So the kids are bypassing DNS protection.
If you enable HTTPS over TLS in Firefox, it uses Cloudflare and gets around all protection.
I already blocked alternative DNS servers and forced DNS on IPv4, but they're now using this in Firefox to get around it (DoH and DoT).
How do I ensure the users can't bypass DNS and it's forced to NextDNS?
I also have an OpenWrt router, but 9 times out of 10 I'm baffled by it.
In C:\Program Files\Mozilla Firefox\defaults\pref create autoconfig.js:
pref("general.config.filename", "firefox.cfg");
pref("general.config.obscure_value", 0);
Then create the file firefox.cfg in C:\Program Files\Mozilla Firefox\:
// the first line is always a comment
lockPref("network.trr.mode", 3);
lockPref("network.trr.uri", "https://dns.nextdns.io/HEREYOURID/Firefox");
lockPref("network.trr.custom_uri", "https://dns.nextdns.io/HEREYOURID/Firefox");
lockPref("network.trr.bootstrapAddress", "184.108.40.206");
lockPref("network.dns.skipTRR-when-parental-control-enabled", false);
lockPref("network.trr.enable_when_nrpt_detected", true);
lockPref("network.trr.enable_when_proxy_detected", true);
lockPref("network.trr.enable_when_vpn_detected", true);
lockPref("network.proxy.socks_remote_dns", true);
Do not forget to replace the line with the address with your own, where there is a mark HEREYOURID.
Block these files from being modified. Now Firefox will always use NextDNS =) But there is still an option to bypass this through the portable version of the browser.
Here C:\Windows\System32\drivers\etc in hosts:
0.0.0.0 dns.cloudflare.com
:: dns.cloudflare.com
0.0.0.0 security.cloudflare-dns.com
:: security.cloudflare-dns.com
0.0.0.0 family.cloudflare-dns.com
:: family.cloudflare-dns.com
0.0.0.0 dns.google
:: dns.google
You can also block all third-party DNS servers on the router, but even so, children can use NextDNS through portable Firefox without filtering. So if you have a goal of an iron wall for children, then you need some kind of Kaspersky Internet Security with password-locked settings to restrict access to the network for all applications except those you approved.
But even then your children can bypass the lock through the LiveCD of some Linux, so you also need to block the UEFI BIOS from changing the boot partition by setting a password on the settings. It all depends on the technical literacy of your children. :)
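An added example, not part of the original thread: a Python audit of firefox.cfg that reports which of the prefs from the post above are actually locked, taking into account that Firefox ignores the first line of the file. The function names and the sample profile ID abc123 are made up for illustration.

```python
import re
REQUIRED = {  # values locked in the firefox.cfg from the post above
    "network.trr.mode": 3,
    "network.dns.skipTRR-when-parental-control-enabled": False,
    "network.trr.enable_when_nrpt_detected": True,
    "network.trr.enable_when_proxy_detected": True,
    "network.trr.enable_when_vpn_detected": True,
    "network.proxy.socks_remote_dns": True,
}
URI_PREFS = ("network.trr.uri", "network.trr.custom_uri")
NEXTDNS_PREFIX = "https://dns.nextdns.io/"
# Keep string literals (group 1), drop // and /* */ comments outside them.
STRIP_RE = re.compile(r'("(?:[^"\\]|\\.)*")|//[^\n]*|/\*.*?\*/', re.S)
LOCK_RE = re.compile(r'lockPref\(\s*"([^"]+)"\s*,\s*("(?:[^"\\]|\\.)*"|true|false|-?\d+)\s*\)')

def parse_locked(cfg_text):
    """Return {pref: value} for lockPref() calls after line 1, which Firefox ignores."""
    body = cfg_text.split("\n", 1)[1] if "\n" in cfg_text else ""
    body = STRIP_RE.sub(lambda m: m.group(1) or "", body)
    locked = {}
    for name, raw in LOCK_RE.findall(body):
        if raw in ("true", "false"):
            locked[name] = raw == "true"
        else:
            locked[name] = raw[1:-1] if raw.startswith('"') else int(raw)
    return locked

def audit(cfg_text):
    """Return a list of findings; an empty list means the lock is as posted."""
    locked, findings = parse_locked(cfg_text), []
    for name, want in REQUIRED.items():
        got = locked.get(name)
        if (type(got), got) != (type(want), want):
            findings.append(f"{name}: expected {want!r}, found {got!r}")
    for name in URI_PREFS:
        uri = locked.get(name)
        if not isinstance(uri, str) or not uri.startswith(NEXTDNS_PREFIX):
            findings.append(f"{name}: not locked to {NEXTDNS_PREFIX}")
        elif "HEREYOURID" in uri:
            findings.append(f"{name}: placeholder HEREYOURID was not replaced")
    return findings

# Constructed samples: GOOD uses a made-up profile ID; FLAT is the same file on one line.
GOOD = "// first line is ignored\n" + "\n".join(
    [f'lockPref("{k}", {str(v).lower()});' for k, v in REQUIRED.items()]
    + [f'lockPref("{p}", "https://dns.nextdns.io/abc123/Firefox");' for p in URI_PREFS])
FLAT = GOOD.replace("\n", " ")

if __name__ == "__main__":
    print({"GOOD": audit(GOOD), "FLAT": audit(FLAT)})
```

A file saved as a single line starting with the comment locks nothing, which is why FLAT reports every pref as missing.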
Well, all DNS is dropped, so regular DNS changes don't work; I can set the PC to 220.127.116.11 and it doesn't work.
DHCP is set to NextDNS and forced.
The HTTPS DNS is the problem, on phones and tablets and without jumping on their PC every 5 minutes to change the registry (non domain joined).
I got around it by installing banIP and the LuCI web front end on the OpenWrt router, added the list of DoH IPs from below; Firefox no longer works, it drops back to regular DNS, which is filtered.