Nextdns CLI bypassed by DNS53 queries + Android DoT problem

Eb Na how could it be possible to have a cleaner solution?  There’s no magic wand to block DOH.   That’s one of the reasons for DOH.

Calvin Hobbes Ideally, you’d want a DNAT rule that remaps any DNS queries on port 53 not directed to your router to go to your router. This is what I did, but I am running a fairly robust networking solution that allows that. To block DoT, turn on DNS redirector. DoH is nearly impossible to block without querying major known public DNS providers, recording the IPs, then blocking their IPs (I also do this—I’m currently blocking about 5000 public DoH provider IPs).

Eb Na the nslookup example you gave is intentionally bypassing your router.  I figured you were trying to prevent users from getting around NextDNS to reach hosts that you want to block and/or log.   If you want devices on your network to use NextDNS, then configure your clients to use your router’s DNS service by using  DHCP or manual configuration.  I’m confused on what you want to accomplish.   

Eb Na Meant to comment here instead of responding to the entire post. But yeah, that would be fairly tricky for NextDNS to implement using their command line tool because of all the different hardware it needs to work on and it wouldn’t be able to respect control guis like I have that tell me what firewall rules are implemented. Plus, they definitely have more pressing concerns (like updating their super old lists).

Eb Na Ah, I have sort of the reverse. I configured NextDNS on my router and then implemented DNS DNAT redirection rules so all port 53 standard DNS requests to any server that is not my router are automatically redirected to my router with the resultant response seemingly coming from the expected server (that is, if the client sent it to 1.1.1.1, it comes back as if the response were from 1.1.1.1) and the client is none the wiser. I have furthermore blocked DNS over TLS requests with a firewall rule blocking the port.

More comprehensively, I’ve blocked most public DNS over HTTPS server’s IP addresses (besides my specific NextDNS servers) that I could find online. I used some publicly available DoH server lists that are fed into a script to get the resultant IPs, which said scripts pushes into a firewall rule on my router. I’m currently blocking about 7,000 IPs from returning DoH results to clients inside my network (excepting the firewall, which is where the script is run). I’ve set this up as a cron job on my router so that it will automatically update IP addresses as they change or as the feeder lists get new results due to additional servers being added to their lists.  It’s not perfect, but it’s fairly robust and blocks the obvious/easiest/most likely DoH providers while also blocking a lot of not so obvious/easiest/likely results as well. It’s almost certainly overkill but I was really getting annoyed with the number of requests devices on my network were making to random DNS servers I never set up for them to use. Plus, I want the requests to be logged so I have an audit trail.