
NextDNS can be bypassed by... NextDNS!

NextDNS blocks every method of bypassing the filter, except itself.

If you put a random NextDNS ID in your browser, it will override the NextDNS ID of your system and even the ID of the NextDNS app.

On Firefox you don't even need to put in another ID: if you choose NextDNS on the secure DNS page, it will also override the system ID.

I think there should be a way to avoid this, and for NextDNS to follow the system/app ID, ignoring the one in the browser if it's different.

6 replies

    • Martheen
    • 9 mths ago

    It's not a bug, it's a feature of DoH. Firefox specifically doesn't send a user agent with DoH requests, so NextDNS can't tell if a request comes from Firefox or other apps (actually, most privacy-respecting apps deliberately don't send any data except the URL and the DNS payload itself).

    Thus, there's no way for NextDNS to tell which is the "authoritative" ID of a particular system. Imagine what happens if your ISP uses CGNAT and other users of NextDNS share your IP; would you like your config to randomly change just because of that? Or if someone in the house sends a Do53 request through IPv6, should the linked config become authoritative for the entire household just because the router and OS use DoH?

    Now, the NextDNS *app* can be configured to override/lock the browser's DoH settings, but while that's expected for a corporate/parental lock app, currently that's not the NextDNS app's proposition, and moving towards that might sour the relationship between NextDNS & Firefox, and also go against users who might simply want the usability of the app without the baggage.

      • Bryan_Swift
      • 9 mths ago

      Martheen ''Imagine what happens if your ISP uses CGNAT and other users of NextDNS share your IP, would you like your config to randomly change just because of that?''

      => What do you mean? What is CGNAT? I just don't want someone to change the ID in the browser and then override my settings.

      What is the point of parental control if a kid/teen can easily override the apps/sites you block by simply putting in a random ID that you can obtain by simply accessing the NextDNS site? .-.

      In Brave you can just paste the random ID and open the Tor window, and it will connect right away.

      ''Now, the NextDNS *app* can be configured to override/lock browser's DoH settings''

      =>> HOW?

      • Martheen
      • 9 mths ago

      Bryan Swift CGNAT is the ISP's way to handle the exhaustion of IPv4 addresses by sharing the same public IP across multiple customers. Effectively, it means NextDNS can't see if there's any "hierarchy", where a setting might be ignored or not.

      You misunderstood the point of DoH: there's no signal that says "hey, I'm the reigning setting for this network, you must ignore other configs". Actually, there's no such thing in Do53 either, it just gets replaced entirely. As far as the router and ISP care, DoH is just yet another HTTPS request; sure, they can see from the SNI that it's a DoH request if they bother to check, but they don't know what exact config is used, and inversely that's also the case for NextDNS: it doesn't see whether a DoH request comes from a particular network where it must be ignored or such.

      Tor can't be blocked by DNS, that's the point of Tor, evading censorship.

      By the app I mean the dev *can* add that functionality if they bothered to, but I bet most of NextDNS users don't want such functionality, otherwise they'd just move to a proper parental control app. NextDNS is not a parental control app.

      • Bryan_Swift
      • 9 mths ago

      Martheen

      ""You misunderstood the point of DoH, there's no signal that says "hey, I'm the reigning setting for this network, you must ignore other configs". ""

      =>Then how can they block evading methods like putting another DoH service? Because the pages don't load if you do that with that setting on.

      "Tor can't be blocked by DNS, that's the point of Tor, evading censorship."

      =>Of course it can, it's blocked by the same option I mentioned above, and it works, I tested it. I guess NextDNS recognizes the Tor nodes (which are public) and then blocks the connection to them.

      =>Also, there's no such thing as censorship in a private property. Each one decides the rules in their own properties. Censorship is when someone OUTSIDE of your private property wants to IMPOSE rules over it, like the government always does.

      "NextDNS is not a parental control app."

      If it isn't, then why bother to put parental control in the settings? '-'

      I guess that, if there's such thing as parental control in it, then a lot of NextDNS users care about it.... Thus they should know that there's an easy way to bypass their custom rules.

      • Martheen
      • 9 mths ago

      Bryan Swift 

      >how can they block evading methods like putting another DoH service

      Only because DoH requires bootstrapping. On Firefox the IP can be manually specified through about:config in network.trr.bootstrapAddress, and NextDNS can't block those at all. In the case of NextDNS, obviously, the same IP is used to resolve, so NextDNS doesn't work to block other NextDNS configs.

      >it's blocked by the same option I mentioned above

      No, it doesn't. Tor Browser, not the mediocre implementation in Brave, carries the node IP list and doesn't require DNS resolution at all.

      >censorship in a private property

      The point is Tor Browser doesn't care (or even know) if the censorship is from a private entity or the government.

      >a lot of NextDNS users care about it

      Do they? I don't see many posts about it. Only very few express chagrin about how easy it is to just disable or change the DoH setting. The setting is only useful against accidental clicks (i.e., someone not interested in evading the block). A proper parental control app takes over the OS and forces the settings, monitors attempts to evade, regularly reports back to HQ, and is definitely not what the average NextDNS user wants due to the privacy implications and the complexity of restoring settings if they misconfigure it or forget the password.
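A defender-side check that follows from the bootstrapping point in this reply, as an added example that is not from NextDNS, Mozilla, or any participant in the thread: it parses a Firefox prefs.js and flags a browser DoH (TRR) configuration that points at a profile other than the one an administrator expects, or that sets a manual bootstrap address. The pref names are real Firefox prefs; the expected profile URL, the sample prefs and the bootstrap IP are constructed placeholders.

```python
import re

# Constructed placeholder for the DoH endpoint an administrator expects the
# browser to use (NextDNS profile URLs have the form https://dns.nextdns.io/<id>).
EXPECTED_DOH = "https://dns.nextdns.io/abc123"

# Constructed sample prefs.js content; the pref names are real Firefox prefs.
SAMPLE_PREFS = """\
user_pref("network.trr.mode", 3);
user_pref("network.trr.uri", "https://dns.nextdns.io/zzz999");
user_pref("network.trr.bootstrapAddress", "192.0.2.53");
"""

PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text):
    """Parse user_pref(...) lines into a dict of str/bool/int values."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue
        key, raw = m.group(1), m.group(2).strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[key] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[key] = raw == "true"
        else:
            prefs[key] = int(raw) if raw.lstrip("-").isdigit() else raw
    return prefs


def audit_trr(prefs, expected=EXPECTED_DOH):
    """Return findings about the TRR (DoH) config; empty means off or as expected."""
    findings = []
    mode = prefs.get("network.trr.mode", 0)        # 0/5 off, 2 TRR first, 3 TRR only
    uri = str(prefs.get("network.trr.uri", "")).rstrip("/")
    bootstrap = prefs.get("network.trr.bootstrapAddress", "")
    if mode in (2, 3) and uri and uri != expected.rstrip("/"):
        findings.append(f"DoH enabled (mode {mode}) toward {uri}, not {expected}")
    if bootstrap:
        # A manual bootstrap address skips the Do53 lookup of the DoH host,
        # so an upstream DNS filter never sees which resolver was chosen.
        findings.append(f"manual bootstrap address {bootstrap} set")
    return findings


if __name__ == "__main__":
    for finding in audit_trr(parse_prefs(SAMPLE_PREFS)):
        print("finding:", finding)
```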
