Block Bypass Methods not blocking other DoH servers.
I found this in some other post, it's a list of public DoH servers https://github.com/curl/curl/wiki/DNS-over-HTTPS#publicly-available-servers
I have NextDNS enabled via the nextdns-cli on my Unifi Dream Machine and have verified that it indeed blocks sites in accordance with my profile on NextDNS. It also blocks bypass methods because I can't visit any website for a VPN provider.
So I tried to add some of the servers on the list above as DoH in Chrome and they weren't blocked. You can verify this by setting https://au01.dns4me.net as DoH and trying to visit a blocked site.
My concern is mostly around protecting my children's laptops. School is making them bring a laptop these days. They have MacBooks with the NextDNS profile installed and I've blocked installing apps not from the App Store, so effectively not letting them install Chrome. However, the school system where I live uses Google products, so it's only a matter of time before one of their products doesn't quite work on Safari and they'll need Chrome. I cannot for the life of me figure out how to lock Chrome down. The parental features on that browser are based on profiles, but children can just log out of the profiles, so not effective. Also can't lock down the settings of that browser with a password. It's really frustrating.
Is this not being blocked by Chrome a bug on behalf of NextDNS or is it just not supported?
16 replies
-
It's a lost cause. That list is just a small percentage of publicly available DoH servers out there. And even without setting up their own (which is really, really easy with Cloudflare Workers) or using other servers, you know what anyone can do to bypass NextDNS filtering? Just use the non-filtering generic address (i.e., without any profile identifier). Boom, that's it, done. NextDNS can't really block it since it needs it to function, and yet if set in the browser settings it will override the OS, router, NextDNS app setting, etc.
-
I'm not too familiar with Dream Machine these days but in RouterOS (Mikrotik) I have been working to address similar scenarios by creating "IP Lists" of DoH servers that I don't want used, followed by a Firewall rule to Reject all traffic destined for any IP on the list. I also have another rule that DSTNATs all regular DNS back to the router if not already destined there as I want everything funneled through router first, then on to NextDNS via DoH.
This seems to be effective enough of a catch-all for all devices & software on the network so all DNS goes through NDNS as expected - I have Android and Roku devices all hit these rules daily but never had anything failing to work correctly. If I force a static regular DNS server (eg GDNS) on a client's config, it continues to function as normal through NDNS, and if a DoH server that's on the IP List is used, DNS just fails until the issue is corrected lol (most devices seem to just fail back to regular DNS which then hits the NAT rule).
So far I only block the more common DoH servers and that seems to do the trick, as it would be tedious and probably pointless to try and maintain all of them in the router's config - guess it depends on how motivated your kids are to circumvent!
A final thought on your Chrome challenge: https://support.google.com/chrome/a/answer/9037717
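The two router rules described in the reply above (reject traffic to a list of DoH resolver addresses; DSTNAT plain DNS back to the router) and the DNS-over-TLS logging rule mentioned later in the thread, as an added example that is not from the thread or from any vendor. It is written as an nftables ruleset generator for a Linux router, since the poster's RouterOS syntax is Mikrotik-specific; the Dream Machine's own firewall framework is not assumed here. The IP addresses, the router address 192.168.1.1 and the interface name br0 are constructed placeholders.

```shell
#!/bin/sh
# Added example: generate an nftables ruleset that mirrors the two RouterOS rules
# (reject traffic to known DoH resolver IPs; redirect all plain DNS back to the
# router) plus a log rule for DNS-over-TLS on port 853.
# All addresses below are constructed placeholders, not real DoH servers.

DOH_BLOCK_IPS="203.0.113.10 203.0.113.11 198.51.100.7"   # constructed list
ROUTER_LAN_IP="192.168.1.1"                              # assumed router LAN address
LAN_IF="br0"                                             # assumed LAN interface name

# Turn the space-separated IP list into the comma-separated form nft expects.
doh_set_elements() {
    printf '%s' "$DOH_BLOCK_IPS" | sed 's/ /, /g'
}

# Print the complete ruleset to stdout; apply with: gen_doh_ruleset | nft -f -
gen_doh_ruleset() {
    cat <<EOF
table inet doh_guard {
    set doh_servers {
        type ipv4_addr
        elements = { $(doh_set_elements) }
    }

    chain forward {
        type filter hook forward priority 0; policy accept;
        # Log any DNS-over-TLS attempt so new bypass clients show up in the log.
        iifname "$LAN_IF" tcp dport 853 log prefix "DoT attempt: " counter
        # Reject HTTPS (DoH) and DoT to the known resolver addresses.
        iifname "$LAN_IF" ip daddr @doh_servers tcp dport { 443, 853 } counter reject with tcp reset
    }

    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        # Any plain DNS not already aimed at the router is redirected to it,
        # so the router's NextDNS-backed resolver answers instead.
        iifname "$LAN_IF" ip daddr != $ROUTER_LAN_IP meta l4proto { tcp, udp } th dport 53 counter redirect to :53
    }
}
EOF
}

# Self-check helper: number of counting rules the generator emitted.
count_rules() {
    gen_doh_ruleset | grep -c 'counter'
}
```

Every rule carries `counter`, so `nft list table inet doh_guard` shows at a glance whether any client on the LAN is hitting the DoH set or being redirected, which is the same feedback loop the reply describes for RouterOS. Clients that pin a DoH server in the set simply lose DNS until they fall back to plain DNS, which the prerouting rule then captures.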
-
Yeah that's a hefty challenge, short of employing an always-on VPN controlling the network layer is pretty difficult these days. I ended up finding a thread on Reddit where the author of that GitHub DoH list talked about this topic extensively, and it seems the general consensus was about the same there too; talks of Layer 7 firewalls and stripping SSL lol
-
This subject got me curious about DNSoTLS and so I dropped a logging rule in and already found something using it and bypassing my other rules
-
This may be the Reddit link to the GitHub DOH-block list:
https://www.reddit.com/r/pihole/comments/1baz70t/dns_over_https_doh_blocklist/
Here's one to more GitHub blocklists. YMMV.
https://www.reddit.com/r/pihole/comments/1bee4a7/add_local_dns_records_for_doh/
Apologies if these are obvious/stupid questions, but:
1. Could one just implement that blocking on NextDNS (instead of the router)? After all, they are web address domains.
2. Is there an easy way to upload a blocklist to NextDNS? It looks like I would have to add them one at a time to the NextDNS 'denylist' (or write a script to add them for me...)
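A way to answer question 2 without adding entries one at a time, as an added example that is not from the thread or from NextDNS: the GitHub DoH blocklists linked above are distributed in hosts-file, adblock and plain-domain formats, and this script normalises any of them into the one-domain-per-entry list the NextDNS denylist works with. The sample input is constructed and its hostnames are placeholders. The `denylist_requests` helper only builds request descriptions; the endpoint and body shape it uses are an assumption taken from the public NextDNS API documentation as I recall it and should be checked against the current docs before use.

```python
"""Added example (not from the thread): normalise a DoH-resolver blocklist into
a plain domain list suitable for the NextDNS denylist. Handles hosts-file
lines, adblock-style '||domain^' lines and bare domains."""
import re

# Constructed sample input covering the formats; hostnames are placeholders.
SAMPLE_LIST = """
# DoH blocklist (constructed sample)
0.0.0.0 doh.example-resolver.test
127.0.0.1 dns.example-resolver.test   # trailing comment
||doh.another-resolver.test^
bare.resolver.test
0.0.0.0 doh.example-resolver.test
localhost
not a domain!!
"""

HOSTS_RE = re.compile(r'^(?:0\.0\.0\.0|127\.0\.0\.1|::1?)\s+(\S+)$')
ADBLOCK_RE = re.compile(r'^\|\|([^\^/]+)\^?$')
# One or more labels followed by an alphabetic TLD; rejects junk lines.
DOMAIN_RE = re.compile(
    r'^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$')
SKIP = {'localhost', 'localhost.localdomain', 'broadcasthost'}


def extract_domain(line):
    """Return the domain a blocklist line names, or None if it names nothing."""
    line = line.split('#', 1)[0].strip().lower()
    if not line:
        return None
    m = HOSTS_RE.match(line) or ADBLOCK_RE.match(line)
    cand = m.group(1) if m else line
    if cand in SKIP or not DOMAIN_RE.match(cand):
        return None
    return cand


def parse_blocklist(text):
    """Deduplicated domains in first-seen order."""
    seen = set()
    out = []
    for line in text.splitlines():
        d = extract_domain(line)
        if d and d not in seen:
            seen.add(d)
            out.append(d)
    return out


def denylist_requests(domains, profile_id):
    """Describe one API request per domain without sending anything.

    ASSUMPTION: endpoint and body shape follow the NextDNS API docs as the
    author of this example recalls them; verify before use. The API key goes
    in an 'X-Api-Key' header, which is left to the caller.
    """
    return [
        {'method': 'POST',
         'url': f'https://api.nextdns.io/profiles/{profile_id}/denylist',
         'json': {'id': d, 'active': True}}
        for d in domains
    ]


if __name__ == '__main__':
    for domain in parse_blocklist(SAMPLE_LIST):
        print(domain)
```

Pipe a downloaded list through `parse_blocklist` and you get exactly the domains, which answers question 1 as well: the entries are ordinary hostnames, so the denylist can carry them. The limitation the other replies point at still applies, though: a denylist stops clients that ask NextDNS to resolve the DoH server's name, not a client that already knows the server's IP address, which is why the router-level IP reject rule is the complementary control.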
-
You may need to do a MITM SSL decrypt to block certain sites. Would require you install certificates on all clients, but if you have control of them, then that shouldn't be too much of a problem.