Block Bypass Methods not blocking other DoH servers.

Five Tires By generic address, I mean NextDNS own address. If you're using NextDNS then your setup needs to be able to resolve the NextDNS domain (or maybe hardcode the IP), thus, it's impossible to block an app if that app can pick its own DoH address and use NextDNS generic address.

Shouldn't the school have its own MDM to enforce browsing restrictions? Seems like begging for trouble if they require students to bring computing device into their network but doesn't have a management system in place.

Five Tires Ah, porn (or drugs, radicalism etc) will always find a way. They inherit your technical proficiency, so if they *want* it, they'll get it, regardless of how you lock down the devices. Mac still allows booting right into a USB install (yes, even the M1/M2) which will ignore the internal drive, whereby they can run a shadowsock client that obfuscate itself as innocuous HTTPS traffic connecting to a generic CDN provider. iOS devices are better covered by nature, but I'm sure there are thousands Tiktok videos that will guide horny teens to work around the filter.

If you already set the DNS to porn filtering, you've done enough. It will stop accidental visits from clicking random link, and that's all you can do.

Five Tires In the Platonic series from this year, there is a scene when the kids in the family turn out hiding an iPad, the parents don't seem to be very techie, but even if they do, I'm sure it's possible to just buy a prepaid SIM to get around any Wifi filtering/detection. In real life, some Android prepaid phones are pretty cheap too, affordable even with a modest allowance, and probably can be hidden much better.

One of the plots in The Power series is how the boy in the family is being radicalized right under his parent's noses from content in regular social media & mainstream news, which is readily available unless one blocks the entire internet and only whitelists very specific sites.

I'm a parent too, and just trying to keep YouTube from turning perfectly innocuous streams of Kurzgesagt videos into recommendations of trash videos is just hopeless, regardless of the use of YouTube kids or repeatedly telling it to not recommend the trashy channel. I guess the only hope is to keep finding them something more interesting to do.

NAS They could, but like I said, what's the point? Anyone can just use the non-filtering NextDNS address which can't be blocked.

First,

If you want to add the DOH blocklist then either paste them all in (not too long) or maybe use this bulk upload script:

https://www.reddit.com/r/nextdns/comments/1c1nm2f/i_have_found_a_way_to_upload_domains_in_bulk_for/

Second,

MartheenThanks; I had seen your earlier post. I am not trying to block any _person_ inside my house -- a much harder problem -- just apps/programs/operating systems/malware doing things I didn't authorize. I don't think any of them are likely to be using the NextDNS non-filtering address.

That said, the DOH blocklists do seem like a doomed game of whack-a-mole.

--> Do you have any other suggestions?

Beyond the DOH blocklists I am unsure what to do. Would disabling DNS over HTTPS (DOH) in my router solve it? [I suspect not, since the IPv4 system could then be used to get the addres to a DOH server and then the program can use that... but maybe I'm wrong?]

PS: DOT I (think I) have blocked via blocking use of port 853. Unsure whether bad actors can just use some other port though.