
ProtonVPN and IPVanish are not being blocked by NextDNS

I enabled Block Bypass Methods under Parental Controls in NextDNS and tested it with IPVanish a few months ago. IPVanish couldn't connect with this feature enabled. I enabled Block Bypass Methods to prevent my teenager from defeating Parental Controls in NextDNS. 

I challenged him today to defeat my Parental Controls (today was the first day I actually put him on the network that is using NextDNS for DNS servers and is blocked from being able to specify any non-NextDNS DNS servers). He fired up ProtonVPN and defeated my Parental Controls in literally 2 minutes. For a second I thought that Block Bypass Methods must not have been enabled under Parental Controls in the NextDNS account, but then I logged in and this setting was enabled. ProtonVPN is a free VPN service in North America that I hadn't heard of before at all. I just googled a review of this service, and it gets glowing reviews from multiple sources. It's a legit VPN service that is completely free, and the speed I got on it was pretty good (200 Mbps down and close to 100 Mbps up).

Then, I thought maybe ProtonVPN is doing something extraordinary to defeat the Block Bypass Methods setting enabled in NextDNS. So, I tried IPVanish (paid service), and it was able to connect. I know for a fact I had tested this before and consistently wasn't able to connect with IPVanish.

What happened and why is the Block Bypass Methods setting no longer blocking VPN services? This makes the entire NextDNS concept useless. My 13-year-old son defeated NextDNS Parental Controls in 2 minutes. 

11 replies

    • sirozha
    • 8 mths ago

    Moreover, the Checkpoint Endpoint Security VPN client is connecting to my work without a problem with Block Bypass Methods enabled. It didn't use to be able to connect, either. So, VPNs used to be blocked when this feature was enabled, but they are no longer blocked.

    I did check (when I log in to my account in NextDNS) that NextDNS is used as my DNS server before I fire up a VPN client. Then, the page reports that I'm using DNS from a different provider (depending on the VPN service I connect to). So, NextDNS basically tells me that my VPN services defeat NextDNS's Block Bypass Methods protection.

    What's happening here? 

    • TheAliDev
    • 8 mths ago

    VPN and DNS are different in their uses.

    Proton VPN doesn't change DNS, and most VPNs don't.

    Block Bypass Methods is for restricting a user from changing DNS.

    VPN is used to change IP, not country.

    Did you try to use a custom DNS without common knowledge??

      • sirozha
      • 8 mths ago

      Do you even realize that you have no understanding of the issue being raised here? I doubt you do.

      You can’t go on specialized forums like this one and post utter nonsense without having the slightest clue about the subject matter. 

    • Will_Tisdale
    • 8 mths ago

    I just did a quick test and both the IPVanish and ProtonVPN domains are blocked by Block Bypass Methods for me, as well as any other random VPN or DNS provider that I try to access.

    Probably asking the obvious here, are you sure your configuration is correct?

      • sirozha
      • 8 mths ago

      I’m not sure my configuration is correct.

      I’m sure that the client uses NextDNS, of which I see confirmation in the NextDNS portal’s Setup tab that I’m using the NextDNS DNS servers. I am also sure that the Block Bypass Methods setting is enabled.

      And I’m also sure that I can connect to IPVanish and ProtonVPN. When I connect through one of these VPNs, the message in the NextDNS Setup tab shows that my DNS provider changes to a different DNS provider.

      What could be misconfigured to allow VPNs besides the Block Bypass Methods setting?

      Thank you.

      • Will_Tisdale
      • 8 mths ago

      Perhaps other DNS server entries on the client?

      Try running https://www.dnsleaktest.com - that will tell you if there are any other DNS servers configured.

      • sirozha
      • 8 mths ago

      The ipvanish.com and protonvpn.com domains are blocked, but the ProtonVPN client connects despite the host being configured for the NextDNS DNS servers. To prevent the IPVanish client from connecting, the Mac must be rebooted (see my post below). But nothing can stop the ProtonVPN client from connecting and defeating content filtering configured in NextDNS.

    • sirozha
    • 8 mths ago

    I wonder if the range of DNS IPs from which I got two DNS servers assigned is having a problem. I've just created another profile under my account and had two new DNS servers assigned to this other profile. The first three IP octets of the DNS servers in both profiles are the same, though: 45.90.28.XXX

    The only thing I did in the new profile was enable Block Bypass Methods. I didn't touch any other setting in this new profile. Then, I changed the DNS server IP on my Mac to one of the newly assigned DNS IPs from the new profile. 

    My VPN clients (IPVanish and ProtonVPN) both connect without any issue. So, if Block Bypass Methods is working for others to block VPNs, then there must be an issue with the servers in the 45.90.28.XXX range.

    I see a confirmation on the Setup tab in the new profile that I'm using DNS from the new profile, so I know that the DNS server to which DNS requests are sent is one of the DNS servers assigned to me in the new profile.  

    How do I get NextDNS folks to look at this issue? 

    • sirozha
    • 8 mths ago

    This is what I've discovered after some more tinkering. 

    1. Block Bypass Methods actually does block IPVanish VPN. The trick is to reboot the computer after enabling the NextDNS DNS IP issued under a profile in the NextDNS web portal that you want a particular host on the network to use for DNS resolution and filtering. At least with the Mac, if you don't reboot the Mac after assigning the NextDNS DNS server IPs (be it manually or via DHCP on a local network), IPVanish will continue to connect. Flushing DNS using the command sudo -S killall -HUP mDNSResponder; sudo dscacheutil -flushcache doesn't prevent the IPVanish client from connecting. However, once you reboot the Mac, the IPVanish client can no longer connect. So, this works.

    2. However: The ProtonVPN client has absolutely no problem connecting when the NextDNS DNS servers are configured on the Mac - even after I reboot the Mac. So, ProtonVPN defeats the NextDNS Block Bypass Methods setting 100% of the time. It's even more dramatic an effect because ProtonVPN provides free service (as in absolutely free) in the US, and the speed of this service is similar to (or better than) that of IPVanish (which costs about $10/month, or a little cheaper if you buy an annual subscription). Basically, the entire concept of DNS-based content filtering goes down the toilet because any kid can download ProtonVPN without having to provide any payment type and bypass any DNS-based filtering.

    3. I also tried to get a paid account on ControlD today and my results are similar in that ControlD can block IPVanish from connecting (same thing as with NextDNS - the Mac must be rebooted after the DNS servers are changed to those provided by a profile in ControlD). However, ProtonVPN defeats content filtering configured in ControlD the same way ProtonVPN defeats content filtering configured in NextDNS. 

    4. Both NextDNS and ControlD block DNS resolution to both the IPVanish web site (ipvanish.com) and the ProtonVPN web site (protonvpn.com) - they do it in a different way, but the end result is that the user can't get to the respective web sites to download the VPN clients. However, if the ProtonVPN client is already installed on the computer, then it defeats content filtering configured in ControlD because the Block Bypass Methods setting doesn't prevent the ProtonVPN client from connecting.

      • Will_Tisdale
      • 7 mths ago

      1. Sounds like a macOS issue and/or the IPVanish client is caching the DNS lookup.
      2. It sounds like ProtonVPN is using hard coded IP addresses instead of a DNS lookup. That is impossible to block using DNS and isn't a shortcoming of "Block Bypass Methods". To actually block that, you would need to identify the IP addresses and firewall them at the gateway.
      3. Kinda confirms that they are using IP addresses rather than a domain for the connection.
      4. That's a limitation of DNS level blocking.
      • sirozha
      • 7 mths ago

      I do agree that ProtonVPN most likely uses IP addresses. I've progressed further and found a Python script that uses an API provided by ProtonVPN to download their server IPs. There are almost 4,000 entries on the list - once the script exported the current ProtonVPN server IPs and built a CSV file.

      I'm trying to block these IPs in the firewall, but so far I can't stop ProtonVPN from connecting. I suspect they probably also dynamically change the IPs and the ProtonVPN application probably polls for new server IPs constantly.

      I'm glad ProtonVPN exists, as it's an important tool to defend freedom of expression in places like China and Russia. I'm also glad they provide free service. My problem with them is that there is no need for a free account without age verification for users in the free world to defend freedom of expression. By providing the ability to open a free account without any age verification and providing free unlimited and very fast service in countries like the US, they may be trying to be free-speech absolutists, but the reality is that they let kids access age-inappropriate content with minimal effort, and there is nothing that anyone seems to be able to do about it.    
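As an added example (not code posted by anyone in this thread), a Python script for the gateway-side step Will_Tisdale describes and sirozha is attempting: take an exported CSV of VPN server IPs, collapse it into CIDR blocks, and emit nftables rules for a Linux gateway, since a resolver-level control like Block Bypass Methods never sees a client that connects to an IP literal. The CSV contents are constructed documentation addresses, not real ProtonVPN servers, and the `inet filter` table and `forward` chain names are assumed.

```python
import csv
import io
import ipaddress

# Constructed sample export (RFC 5737 documentation addresses) standing in for
# the CSV the poster built from the provider API; not real VPN server IPs.
SAMPLE_CSV = """name,ip
node-a,203.0.113.10
node-b,203.0.113.11
node-c,203.0.113.12
node-d,203.0.113.13
node-e,198.51.100.7
node-f,198.51.100.7
bad-row,not-an-ip
"""


def load_ips(csv_text, column="ip"):
    """Set of valid addresses in the export; malformed rows are skipped
    rather than guessed at, and duplicates collapse into the set."""
    ips = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            ips.add(ipaddress.ip_address(row[column].strip()))
        except (KeyError, ValueError, AttributeError):
            continue
    return ips


def aggregate(ips):
    """Collapse single hosts into the minimal covering CIDR set per address
    family, so thousands of /32 entries become far fewer prefixes."""
    nets = []
    for version in (4, 6):
        same = [ipaddress.ip_network(str(ip)) for ip in ips if ip.version == version]
        nets.extend(ipaddress.collapse_addresses(same))
    return nets


def render_nft(nets, set_name="vpn_egress"):
    """nftables commands for a Linux gateway: an interval set plus a forward-chain
    drop. Assumes 'table inet filter' and chain 'forward' exist (hypothetical)."""
    v4 = ", ".join(str(n) for n in nets if n.version == 4)
    return [
        f"add set inet filter {set_name} {{ type ipv4_addr; flags interval; }}",
        f"add element inet filter {set_name} {{ {v4} }}",
        f"add rule inet filter forward ip daddr @{set_name} counter drop",
    ]
```

Because the thread notes the provider's server list changes over time, the export and rule generation have to be re-run on a schedule; a block that was current last week will miss newly added endpoints.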
