Chrome secure DNS easily bypasses NextDNS
Looks like when a user goes to Chrome and explicitly selects "NextDNS" as the secure DNS provider, Chrome will send DoH queries to the same DNS server currently in use with the client name "chromium-default", but without a profile name. This makes it really easy for users to bypass NextDNS.
Is it possible to block such a client name in networks that have profiles already attached to them? I understand some mobile network operators or certain ISPs use carrier-grade NAT and may not be suitable for this situation, but this is more for cases when the client has a public WAN IP, like Comcast.
If someone uses DoH (with whatever provider) they can bypass any other DNS settings in the network, and it won't be easily blocked because it's just using port 443. I'm not sure if Chrome has bootstrap IPs already built in, otherwise you might be able to block "dns.nextdns.io" (and other DoH server domains) in your custom settings. And you might also want to block the ports used for other DNS protocols like plaintext DNS or DoT in your network firewall.
Thanks for the reply. Yes, I have already blocked the plain DNS and DoT ports, but have a hard time blocking DoH since it is using port 443. I think Chrome has two Secure DNS settings:
1) Automatic Secure DNS upgrade: This one can be blocked by domain "chromium.dns.nextdns.io" according to Chrome source code
Another hard way to solve this is to set up a proxy to do inspection on traffic and block the DoH message type, which is not ideal and not good for performance.
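The proxy-inspection approach mentioned in this post comes down to recognising an RFC 8484 DoH query on port 443 once the TLS layer has been terminated. The following is an added example, not code from the thread or from NextDNS, showing the two request shapes RFC 8484 defines (a POST with `Content-Type: application/dns-message`, and a GET with a base64url `dns=` query parameter), decoding the wire-format DNS question inside, and returning a classification the proxy could act on. The sample requests, the `example.com` query, and the function names are all constructed for this example.

```python
import base64
import struct
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit


def build_dns_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal wire-format DNS query. Used here only to construct sample input."""
    # Header: ID, flags (RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)


def parse_qname(msg: bytes) -> Optional[str]:
    """Return the first question name in a DNS wire-format message, or None if malformed."""
    if len(msg) < 12:
        return None
    qdcount = struct.unpack(">H", msg[4:6])[0]
    if qdcount < 1:
        return None
    pos = 12
    labels = []
    while True:
        if pos >= len(msg):
            return None
        length = msg[pos]
        if length == 0:
            pos += 1
            break
        if length & 0xC0:
            # Compression pointers are not valid in a question name; treat as malformed
            return None
        pos += 1
        if pos + length > len(msg):
            return None
        labels.append(msg[pos:pos + length].decode("ascii", errors="replace"))
        pos += length
    if pos + 4 > len(msg):  # QTYPE and QCLASS must follow the name
        return None
    return ".".join(labels).lower()


def _b64url_decode(value: str) -> Optional[bytes]:
    """Decode unpadded base64url as used by the RFC 8484 'dns' GET parameter."""
    try:
        padded = value + "=" * (-len(value) % 4)
        return base64.urlsafe_b64decode(padded)
    except (ValueError, base64.binascii.Error):
        return None


def classify_http_request(method: str, path: str, headers: Dict[str, str],
                          body: bytes) -> Tuple[str, Optional[str]]:
    """Classify a decrypted HTTP request as ("doh", qname) or ("other", None).

    A request is treated as DoH if it carries a DNS wire-format payload in one of
    the two RFC 8484 shapes. qname is None when the payload is present but malformed,
    which is still worth blocking from a filtering proxy's point of view.
    """
    lower_headers = {k.lower(): v for k, v in headers.items()}
    payload: Optional[bytes] = None

    if method.upper() == "POST":
        ctype = lower_headers.get("content-type", "").lower()
        if ctype.startswith("application/dns-message"):
            payload = body
    elif method.upper() == "GET":
        query = parse_qs(urlsplit(path).query)
        if "dns" in query:
            payload = _b64url_decode(query["dns"][0]) or b""

    if payload is None:
        return ("other", None)
    return ("doh", parse_qname(payload))


# Constructed sample traffic a proxy might see after TLS termination
SAMPLE_QUERY = build_dns_query("example.com")
SAMPLE_POST = ("POST", "/dns-query",
               {"Content-Type": "application/dns-message"}, SAMPLE_QUERY)
SAMPLE_GET = ("GET",
              "/dns-query?dns=" + base64.urlsafe_b64encode(SAMPLE_QUERY).rstrip(b"=").decode(),
              {"Accept": "application/dns-message"}, b"")
SAMPLE_WEB = ("GET", "/index.html", {"Accept": "text/html"}, b"")


if __name__ == "__main__":
    for req in (SAMPLE_POST, SAMPLE_GET, SAMPLE_WEB):
        print(req[0], req[1][:40], "->", classify_http_request(*req))
```

Only the classification is shown; a real proxy would run this after terminating TLS, and the cost of that termination on every port-443 flow is the performance concern raised in the post. Note that a proxy can only inspect what it terminates: a browser that validates the resolver's certificate will refuse the interception unless the proxy's CA is trusted on the client.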