actual function of DNS Director (formerly called DNS Filter) is this: when it is enabled, it actually overrides the WAN-side DNS settings on the router. So if the router DNS setting is pointing to:

       NextDNS DNS servers = 45.90.28.197 & 45.90.30.197 

      and I have the DNS Director DNS setting pointing to 1.1.1.1, then all the LAN devices will get DNS replies from the Cloudflare DNS server.

      However, within DNS Director itself you can specify, by MAC address, which devices you don't want to use Cloudflare DNS (that is called "no redirection").

    • Wepee
    • 11 mths ago

    @Martheen

    Please ignore the reply above that I have reported.

    First of all, there is actually a huge misunderstanding about what I was told regarding DNS Director (formerly called DNS Filter).

    DNS Director: my initial thought of using this feature to prevent a rogue PC whose DNS settings have been tampered with (that is, not using NextDNS's DNS servers) from accessing restricted websites was wrong. That is not the function of DNS Director.

    The actual function of DNS Director is this: when it is enabled, it actually overrides (takes precedence over) the WAN-side DNS settings on the router. For example, if the router DNS setting is pointing to:

     NextDNS DNS servers = 45.90.28.197 & 45.90.30.197 

    and I have the DNS Director DNS setting pointing to 1.1.1.1, then all the LAN devices will get DNS replies from the Cloudflare DNS server.

    However, within DNS Director itself you can specify, by MAC address, which devices you don't want to use Cloudflare DNS (that is called "no redirection"). This means that, in actual fact, some devices can be configured to keep getting DNS replies from the NextDNS DNS servers (no change).

    So effectively, by using DNS Director, you can have one group of devices getting DNS replies from DNS A and another group getting them from DNS B.
