How should one deal with overly aggressive blocking?
Hi Fellow NextDNSers,
I have NextDNS in place in multiple locations and do not believe in being it is not my place to restrict end-users via Categories and the Denylist to a point where they may feel I was trying to police their morals. So, for the most part, I block Porn and Piracy only.
While I have many happy end-users out there, there is one shop that is an outlier. They access the Internet via the same ISP (Shaw) which most of my other clients (work and home) use in Calgary (AB), and everyone is using similar network hardware (so not pfSense type routers).
This one client has issues on some (not all) of their PCs, which feels like NextDNS is not working reliably. I have reset their Chrome browser settings and re-installed the NextDNS app for Windows, etc. There are no fancy static configurations in place, so their "workgroup" computers look and feel like those I look after, elsewhere.
When I allow or deny certain domains in theirNextDNS dashboard (custom configuration), I actually see their endpoints actually responding by blocking access and then allowing it, corresponding to the levers I pull. Sometimes it takes a bit of effort, like rebooting, but essentially this DNS magic works.
So, while it feels like their NextDNS protection is doing what it should... on some of their stock standard workstations, I am getting a bit of pushback. In the clients' words, they expect any site that they do "not regularly" visit to be blocked until I whitelist the corresponding domain.
The issue here is that I don't have to do this for other clients, so this is annoying for them. They would rather not have me whitelist sites so regularly. I can see how the Yellow Pages (YP.CA) could be flagged as a marketing site, but in their case the limitations are a tad heavy handed.
I would like to keep the product intact for obvious reasons, but it is not as simple as saying that I am doing this for the greater good when it I would also not want this infringement in my life. I use the same protection and have similar profile settings and I do not have the drama this client has. My other clients also do not have similar drama!
Since your brain is now smoking... here is another side issue to chew on. What is the point of blocking sites in chromium browsers if clients can copy.paste the URLs into Firefox and pretty much get around NextDNS?
Sorry for the long post — I am looking forward to some actionable feedback.
I want to answer your second question first, you can block more than just chrome by using the NextDNS app on Windows, that would override not only the general browser settings and Windows apps but also most VPN apps other than a select few like Hotspot Shield that get around it. You can also use something like (Block Bypass Methods) to reduce the chances of a VPN or another DNS provider taking over. But as is with everything it someone has enough knowledge they can bypass it.
I've got through my middle schools iBoss (Their Android security solution) many times untill they had a firmware level security where opening the device up would be my only real option as it would block any modifications and rollbacks.
For your first question though, you can experiment with filters like using OISD and 1HostLite to see how the clients react to that configuration, OISD is nearly perfect but 1HostLite tends to block a few more new domains containing clear Phishing/Malwaretisements but It does cause very very few breakages, so it could be quite the perfect solution but it heavily depends on the type of configuration that the client wants.
You probably know but I'd enable things like AI threat detection and DDNS Hosts / NRD etc just in case, it isn't perfect but I think the little false positives don't mean much when the AI alone can easily compete and outdo most other DNS services filters/intelligence feeds/security stack and compete with the likes of DNSFilter either having the same or better results purely with AI and outdoing them in full stack security.
This is how I would approach it as a user though, I use the security options and use OISD/Fanboys Annoyance to have a much better internet experience while personally having no compromises in terms of usability.
If they want to visit a few sites that use Anti-Adblocking measures, you could also allow some tracking to prevent rare case breakages but it all depends on the ratio of privacy and usability, I'm a bit lazy so my config works perfectly on my behalf.
I appreciate your thorough reply!
I always install the "NextDNS for Windows" app on Windows PCs, so I agree with your justification for using the app vs. browser extensions.
Thanks for your suggestion that I experiment with filters — I have never done this, but I will check this out. This specific client tends to get quite a bit of legitimate marketing emails. In their industry, prolific "trade show" style marketing messaging is very common.
Besides using filters, would you suggest restricting end-users in this ballpark via Categories? Would it be reasonably safe to allow broad categories (like Porn, Gambling & Piracy)? I wonder if NextDNS's database of known Phishing URLs (with some AI sprinkled in), would suffice?
They should be okay with some breakages, given what they were experiencing before I REMOVED NextDNS yesterday. They would not want to drop the pursuit against Phishing and Malvertising, altogether.
If you don't mind, I have a question about Blocklists — I noticed "NextDNS Ads & Trackers Blocklist" was the only original default blocklist (before commencing any tinkering).
Assuming I want to add "1Hosts (Lite)" & "oisd" as alternative/extra blocklists — would future troubleshooting be simpler if a single blocklist is associated with a given Configuration Profile (at a given time), or do you tend to pile them up for better efficiency?