
NextDNS for parental controls but without encrypted DNS

I have my kid's devices set to his own NextDNS profile with parental controls and a Deny list. At his age and limited tech savvy, this has worked great to keep his online activities protected.

I use an Apple Profile on his iPad (7th gen) for NextDNS. Recently, it appears, his school has stopped allowing encrypted DNS traffic. He gets a Privacy Warning with the message "This network is blocking encrypted DNS traffic." Apps and browsers that require internet access do not work. Once he removes the profile, everything works fine. The same occurs if I use the NextDNS app instead of an Apple Profile.

Assuming encrypted DNS is indeed the issue and not allowed on his school network, is there a way to use his NextDNS profile without encrypted DNS? Basically, I would still like to use NextDNS for parental controls and Deny list, if possible.

And, yes, I understand that I could install proper parental software instead but the simplicity of NextDNS has been great so far :)

8 replies
  • Try connecting to NextDNS using DoH. It might succeed, unless the school is blocking the NextDNS address and IP; then you're doomed. LoL

      Gaurav (iamtheanon), 5 mths ago

      aioyups That shouldn't work since the Apple Profile is DoH only. As such, they must be using other methods to block encrypted DNS traffic on port 443.

      Sam S. However, you could try running the DNSCrypt protocol instead. It is available on iPad and is quite easy to set up. It may work. The app name is DNSCloak (it is open source). You will find the instructions in there, or watch some videos/articles on how to set up DNSCrypt in the DNSCloak app.

      The other option is using a linked IP and setting up DNS servers using the IPv4 and IPv6 addresses available on the my.nextdns.io page and entering them in the Wi-Fi settings on your iPad. Mind you though, this will be 100% unencrypted.

      Instructions here: https://appleinsider.com/articles/18/04/22/how-to-change-the-dns-server-used-by-your-iphone-and-ipad

      aioyups, 5 mths ago

      Gaurav according to Apple it supports both DoH and DoT: https://developer.apple.com/documentation/networkextension/dns_settings

      So it's better to check first what protocol he uses. If it's not DoH then he can try it first.

      And NextDNS does not support the DNSCrypt protocol, so that's not possible. As for the linked IP method, it needs an additional app to set up DDNS or to hit the linked link, else there will be no filtering at all.

      losnad, 5 mths ago

      "And nextdns not support dnscrypt protocol so not possible. As for linked IP method it needs additional app to set ddns..."

      Are you sure?

      My DDNS doesn't need any software; I just have to choose a domain and activate it in my online account at my ISP. There were other online services which offered this.

      And the first part about dnscrypt...

      https://help.nextdns.io/t/60hf3wn/dnscrypt-on-freshtomato?r=35hf82c#35hf82c

      aioyups, 5 mths ago

      losnad yeah, I'm pretty sure. You might use DNSCrypt apps, but the protocol used is still DoH or DoT (if you manually set it to be). DNSCrypt apps support 3 protocols, which are DoH, DoT, and DNSCrypt. So just because you use DNSCrypt apps and syntax doesn't mean you use the DNSCrypt protocol. If you don't believe it, just translate that sdns and you'll find that it is actually using DoH, not DNSCrypt. Apple supports both DoH and DoT, so it's simply unnecessary to install DNSCrypt just to end up using DoH.

      As for DDNS, it definitely needs software to update the IP, or else who updates the IP when it changes? Definitely not a ghost, right. The software could be installed in the router, on the device, or on the ISP side as an add-on service; the point is, it's definitely there. But please stay on topic: the subject now is an iPad connecting to a school network, so it's impossible to control its ISP online account. Which is why I said you need additional software for the linked IP method, or else no filtering (naturally you can click the link manually if you don't want to use software. LoL)

      losnad, 4 mths ago

      I searched, read, checked and you are right. If it uses the DNSCrypt protocol, the sdns://... should translate to dnscrypt://...

      As for the rest, I choose to ignore you.

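As an added example (not code from this thread, from NextDNS or from DNSCloak), here is a small Python decoder for sdns:// DNS stamps, which is the "translate that sdns" check aioyups describes: the first byte of the decoded stamp names the transport (0x01 DNSCrypt, 0x02 DoH, 0x03 DoT), so a stamp loaded into a DNSCrypt client may in fact select DoH or DoT. The field layout follows the public DNS Stamps specification; the resolver addresses and names in the samples are constructed, not real servers.

```python
import base64
import struct

# First byte of a DNS stamp names the transport (DNS Stamps specification).
PROTOCOLS = {0x00: "Plain DNS", 0x01: "DNSCrypt", 0x02: "DNS-over-HTTPS", 0x03: "DNS-over-TLS"}

def _lp(buf, pos):  # one length-prefixed field -> (value, next position)
    n = buf[pos]
    return buf[pos + 1:pos + 1 + n], pos + 1 + n

def _vlp(buf, pos):  # list of length-prefixed fields; bit 0x80 on a length byte means more follow
    items = []
    while True:
        n = buf[pos]
        items.append(buf[pos + 1:pos + 1 + (n & 0x7F)])
        pos += 1 + (n & 0x7F)
        if not n & 0x80:
            return [i for i in items if i], pos

def parse_stamp(stamp):  # decode an sdns:// stamp and report which transport it really selects
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    raw = stamp[len("sdns://"):]
    buf = base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4))  # restore stripped padding
    proto, props = buf[0], struct.unpack("<Q", buf[1:9])[0]      # props is a little-endian u64 bitmask
    out = {"protocol": PROTOCOLS.get(proto, "unknown(0x%02x)" % proto),
           "dnssec": bool(props & 1), "no_logs": bool(props & 2), "no_filter": bool(props & 4)}
    addr, pos = _lp(buf, 9)
    out["addr"] = addr.decode()
    if proto == 0x01:                 # DNSCrypt: provider public key, then provider name
        pk, pos = _lp(buf, pos)
        name, pos = _lp(buf, pos)
        out["provider_pk"], out["provider_name"] = pk.hex(), name.decode()
    elif proto in (0x02, 0x03):       # DoH / DoT: cert hashes, hostname, then path for DoH
        out["cert_hashes"], pos = _vlp(buf, pos)
        host, pos = _lp(buf, pos)
        out["hostname"] = host.decode()
        if proto == 0x02:
            out["path"] = _lp(buf, pos)[0].decode()
    return out

def build_stamp(proto, props, *fields):  # encoder used only to construct the samples below
    body = bytes([proto]) + struct.pack("<Q", props)
    for f in fields:                  # an empty field also serves as an empty list (single 0x00 byte)
        body += bytes([len(f)]) + f
    return "sdns://" + base64.urlsafe_b64encode(body).decode().rstrip("=")

# Constructed samples (hypothetical resolvers, not real servers): a DoH stamp and a DNSCrypt stamp.
DOH_STAMP = build_stamp(0x02, 0x01, b"", b"", b"dns.example.net", b"/dns-query", b"")
DNSCRYPT_STAMP = build_stamp(0x01, 0x06, b"203.0.113.10:8443", bytes(32), b"2.dnscrypt-cert.example.net")
```

Paste a stamp from a DNSCloak or dnscrypt-proxy config into parse_stamp and read the "protocol" key: only a stamp whose first byte is 0x01 actually speaks DNSCrypt on the wire.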
  • The requests from the iPad show up as DNS-over-HTTPS in NextDNS logs. I suspect if they're going through the trouble of blocking DoH, they're most likely blocking DoT too, since that's a lot easier to block.

    I think a Linked IP with some DDNS software on the iPad is probably the only possible solution left.

    I'm already using Linked IP with my home router (Google WiFi, so it doesn't support NextDNS inherently), so I will have to get a new NextDNS account for my kid.

    As I mentioned, my primary purpose here is parental controls. Encrypted DNS for my scenario is not necessary. I don't mind if the school also snoops on his DNS traffic 🙂

    Thank you for the suggestions.

      aioyups, 4 mths ago

      Sam S. well, not to discourage you, but if they are strict enough to do DPI for HTTPS then most likely the linked method through the standard DNS port would be redirected to the school DNS too. At least that's what I'd do first before bothering with TLS and HTTPS, because it's the easiest and cheapest trick.

      However, you can still try it; who knows, maybe the admin got his head hammered somewhere and missed this step. 😂
