
Bypass DNS settings

Hi, I work for a government office, specifically in the IT department. We have a TP-Link TL-WR840N, which has 192.168.18.1 as its IP address. I recently used the NextDNS service to block social media websites on the network to keep employees from being unproductive, and it works well, but there's a detail I need to talk about. When I open my network adapter settings on my computer, click on the Properties tab and then type 8.8.8.8 as my primary DNS and 8.8.4.4 as my secondary one, all the sites I blocked using the NextDNS service open up and I can successfully access them. I really don't like the idea that if some users on the network have administrator privileges on their computers, they can manipulate their network adapters and have the opportunity to insert other DNS servers so they can bypass this service. Any solution to this?

Best regards

6 replies

    • fresh_hall4038
    • 1 mth ago

    You can't be surprised that changing DNS server is... changing DNS server.

    That's just how DNS works.

      • SysAdmin.1
      • 1 mth ago

       Well, that's a no-brainer I guess.

    • Span
    • 1 mth ago

    The problem here is users having admin access, do they need permanent admin access? If not then the IT department should engage in a project to identify these users and downgrade their access.

    This will solve this and also prevent other problems in future.

    If they need temporary admin access to install something, they get on a video call with an admin, who first verifies that the software is approved and then controls the user's computer and does the installation. It's more work, but it shouldn't happen too often.

    Read up on the principle of least privilege: https://www.paloaltonetworks.com/cyberpedia/what-is-the-principle-of-least-privilege

      • SysAdmin.1
      • 11 days ago

       OK, I get it, but the thing is, if I put a DNS configuration in a router then it's no use for these types of things; that should be taken into consideration.

    • TechStud
    • 10 days ago

    First, the above is correct. The Principle of Least Privilege (PoLP) and Trust No One (Zero Trust) are important principles that should always be enforced, especially as we transition into 2026!

    • PoLP
      • RULE: Give people only the tools and access they need to do their specific job—and nothing more. 
      • Example: Users should NOT have the privilege to choose their own DNS servers (like Google or Cloudflare) because that allows them to bypass the security you've set.
    • Zero Trust
      • RULE: Don't trust anyone or any device by default, even if they are already *inside* the building or connected to the office Wi-Fi. Always verify! 
      • Example: Even though you have devices on your local network, you should NOT trust that they are sending traffic to the right place. You need network gear that verifies and enforces where that traffic goes (eg: forcing DNS requests to NextDNS) regardless of what the device tries to do.

    The TP-Link TL-WR840N is primarily designed for residential use, and its built-in firewall does not currently support the granular access controls required for your situation / environment.

    The challenge you're seeing is a standard DNS bypass: a user has the ability to manually configure an external provider (such as Google's 8.8.8.8) on their device, which effectively circumvents the intended DNS settings and the NextDNS protections you want.

    To resolve this, I highly recommend upgrading to more robust networking equipment capable of advanced port 53 management and more. This would enable you to block unauthorized (rogue) outgoing DNS requests and ensure all traffic is routed through your NextDNS account, or automatically redirect rogue DNS queries back to your secured resolvers.

    Along with the PoLP and Zero Trust principles, upgrading the hardware is the only effective way to gain the granular controls necessary for a professional office environment, especially a Government office. 

      • SysAdmin.1
      • 9 days ago

       Thanks. To put you in a more complete perspective of the situation: I live in Mexico and I work in Mexico, so here the government offices, especially the municipal ones, usually have poor equipment, and they don't want to buy newer ones because of budget-related stuff, so they've been stuck with this hardware for more than 20 years; it's ancient equipment. And to be fair, I'm starting to get really involved in IT networking because I'm interested in learning, so thanks for giving a more detailed explanation and pointing me to what to do.

      Cheers
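The enforcement TechStud describes (intercepting rogue port 53 traffic at the gateway and redirecting it to the approved resolver, plus logging so bypass attempts are visible) can be shown concretely. The script below is an added example written for this page; it is not code from the thread, from NextDNS or from TP-Link, and it does not run on the TL-WR840N discussed above. It assumes a Linux gateway with nftables, a LAN interface named br-lan, and a RESOLVER placeholder (45.90.28.0 below is only a placeholder; use the address NextDNS shows for your own configuration). The sample log lines are constructed, not real captures.

```shell
#!/bin/sh
# Added example (not from the thread): force every LAN DNS query through one
# approved resolver on a Linux/nftables gateway, and audit the gateway log for
# clients that tried to talk to a different resolver (e.g. 8.8.8.8 set by hand).
set -eu

# Assumptions, not taken from the thread: adjust both for your gateway.
LAN_IF="${LAN_IF:-br-lan}"
RESOLVER="${RESOLVER:-45.90.28.0}"   # placeholder; use the address from your NextDNS setup page

# Print an nftables ruleset that
#  1. rewrites plain DNS (UDP/TCP 53) leaving the LAN to $resolver unless it
#     already targets it, so a client that configured 8.8.8.8 still reaches
#     the approved resolver and still gets the NextDNS block list applied;
#  2. drops DNS-over-TLS (TCP 853) so a client cannot fall back to an
#     encrypted upstream that the port-53 redirect would miss;
#  3. logs each rewritten or dropped packet so bypass attempts show up in the
#     kernel log with the prefixes "dns-bypass: " and "dot-bypass: ".
# DNS-over-HTTPS shares port 443 with normal web traffic and cannot be caught
# by port alone; block the DoH provider hostnames in NextDNS itself instead.
dns_guard_ruleset() {
    lan_if=$1
    resolver=$2
    cat <<EOF
table ip dns_guard {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname "$lan_if" ip daddr != $resolver udp dport 53 log prefix "dns-bypass: " dnat to $resolver
        iifname "$lan_if" ip daddr != $resolver tcp dport 53 log prefix "dns-bypass: " dnat to $resolver
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
        iifname "$lan_if" tcp dport 853 log prefix "dot-bypass: " drop
    }
}
EOF
}

# Constructed sample of what the kernel log looks like once the rules above
# are loaded (fields follow the nftables/netfilter log format; values invented).
SAMPLE_LOG='Mar 12 09:14:02 gw kernel: dns-bypass: IN=br-lan OUT= SRC=192.168.18.57 DST=8.8.8.8 LEN=60 PROTO=UDP SPT=51523 DPT=53
Mar 12 09:14:02 gw kernel: dns-bypass: IN=br-lan OUT= SRC=192.168.18.57 DST=8.8.4.4 LEN=60 PROTO=UDP SPT=51524 DPT=53
Mar 12 09:15:40 gw kernel: dns-bypass: IN=br-lan OUT= SRC=192.168.18.102 DST=1.1.1.1 LEN=60 PROTO=TCP SPT=40011 DPT=53
Mar 12 09:16:01 gw kernel: dot-bypass: IN=br-lan OUT= SRC=192.168.18.102 DST=1.1.1.1 LEN=60 PROTO=TCP SPT=40012 DPT=853
Mar 12 09:17:33 gw kernel: other: IN=br-lan OUT= SRC=192.168.18.57 DST=93.184.216.34 LEN=60 PROTO=TCP SPT=40013 DPT=443'

# Read log lines on stdin and print, per LAN host that attempted a bypass:
#   <attempt count> <source IP> <comma-separated resolvers it tried>
# This is the list of machines whose admin rights Span's reply says to revoke.
bypass_hosts() {
    grep -E 'dns-bypass:|dot-bypass:' | awk '
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DST=/) dst = substr($i, 5)
            }
            count[src]++
            if (!((src, dst) in seen)) {
                seen[src, dst] = 1
                dsts[src] = dsts[src] (dsts[src] == "" ? "" : ",") dst
            }
        }
        END { for (h in count) print count[h], h, dsts[h] }' | sort -rn
}

# Stand-alone run: show the ruleset, then audit the constructed sample log.
dns_guard_ruleset "$LAN_IF" "$RESOLVER"
printf '%s\n' "$SAMPLE_LOG" | bypass_hosts
```

To apply it on a real gateway, pipe the generated ruleset into nft (`dns_guard_ruleset "$LAN_IF" "$RESOLVER" | nft -f -`) and feed the kernel log (for example `journalctl -k` on a systemd-based box) into `bypass_hosts`. Two caveats: the redirect only works for traffic that crosses the gateway, so a client on a different path (a phone on mobile data, a VPN) is out of scope, and the rules do nothing about DoH on port 443, which is why the least-privilege point made earlier in the thread still matters alongside the network control.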
