1

Does NextDNS Web filter stop user from accessing adult sites when Windows TCP/IP setting of DNS server change to 8.8.8.8?

Hi,

I am just wondering how can NextDNS Web filter stop user from accessing adult sites, when DNS setting was tampered and changed to a public free DNS server IP, instead of NextDNS?

Thank you.

7 replies

null
    • hagezi
    • 9 mths ago
    • Reported - view

    No. The activated function Bypass under Parental Control only prevents DoH, VPN, proxies and Tor. However, it does not prevent anyone from using a native DNS or DoT/QUIC server. You must prevent this yourself in your local network.
    To ensure the bootstrap is your DNS server you must redirect or block standard DNS outbound (TCP/UDP 53) and block all DNS over TLS (TCP 853) outbound.

      • Wepee
      • 9 mths ago
      • Reported - view

      Ha Ge Zi 

      Ha Ge Zi said:
      To ensure the bootstrap is your DNS server you must redirect or block standard DNS outbound (TCP/UDP 53) and block all DNS over TLS (TCP 853) outbound.

      Thanks for replying. 

      So in order to force every device in my local LAN, I would need to do either:

      Redirect port 53 & 853 to 443??

      or 

      Just block port 53 & 853 entirely.

      which I can do it at my Firewall. 

      But, let's say a device in my LAN is using DOH on another DNS server, say Google. 

      In order, to block the encrypted traffic, I would need to install the  NextDNS root CA on the device? Right?

      Thanks in advance.

      • Martheen
      • 9 mths ago
      • Reported - view

      Wepee Blocking DoH is much harder than that. The NextDNS CA is only used so the blocked message from NextDNS is still loaded for HTTPS, it doesn't try to analyze your HTTPS traffic (which doesn't go to NextDNS server). There are lists that you can use to block known IPs of DoH providers, but dedicated enough users can just find an obscure DoH provider or create one themselves on Cloudflare Workers etc.

      • hagezi
      • 9 mths ago
      • Reported - view

      Wepee

      - Block port 53/853 in the router or in your firewall for the clients concerned.
      - Activate Bypass in NextDNS under Parental Control (blocks DoH, VPN, Proxies, ...).
      - Done

      But depending on how clever they are, they find a way around it.

      • Wepee
      • 9 mths ago
      • Reported - view

      Ha Ge Zi Alright cool thanks!🙂

      • edward_a
      • 9 mths ago
      • Reported - view

      Martheen hi there, what lists are these please?

      • Martheen
      • 9 mths ago
      • Reported - view

      Edward https://github.com/dibdot/DoH-IP-blocklists but they're not usable in NextDNS (since they're not domain-based), they will break sites that happen to use the same CDN as a DoH server, and they still won't stop DoH servers created in few clicks like https://github.com/tina-hello/doh-cf-workers

Content aside

  • 1 Likes
  • 9 mths agoLast active
  • 7Replies
  • 246Views
  • 5 Following