How should one deal with overly aggressive blocking?

Hi Fellow NextDNSers,

I have NextDNS in place in multiple locations and believe it is not my place to restrict end-users via Categories and the Denylist to a point where they may feel I was trying to police their morals. So, for the most part, I block Porn and Piracy only.

While I have many happy end-users out there, there is one shop that is an outlier. They access the Internet via the same ISP (Shaw) which most of my other clients (work and home) use in Calgary (AB), and everyone is using similar network hardware (so not pfSense type routers).

This one client has issues on some (not all) of their PCs, which feels like NextDNS is not working reliably. I have reset their Chrome browser settings and re-installed the NextDNS app for Windows, etc. There are no fancy static configurations in place, so their "workgroup" computers look and feel like those I look after, elsewhere.

When I allow or deny certain domains in their NextDNS dashboard (custom configuration), I actually see their endpoints responding by blocking access and then allowing it, corresponding to the levers I pull. Sometimes it takes a bit of effort, like rebooting, but essentially this DNS magic works.

So, while it feels like their NextDNS protection is doing what it should... on some of their stock standard workstations, I am getting a bit of pushback. In the clients' words, they expect any site that they do "not regularly" visit to be blocked until I whitelist the corresponding domain.

The issue here is that I don't have to do this for other clients, so this is annoying for them. They would rather not have me whitelist sites so regularly. I can see how the Yellow Pages (YP.CA) could be flagged as a marketing site, but in their case the limitations are a tad heavy handed.

I would like to keep the product intact for obvious reasons, but it is not as simple as saying that I am doing this for the greater good when I would also not want this infringement in my life. I use the same protection and have similar profile settings and I do not have the drama this client has. My other clients also do not have similar drama!

Since your brain is now smoking... here is another side issue to chew on. What is the point of blocking sites in Chromium browsers if clients can copy/paste the URLs into Firefox and pretty much get around NextDNS?

Sorry for the long post — I am looking forward to some actionable feedback.

8 replies

    • Hey
    • 1 yr ago

    I want to answer your second question first: you can block more than just Chrome by using the NextDNS app on Windows, which would override not only the general browser settings and Windows apps but also most VPN apps other than a select few like Hotspot Shield that get around it. You can also use something like (Block Bypass Methods) to reduce the chances of a VPN or another DNS provider taking over. But as is with everything, if someone has enough knowledge they can bypass it.

    I've got through my middle school's iBoss (their Android security solution) many times until they had a firmware-level security where opening the device up would be my only real option, as it would block any modifications and rollbacks.

    For your first question though, you can experiment with filters like using OISD and 1HostLite to see how the clients react to that configuration. OISD is nearly perfect, but 1HostLite tends to block a few more new domains containing clear phishing/malvertisements, but it does cause very, very few breakages, so it could be quite the perfect solution, but it heavily depends on the type of configuration that the client wants.

    You probably know but I'd enable things like AI threat detection and DDNS Hosts / NRD etc just in case, it isn't perfect but I think the little false positives don't mean much when the AI alone can easily compete and outdo most other DNS services filters/intelligence feeds/security stack and compete with the likes of DNSFilter either having the same or better results purely with AI and outdoing them in full stack security.

    This is how I would approach it as a user though, I use the security options and use OISD/Fanboys Annoyance to have a much better internet experience while personally having no compromises in terms of usability.

    If they want to visit a few sites that use Anti-Adblocking measures, you could also allow some tracking to prevent rare case breakages but it all depends on the ratio of privacy and usability, I'm a bit lazy so my config works perfectly on my behalf.

    • Norman_Atterbury
    • 1 yr ago

    Hi Hey,

    I appreciate your thorough reply!

    I always install the "NextDNS for Windows" app on Windows PCs, so I agree with your justification for using the app vs. browser extensions.

    Thanks for your suggestion that I experiment with filters — I have never done this, but I will check this out. This specific client tends to get quite a bit of legitimate marketing emails. In their industry, prolific "trade show" style marketing messaging is very common.

    Besides using filters, would you suggest restricting end-users in this ballpark via Categories? Would it be reasonably safe to allow broad categories (like Porn, Gambling & Piracy)? I wonder if NextDNS's database of known Phishing URLs (with some AI sprinkled in), would suffice?

    They should be okay with some breakages, given what they were experiencing before I REMOVED NextDNS yesterday. They would not want to drop the pursuit against Phishing and Malvertising, altogether.

    -Norman.

      • Hey
      • 1 yr ago

      Norman Atterbury For categories, most of them block what they're meant to. They're using AI for other categories than just Malicious domains now so there are a few FPs here and there.

      You could also mix OISD and 1HostLite as they are both light enough for the average user and they would back each other up with new detections.

      1Host does block a few more of the URL tracking links that are used for email verification mails, but they do have a better response to newer threats on questionable sites.

      If you don't get any complaints though, blocking the questionable categories could help as freemium stuff such as Adult/Piracy tend to have the worst cases of bad domains being collected in a single site.

      Overall though, using the security functions and updated filters should be enough as long as they aren't too adventurous with their browsing.

    • Norman_Atterbury
    • 1 yr ago

    Hi @hey,

    I appreciate your attention to details, and may post an update here once I have tinkered somewhat and my client is happy with the results...

    • Norman_Atterbury
    • 1 yr ago

    Hi @hey,

    If you don't mind, I have a question about Blocklists — I noticed "NextDNS Ads & Trackers Blocklist" was the only original default blocklist (before commencing any tinkering).

    Assuming I want to add "1Hosts (Lite)" & "oisd" as alternative/extra blocklists — would future troubleshooting be simpler if a single blocklist is associated with a given Configuration Profile (at a given time), or do you tend to pile them up for better efficiency?

      • Hey
      • 1 yr ago

      Norman Atterbury I only use OISD personally for the least amount of issues as it's worked for me for more than a year and a half now, giving me the perfect experience that I'd expect. I'm just a user though, so it's me and my family using the config, so I like it leaner to allow for headroom in terms of what they can visit and not have to let me manually unblock or change things.

      It all depends on the user though and I hadn't seen your message but I've seen the update, if doubling up doesn't get any issues that's great as you always have a backup filter in a case where one isn't updated or doesn't include a site that might otherwise get past with a single filter. Additional redundancy basically, welp great to see that it worked out for your use case.

      • Norman_Atterbury
      • 1 yr ago

      Hey Thanks again for your feedback.

      I will keep the OISD (only) option in my back pocket for if/when I get pushback.

    • Norman_Atterbury
    • 1 yr ago

    UPDATE — I have not had any complaints after adding "1Hosts (Lite)" & "oisd" to my clients' NextDNS protection profiles, about three weeks ago... so I am going to stick with it.
