DNS Director

Ok above is the list of all the DOH servers.
How do I import the list into my router? Or do I need to type them in 1 by 1?
Generally, I assume the most common way to use the OneOffdallas DoHServers list is to import it into AdGuard Home or Pi-Hole if one is using either of those two programs. Or if one is using a similar DNS request filter/block program on a client machine or firewall (for example pfSense and the pfBlocker-NG package) that has the capability to import/use such blocking lists.
 
Thanks, I googled and found this information about importing in bulk:
I have pfSense running at home with DNS forwarding enabled.
This will forward all DNS requests to my Adguard Home Docker container running on my UnRaid server.
Now, I will test, how can my pfSense firewall LAN rule block DOH queries initiated from the LAN network.
 
Hi,

I am not a network guru here; I am just trying to use the functions of my Asus router to the fullest,
in any possible way.

I have downloaded the AsusWRT manual from the Asus website
and found that there is no reference or documentation about DNS Director.


Reference: https://github.com/RMerl/asuswrt-merlin.ng/wiki/DNS-Director
The link above has some brief documentation but does not show the real nitty gritty details
of its configuration.

So naturally, I just want to ask the community: has anyone tried this DNS Director feature before?

I have tried & tinkered over the weekends, and I have determined the following findings to be true.
If anyone finds my statement to be false, please feel free to correct me by showing
a screenshot of the findings. For me, I have prepared enough screenshots to back up
my investigation.

1) DNS Director: What is the purpose?

DNS Director overrides the router's WAN DNS settings when activated and properly configured.
[DNS Director, when enabled, will just take over "the whole ship he is the captain"]

2) DNS Director: What is the purpose?

You can have a group of LAN devices send DNS queries to DNS A.
And you can have another group of LAN devices send DNS queries to DNS B.
DNS A = less restrictive for a grown-up adult to access the internet
DNS B is very restrictive for underage kids to access the internet.

3) Let's say DNS B (very restrictive) is configured to be used in the router's WAN setting.
A smart underage user went to the Windows TCP/IP properties and changed its
DNS setting to DNS A (less restrictive).

Under this condition, DNS Director has no way to intercept and force all the DNS queries back to DNS B.
Hence, the user has successfully circumvented the restriction by simply changing the DNS server.

4) Presumably, all underage users do not have access to a VPN.
How to prevent underage users from surfing the internet to adult sites is actually not by activating DNS Director.
Here are the following steps:

(A) Disable DNS Director.
(B) Use CleanBrowsing Family DNS servers (or any free DNS servers of your choice) at the WAN setting.
(C) Go to Firewall >> Network Services Filter >> Create a deny list >> Add 2 lines to block traffic TCP and UDP port = 53
Done.

The above 3 steps will stop any user trying to access a restricted website. Once the DNS setting is tampered with,
accessing the internet will be blocked.

Thank you.
Sorry to pull up an old thread, but did you find an answer that worked for you in the end?

I have the NextDNS CLI installed on my ASUS Merlin router, and would love to find a means to block people from changing a Windows setting, or Android private DNS setting etc. just to get around the NextDNS profile configured on the router (Them promiscuous kids eh?!?) that blocks things like you know what, and more.

Does anybody have a suggestion to achieve such a thing?
 

If someone configures DOH on their PC or browser you can't stop them other than installing a blacklist of known DNS servers, but that blacklist will never be 100%. Even with a blacklist, all they have to do is connect to a VPN to bypass your DNS, so then you'd have to blacklist known VPNs which is an even harder task as they change their IPs daily specifically to defeat blacklists.

Your best hope is to either control and punish the users of the PCs should you catch them bypassing it, or lock the PCs down so they can't change those settings.

DNS Director helps, but it is not a 100% solution.

You can utilize parental controls in conjunction with DNS Director, but again, a VPN can bypass that.
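An added illustration of the limits discussed in the posts above (not code from any poster or from Asuswrt-Merlin): a small audit over connection records that flags clients sending DNS somewhere other than the router, covering plain DNS, DNS over TLS, and DoH to listed resolvers. The router address, LAN subnet, record format and DoH address set are all constructed assumptions.

```python
import ipaddress

# All values below are constructed for illustration (assumptions, not from the thread).
ROUTER_IP = "192.168.1.1"                      # the only resolver clients should use
LAN = ipaddress.ip_network("192.168.1.0/24")
DOH_IPS = {"203.0.113.53", "198.51.100.8"}     # stand-in for an imported DoH server list

# Constructed connection records, one per line: "src dst proto dport"
SAMPLE = """\
192.168.1.20 192.168.1.1 udp 53
192.168.1.31 203.0.113.9 udp 53
192.168.1.31 203.0.113.9 tcp 853
192.168.1.42 203.0.113.53 tcp 443
192.168.1.42 198.51.100.77 tcp 443
192.168.1.50 198.51.100.200 udp 51820
"""

def classify(src, dst, proto, dport):
    """Return a label if this flow bypasses the router's DNS, else None."""
    if ipaddress.ip_address(src) not in LAN or dst == ROUTER_IP:
        return None
    if dport == 53:
        return "plain-dns-bypass"        # what a port 53 deny rule stops
    if dport == 853 and proto == "tcp":
        return "dot-bypass"              # DNS over TLS, e.g. Android Private DNS
    if dport == 443 and dst in DOH_IPS:
        return "doh-known-resolver"      # only as good as the list
    return None                          # unlisted DoH and VPN flows land here

def audit(text):
    """Map each LAN client to the set of bypass labels seen for it."""
    findings = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue                     # skip malformed records
        src, dst, proto, dport = parts
        try:
            label = classify(src, dst, proto.lower(), int(dport))
        except ValueError:               # src was not an IP address
            continue
        if label:
            findings.setdefault(src, set()).add(label)
    return findings

if __name__ == "__main__":
    for client, labels in sorted(audit(SAMPLE).items()):
        print(client, sorted(labels))
```

The last two sample flows (HTTPS to an unlisted address and a UDP tunnel) are deliberately left unflagged: from the router they are indistinguishable from ordinary traffic, which is the gap a blocklist cannot close.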
 
