
Home router does not allow me to change the DNS

Hello,

I am a school IT Administrator.  Our students bring their personal devices to school every day, where we filter them as expected for safeguarding purposes.

I would like to advise some of our school's parents to purchase NextDNS, as other software we have tried, such as Qustodio, conflicts with our school HTTPS Decryption and causes conflicts and compatibility.

I also cannot advise parents to set up student's device "DNS over HTTPS" nor "NextDNS for Windows" as this will also cause conflict with the school network when the device comes in. Let alone that students are administrators on their devices, and therefore soon enough they will learn how to bypass the DNS if tech savvy.

This leaves me to advise parents to set up the DNS on their home router, right?

Two questions:

1. If the Home router does not allow me to change the DNS, then there is nothing I can do, right? Short of replacing the router of course. The PlusNet Hub One in the UK for example does not offer options to change the DNS.

2. Assuming the parent home router does allow them to add the 2 DNS servers of NextDNS, on the router this will be applicable to all home devices, right? Is there any way therefore to create a profile on https://my.nextdns.io/, specific to a home device, but leave the rest be?

Thanks

Daniel

4 replies

    • david_demfers
    • 2 mths ago

    What on earth do personal home routers have to do with online safeguarding at a school? You say yourself that installing NextDNS on each device is impractical, but somehow NextDNS running on a home router gets around this?

    And I don't even see what the actual problem is anyway. You say that the school network is already being filtered, I believe when you say HTTPS, you mean SSL decryption? Well isn't this enough to begin with? Do you do domain blocking too? I would assume you have filtering groups depending on who the end user is (Staff, Students etc.), well surely any non-server managed device, e.g. personal, is being filtered too regardless.

    My previous job was funnily enough what you do, and I have never heard of home routers needing to be played with to suit a school network, apart from the fact that's not how the internet works anyway!

    • Daniel_Papadopoulos
    • 2 mths ago

    When I state above "I would like to advise some of our school's parents to purchase NextDNS, as other software we have tried, such as Qustodio, conflicts with our school HTTPS Decryption (via SSL Certificate) and causes conflicts and compatibility.", this is because the same device goes home after school, and it is used in the evenings or at weekends at the student's home when young students go online. And there is no filtering at home, thus I am trying to find a solution to advise parents who ask how they can safeguard their children online when the device is at home.

      • ippyup
      • 2 mths ago

       Unfortunately many home routers in the UK do not allow changing of DNS - in fact I don't know of any providers who do with their default kit. Naturally they also do not support DoH. It's not a practice I like but without any regulation it is what it is. The providers I guess do have some argument that having free rein on DNS could cause major support headaches and potential compromises (e.g. dodgy/old firmware, malware adjusts DNS to point to rogue servers) but also they can monetize on NXDOMAIN responses with adverts.

      At the network level, since device level is a problem for you, basically the options are generally:

      1) Install another device to do DHCP, and disable your ISP router DHCP function (typically this is doable). Then on the new device, point DHCP wherever you like, or use something like AdGuard for easy DoH configuration.

      2) Replace the router entirely, but then 1) not all providers support this and 2) your average Joe does not know what they are doing, and if not configured correctly, could leave their home networks wide open. And 3) not all home connections use the same type of router. It would be a nightmare to support.

      Neither of these options is particularly good.

      And then regardless of what option you choose, people need to understand what NextDNS is doing, it can very easily break things if misconfigured. If the advice is to use upstream DNS servers and not DoH, then a hands off service like Cloudflare for Families or Quad9 is probably a better compromise. 

      As an aside, how are you doing HTTPS decryption on personal devices? I presume you have installed a Root CA? Do the parents understand the implications of this?

      But also one last note, you say students have local admin and savvy ones could bypass DNS...that would apply even when on a router level. They just need to set a new server on the device. That would then also break your school stuff presumably.

      You're between a rock and a hard place I think
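
Added example, not part of any post in this thread: a DHCP-only dnsmasq configuration sketching option 1 above, which also answers the original question 2 by handing the filtered DNS servers only to the student's device. The interface name, address range, router address, MAC address and the two `NEXTDNS_SERVER` values are assumptions or placeholders; the real server addresses come from the profile's setup page at https://my.nextdns.io/.

```conf
# /etc/dnsmasq.conf on a small always-on box (e.g. a Raspberry Pi).
# Prerequisite: DHCP is disabled on the ISP router, so this is the only
# DHCP server on the home LAN.

# DHCP only: do not run dnsmasq's own DNS service.
port=0

# LAN interface of this box (assumed name).
interface=eth0

# Address pool and lease time (assumed 192.168.1.0/24 home network).
dhcp-range=192.168.1.100,192.168.1.200,255.255.255.0,12h

# Default gateway stays the ISP router (assumed address).
dhcp-option=option:router,192.168.1.254

# Default for every device: keep using the ISP router as DNS server,
# so the rest of the household is left as it was.
dhcp-option=option:dns-server,192.168.1.254

# Tag the student's device by MAC address (constructed sample value).
# Many phones and laptops randomise their MAC per network; that
# feature must be off for this network or the tag will not match.
dhcp-host=aa:bb:cc:dd:ee:01,set:filtered

# Tagged options take precedence over the untagged default above,
# so only the tagged device is handed the filtered DNS servers.
# Replace both placeholders with the addresses from the setup page.
dhcp-option=tag:filtered,option:dns-server,NEXTDNS_SERVER_1,NEXTDNS_SERVER_2
```

After the device renews its lease, `ipconfig /all` on Windows shows which DNS servers it was given. As noted in the reply above, a DNS server set statically on the device by a local administrator overrides whatever DHCP hands out.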

    • okcprime
    • 1 mth ago

    A practical solution is Tailscale + NextDNS. You can control every network device using Tailscale and configure each and every device according to its need. Just use NextDNS as the global nameserver in Tailscale and read some of the Tailscale documentation. You do not need to configure your router. Just read the Tailscale documentation.
