Hospital WLAN blocks access to internet because of NextDNS

I have set NextDNS on my router and also on my Android 10 smartphone using the recommended settings.

I was recently in a hospital in Munich, Germany (Klinikum Großhadern). I logged in to the Guest WLAN with my phone and was successfully connected. But a few seconds later an exclamation mark showed up above the Android WiFi icon. Although I was connected, the internet was not working. I could not visit any web page.

I figured out that the private DNS setting was the problem, as everyone else except me did have internet on their phones connected to the specific WiFi.

So my question is: how does the hospital know that I am using a different DNS server on my phone? And how can they block my internet access?

  • Fairly trivial to do at the firewall using deep packet inspection. Also, I think Android’s private DNS uses DoT, which runs on port 853, so they probably just have that port blocked too.

      • Devid (Software Developer), 1 yr ago:

      Jason Hawkins, is this also the case with iPhone when installing with a profile? Is it also using DoT?

      What if the DoH protocol is enabled in the browser? Will it then work?

    • Devid, iOS uses DoH, which is harder to block since it runs on port 443, but it’s still possible to block via the SNI leaking. For example, the firewall can see dns.nextdns.io or dns1.nextdns.io being connected to and then block it. On a network this locked down, your best bet may be running a VPN on TCP port 443. Possibly UDP 443 (WireGuard) could be done as well, but they could be blocking UDP traffic.

  • Corporate networks need to inspect traffic to protect their systems. If traffic is encrypted, they cannot inspect it. Encrypting DNS traffic also means that the corporate network would not be able to perform DNS filtering to ensure malicious sites are not being visited.

    On my network, I run NextDNS on the router so all outgoing DNS queries are encrypted. However, the router prevents internal DNS queries from being encrypted. It blocks port 853 and all known DoH servers, and redirects port 53 DNS queries to itself to prevent users from using another DNS provider.

    • Ian Morris, same here. You’d be hard pressed to get away with encrypting DNS on my network, as my firewall blocks port 853, blocks most DoH servers with a target list, and rewrites all port 53 traffic to NextDNS, etc. You could get away with running a VPN on 443, but my firewall will catch it pretty quick and I can block it from there. Ready for my kids to try me when they’re older lol.

    • Ian Morris, I’m curious how you can block all known DoH servers? Is someone maintaining a central list, or are you just blocking the well-known ones?

    • Calvin Hobbes, I run the amazing pfSense router software (by Netgate) for my core routing and I have installed a package called pfBlockerNG, which performs incoming and outgoing IP filtering. One of its many options is to block DoH servers, using a centrally maintained list which the router downloads every hour.
