0

Block Bypass Methods not blocking other DoH servers.

I found this in some other post, it's a list of public DoH servers https://github.com/curl/curl/wiki/DNS-over-HTTPS#publicly-available-servers

I have NextDNS enabled via the nextdns-cli on my Unifi Dream Machine and have verified that it indeed blocks sites in accordance with my profile on NextDNS. It also blocks bypass methods because I can't visit any website for a vpn provider.

So I tried to add some of the servers on the list above as DoH in Chrome and they weren't blocked. You can verify this by setting https://au01.dns4me.net as DoH and trying to visit a blocked site. 

My concern is mostly around protecting my children's laptops. School is making them bring a laptop these days. They have MacBooks with the NextDNS profile installed  and I've blocked installing apps not from the AppStore so effectively not letting them install Chrome. However the school system where I live use Google products so it's only a matter of time before one of their products doesn't quite work on Safari and they'll need Chrome. I cannot for the life of me figure out how to lock Chrome down. The parental features on that browser are based on profiles but children can just log out of the profiles so not effective.  Also can't lock down the settings of that browser with a password. It's really frustrating. 

Is this not being blocked by Chrome a bug on behalf of NextDNS or is it just not supported?

16 replies

null
    • Martheen
    • 1 yr ago
    • Reported - view

    It's a lost cause. That list is just a small percentage of publicly available DoH servers out there. And even without setting up their own (which is really, really easy with Cloudflare Workers) or using other servers, you know what anyone can do to bypass NextDNS filtering? Just use the non-filtering generic address (ie, without any profile identifier). Boom, that's it, done. NextDNS can't really block it since it needs it to function, and yet if set on browser setting it will override the OS , router, NextDNS app setting, etc.

      • Five_Tires
      • 1 yr ago
      • Reported - view

       thanks for that, I was afraid it was going to be impossible seeing how DoH servers are spring up left right and center. I have the packet filter firewall of MacOS configured to block the most common ones (google dns, Cloudflare, OpenDNS, etc) as well as the default ones from our ISP.

      Another solution would be if someone made a parent friendly chromium browser that had the option to put settings and flags behind a password as well as the installation of extensions.  Can't seem to find that either. Until I find a solution Safari will have to do. 

      • Martheen
      • 1 yr ago
      • Reported - view

       By generic address, I mean NextDNS own address. If you're using NextDNS then your setup needs to be able to resolve the NextDNS domain (or maybe hardcode the IP), thus, it's impossible to block an app if that app can pick its own DoH address and use NextDNS generic address.

      Shouldn't the school have its own MDM to enforce browsing restrictions? Seems like begging for trouble if they require students to bring computing device into their network but doesn't have a management system in place.

      • Five_Tires
      • 1 yr ago
      • Reported - view

       The school has no MDM. Also as kids get older I'm learning to rely less and less on the networks as they move between home, school, grandparents house, other family's house, friends house and their mobile network. For parental controls to truly work they need to be enforced on the device. 

      • Martheen
      • 1 yr ago
      • Reported - view

       Ah, porn (or drugs, radicalism etc) will always find a way. They inherit your technical proficiency, so if they *want* it, they'll get it, regardless of how you lock down the devices. Mac still allows booting right into a USB install (yes, even the M1/M2) which will ignore the internal drive, whereby they can run a shadowsock client that obfuscate itself as innocuous HTTPS traffic connecting to a generic CDN provider. iOS devices are better covered by nature, but I'm sure there are thousands Tiktok videos that will guide horny teens to work around the filter.

      If you already set the DNS to porn filtering, you've done enough. It will stop accidental visits from clicking random link, and that's all you can do.

      • Five_Tires
      • 1 yr ago
      • Reported - view

       haha thanks, it is a battle I can't win. Hopefully I can  keep winning  long enough until they are a bit older and able to make more sense of all that crap.  My biggest regret was giving them MacBooks rather than replace their aging iPads with better ones. Once they have a MacBook it's hard to make them want to go back to iPads for anything other than watching some entertainment. 

      • Martheen
      • 1 yr ago
      • Reported - view

       In the Platonic series from this year, there is a scene when the kids in the family turn out hiding an iPad, the parents don't seem to be very techie, but even if they do, I'm sure it's possible to just buy a prepaid SIM to get around any Wifi filtering/detection. In real life, some Android prepaid phones are pretty cheap too, affordable even with a modest allowance, and probably can be hidden much better.

      One of the plots in The Power series is how the boy in the family is being radicalized right under his parent's noses from content in regular social media & mainstream news, which is readily available unless one blocks the entire internet and only whitelists very specific sites.

      I'm a parent too, and just trying to keep YouTube from turning perfectly innocuous streams of Kurzgesagt videos into recommendations of trash videos is just hopeless, regardless of the use of YouTube kids or repeatedly telling it to not recommend the trashy channel. I guess the only hope is to keep finding them something more interesting to do.

