
So the kids are bypassing DNS protection.

If you enable HTTPS over TLS in Firefox, it uses Cloudflare and gets around all protection.

I already blocked alternative DNS servers and forced DNS on IPv4, but they're now using this in Firefox to get around it (DoH and DoT).

How do I ensure the users can't bypass DNS and it's forced to NextDNS?

I also have an OpenWrt router, but 9 times out of 10 I'm baffled by it.

4 replies
  • Since Firefox has its own "ignore your OS settings" options for DNS, certificates, etc., I think the only way you can achieve that is either nuking Firefox or configuring it in a way that prevents edits. If "the kids" have local admin rights to the computer, that's moot.

  • Router options: I have a fully configurable OpenWrt.

  • In C:\Program Files\Mozilla Firefox\defaults\pref create autoconfig.js

    with this code:

    // autoconfig.js: points Firefox at a config file in the install directory
    pref("general.config.filename", "firefox.cfg");
    // 0 = firefox.cfg is plain text, not byte-shifted
    pref("general.config.obscure_value", 0);

    then create in C:\Program Files\Mozilla Firefox\ the file firefox.cfg

    with this code:

    // the first line is always a comment
    // 3 = TRR-only: resolve through DoH and never fall back to the OS resolver
    lockPref("network.trr.mode", 3);
    // the DoH endpoint; lockPref greys the setting out in about:preferences
    lockPref("network.trr.uri", "https://dns.nextdns.io/HEREYOURID/Firefox");
    lockPref("network.trr.custom_uri", "https://dns.nextdns.io/HEREYOURID/Firefox");
    // network.trr.bootstrapAddress must be the IP of the host named in
    // network.trr.uri; 1.1.1.1 is Cloudflare, not dns.nextdns.io, so the
    // pref is left unset and Firefox resolves dns.nextdns.io once through the
    // system (NextDNS) resolver before switching to DoH
    // keep using DoH even when parental controls, an NRPT policy, a proxy or
    // a VPN is detected (each of these normally disables TRR)
    lockPref("network.dns.skipTRR-when-parental-control-enabled", false);
    lockPref("network.trr.enable_when_nrpt_detected", true);
    lockPref("network.trr.enable_when_proxy_detected", true);
    lockPref("network.trr.enable_when_vpn_detected", true);
    // with a SOCKS proxy, let the proxy resolve names rather than the client
    lockPref("network.proxy.socks_remote_dns", true);

    Do not forget to replace the address lines with your own, where the HEREYOURID mark is.

    Block these files from being modified. Now Firefox will always use NextDNS =) But there is still an option to bypass this through the portable version of the browser.

    In C:\Windows\System32\drivers\etc\hosts add these lines:

    # DoH providers built into Firefox: sinkhole them for IPv4 and IPv6
    0.0.0.0 dns.cloudflare.com
    :: dns.cloudflare.com
    0.0.0.0 security.cloudflare-dns.com
    :: security.cloudflare-dns.com
    0.0.0.0 family.cloudflare-dns.com
    :: family.cloudflare-dns.com
    0.0.0.0 dns.google
    :: dns.google

    You can also block all third-party DNS servers on the router, but even so, children can use NextDNS through portable Firefox without filtering. So if your goal is an iron wall for children, then you need some kind of Kaspersky Internet Security with password-locked settings to restrict network access for all applications except those you approved.

    But even then your children can bypass the lock through a Linux LiveCD, so you also need to block the UEFI BIOS from changing the boot device by setting a password on the settings. It all depends on the technical literacy of your children. :)

  • Well, all DNS is dropped, so regular DNS changes don't work; I can set the PC to 1.1.1.1 and it doesn't work.

    DHCP is set to NextDNS and forced.

    The HTTPS DNS is the problem, on phones and tablets, and without jumping on their PC every 5 minutes to change the registry (non-domain-joined).

    I got around it by installing banIP and the LuCI web front end on the OpenWrt router and adding the list of DoH IPs from below. Firefox no longer works; it drops back to regular DNS, which is filtered.

    https://raw.githubusercontent.com/jpgpi250/piholemanual/master/DOHipv4.txt

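The router-side approach in the reply above, as an added example that is not from the thread, NextDNS or the banIP package: a POSIX sh script that validates a DoH resolver IP list (the format of the DOHipv4.txt file linked above: one IPv4 address or CIDR per line, `#` comments) and renders an nftables include for OpenWrt's fw4 firewall that refuses DoH, DoT and DoQ from the LAN, so clients fall back to the DHCP-assigned, NextDNS-filtered resolver. Assumptions not stated in the thread: fw4 includes `/etc/nftables.d/*.nft` inside `table inet fw4` (confirm with `/etc/nftables.d/README` on the router), and the sample list and the exempted address `9.9.9.9/32` are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread, NextDNS or banIP: build an nftables
# include for OpenWrt's fw4 from a DoH resolver IP list, so LAN clients that
# try DoH/DoT/DoQ are refused and fall back to the DHCP-assigned resolver.
#
# Assumptions not stated in the thread:
#  - fw4 reads /etc/nftables.d/*.nft inside "table inet fw4" (see the README
#    in that directory), so the file may define a set and a base chain;
#  - input is one IPv4 address or CIDR per line, '#' starts a comment;
#  - SAMPLE_LIST and the 9.9.9.9/32 exemption are constructed for this demo.

# Constructed stand-in for the downloaded DOHipv4.txt.
SAMPLE_LIST='# constructed DoH resolver list
1.1.1.1
1.0.0.1          # trailing comments are fine
8.8.8.8
8.8.4.4
9.9.9.9/32
not-an-ip
'

# is_ipv4 ADDR: returns 0 if ADDR is a dotted quad with an optional /0-32 prefix.
is_ipv4() {
  addr=${1%%/*}
  prefix=${1#*/}
  [ "$prefix" = "$1" ] && prefix=32      # no slash: a host address
  case $prefix in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  oldifs=$IFS; IFS=.
  set -- $addr                           # split into octets
  IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# filter_ips: stdin -> stdout, one validated address per line; comments, blank
# lines and junk (a truncated or tampered download) are dropped.
filter_ips() {
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}
    line=$(printf '%s' "$line" | tr -d ' \t\r')
    [ -n "$line" ] && is_ipv4 "$line" && printf '%s\n' "$line"
  done
  return 0
}

# render_doh_block ALLOWLIST: reads validated addresses on stdin and prints an
# nft include. ALLOWLIST is a space-separated list of entries to exempt (exact
# match), e.g. the resolver the router itself forwards to.
render_doh_block() {
  allow=$1
  elements=
  while IFS= read -r ip; do
    skip=0
    for a in $allow; do [ "$a" = "$ip" ] && skip=1; done
    [ "$skip" -eq 1 ] && continue
    elements="${elements:+$elements, }$ip"
  done
  if [ -z "$elements" ]; then
    echo "render_doh_block: no addresses to block, refusing to write an empty set" >&2
    return 1
  fi
  cat <<EOF
# generated by render_doh_block: refuse encrypted DNS from the LAN
set doh_resolvers {
    type ipv4_addr
    flags interval
    elements = { $elements }
}

chain block_encrypted_dns {
    # runs just before fw4's own forward chain
    type filter hook forward priority filter - 1; policy accept;
    # DoH (TCP, and HTTP/3 over UDP) to known resolver addresses; a TCP reset
    # makes a browser in its default DoH mode fail over to plain DNS at once
    ip daddr @doh_resolvers tcp dport 443 counter reject with tcp reset
    ip daddr @doh_resolvers udp dport 443 counter drop
    # DoT and DoQ to any destination: nothing on the LAN should speak them
    tcp dport 853 counter reject with tcp reset
    udp dport 853 counter drop
}
EOF
}

# Demo run: exempt 9.9.9.9/32 (constructed stand-in for the router's upstream).
printf '%s' "$SAMPLE_LIST" | filter_ips | render_doh_block "9.9.9.9/32"
```

On the router the same functions would be fed the real list, e.g. `wget -O - <list URL> | filter_ips | render_doh_block "<addresses to exempt>" > /etc/nftables.d/90-block-doh.nft` followed by `/etc/init.d/firewall reload`; banIP does essentially this with its own feeds, the script just makes the rule logic visible. Two caveats: a Firefox locked to `network.trr.mode` 3 (as in the reply above) never falls back to plain DNS, so its provider must stay reachable or the browser has no name resolution at all; and an IP list only catches the resolvers it knows about and goes stale, so it is a complement to forcing plain DNS on the LAN, not a replacement.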
Last active 3 months ago · 240 views · 3 following