    • brodie7838
    • 1 yr ago
    • Reported - view

    I'm not too familiar with Dream Machine these days but in RouterOS (Mikrotik) I have been working to address similar scenarios by creating "IP Lists" of DoH servers that I don't want used, followed by a Firewall rule to Reject all traffic destined for any IP on the list. I also have another rule that DSTNATs all regular DNS back to the router if not already destined there as I want everything funneled through router first, then on to NextDNS via DoH.

    This seems to be effective enough of a catch-all for all devices & software on the network so all DNS goes through NDNS as expected - I have Android and Roku devices all hit these rules daily but never had anything failing to work correctly. If I force a static regular DNS server (eg GDNS) on a client's config, it continues to function as normal through NDNS, and if a DoH server that's on the IP List is used, DNS just fails until the issue is corrected lol (most devices seem to just fail back to regular DNS which then hits the NAT rule).

    So far I only block the more common DoH servers and that seems to do the trick as it would be tedious and probably pointless to try and maintain all of them router's config - guess it depends on how motivated your kids are to circumvent!

    A final thought on your Chrome challenge: https://support.google.com/chrome/a/answer/9037717

      • Five_Tires
      • 1 yr ago
      • Reported - view

       Hey thanks for your comment: I have done something similar for now but with mixed success. I don't want to rely on the network for parental control as kids move between so many different networks these days. Instead on the MacBook I made a list of common and known DoH servers and configured a rule in the pf firewall on MacOS to block traffic to them. 

      However as @Martheen pointed out t's a bit of a lost cause because it's a came of whack-a-mole I can't possible win. For now enforcing only AppStore installs blocks Firefox and any Chromium browsers. Safari plays very nicely with the installed NextDNS profile. 

    • brodie7838
    • 1 yr ago
    • Reported - view

    Yeah that's a hefty challenge, short of employing an always-on VPN controlling the network layer is pretty difficult these days. I ended up finding  a thread on Reddit where the author of that GitHub DoH list talked about this topic extensively, and it seems the general consensus was about the same there too; talks of Layer 7 firewalls and stripping SSL lol

      • Five_Tires
      • 1 yr ago
      • Reported - view

       Do you happen to still have a link to that reddit thread? I'd be keen to read that discussion as well.  I feel like letting the kids move from iPads to MacBooks was not a great decision. The iPad seems much easier to control. 

    • brodie7838
    • 1 yr ago
    • Reported - view

    This subject got me curious about DNSoTLS and so I dropped a logging rule in and already found something using it and bypassing my other rules 👀

    • NAS
    • 3 mths ago
    • Reported - view

    This may be the Reddit link to the GitHub DOH-block list:

    https://www.reddit.com/r/pihole/comments/1baz70t/dns_over_https_doh_blocklist/

     

    Here's one to more GitHub blocklists. YMMV.

    https://www.reddit.com/r/pihole/comments/1bee4a7/add_local_dns_records_for_doh/

     

    Apologies if these are obvious/stupid questions, but:

    1. Could one just implement that blocking on NextDNS (instead fo the router)? After all, they are web address domains.

    2. Is there an easy way to upload a blocklist to NextDNS? It looks like I would have to add them one at a time to the NextDNS 'denylist' (or write a script to add them for me...)

      • Martheen
      • 3 mths ago
      • Reported - view

      They could, but like I said, what's the point? Anyone can just use the non-filtering NextDNS address which can't be blocked.

      • NAS
      • 3 mths ago
      • Reported - view

      First,

      If you want to add the DOH blocklist then either paste them all in (not too long) or maybe use this bulk upload script:

      https://www.reddit.com/r/nextdns/comments/1c1nm2f/i_have_found_a_way_to_upload_domains_in_bulk_for/

      Second,

      Thanks; I had seen your earlier post. I am not trying to block any _person_ inside my house -- a much harder problem -- just apps/programs/operating systems/malware doing things I didn't authorize. I don't think any of them are likely to be using the NextDNS non-filtering address.

      That said, the DOH blocklists do seem like a doomed game of whack-a-mole.

      --> Do you have any other suggestions?

      Beyond the DOH blocklists I am unsure what to do. Would disabling DNS over HTTPS (DOH) in my router solve it? [I suspect not, since the IPv4 system could then be used to get the addres to a DOH server and then the program can use that... but maybe I'm wrong?]

      PS: DOT I (think I) have blocked via blocking use of port 853. Unsure whether bad actors can just use some other port though.

    • Eric.9
    • 3 mths ago
    • Reported - view

    You may need to do a MITM SSL decrypt to block certain sites.  Would require you install certificates on all clients, but if you have control of them, then that shouldn't be too much of a problem.

Content aside

  • 3 mths agoLast active
  • 16Replies
  • 1064Views
  • 4 Following