DNS setting

Use DNSFilter.
 
DNSFilter will prevent a device from using a DNS address that does not match the DNS specified by the router. I don't believe it will do anything for a VPN, such as one that is running on a PC or cell phone. If you wanted to block the VPN, that's another matter altogether.
 
How do I block anybody from bypassing my dns using merlin firmware even if they use a VPN?
The Cleanbrowsing family server prevents some VPNs and proxies.
A bypass-prevention list can be added to, for example, Diversion, and an IP block list to Skynet.
NextDNS also has options to prevent VPNs and other DNS options.
 
I installed NextDNS on my router and configured DNSFilter, but when I try to input a DNS on any device the router does not block it. Can you explain the way you do it that works?
 
Have you created an account at https://nextdns.io/ ?
On your account page, under parental control, you can enable

Block Bypass Methods

And make sure you see this when you log in on the account also:
Code:
●All good!
This device is using NextDNS with this configuration.

NextDNS can be used with the in-router DNS Privacy Protocol under WAN (DNS over TLS)
Server 1 Ip=45.90.28.0
TLS Hostname = found on your account page or under guides (router stubby)
Server 2 Ip=45.90.30.0
TLS Hostname = found on your account page or under guides (router stubby)
Also works with DNS-Filter
or
DNSCrypt-proxy v2 with DNS over HTTPS (server added as a static server; the SDNS address can be found on the NextDNS account page)
Also works with DNS-Filter
or
NextDNS's own installer with DNS over HTTPS
Don't think it works with the router's DNS-Filter (it will be ignored by the NextDNS installer). All devices on the network will use NextDNS, but it supports the use of several accounts.

NextDNS list of bypass blocks

Similar lists can be added to scripts like Diversion, or IP block lists to Skynet, and the user can use whatever DNS servers they like.
 
The only way to prevent someone from using a VPN to bypass things is to block that VPN provider itself - which will be problematic as most providers have hundreds of different servers available.
 
Same for DNS-over-HTTPS. Some filtering DNS services or block lists know the DoT servers, but it's not guaranteed.
 
Which one is better: install the NextDNS CLI on the router, or do the DNS settings that you just mentioned?
 
I would use the router's DNS over TLS or the dnscrypt installer, and NextDNS's own client only if I need to use several accounts.
It is important that you get it working first and that you see it is working the way you like.
I made a guide for the dnscrypt installer. Not sure it works exactly as written in that post any longer; the installer has been updated/evolved since then.
(Don't think the installer auto-detects the NextDNS server any longer; choose static and add the SDNS address from the NextDNS account page.)
It is easy to change and test the different clients; the install process and setup are pretty fast for them all once you have the account.
Hope this helps.
 
Thank you for your reply. I have another question: since I have NextDNS installed and doing the DNS job, does setting up DNSFilter for some devices on my network work, or could this conflict with the NextDNS client?
 
NextDNS's own installer with DNS over HTTPS
Don't think it works with the router's DNS-Filter (it will be ignored by the NextDNS installer). All devices on the network will use NextDNS, but it supports the use of several accounts.
I would use the in-router DNS over TLS or the DNSCrypt installer with NextDNS if DNS-Filter should be used for some devices.
 
You should be able to block most VPN connections by blocking all of this:
  • PPTP (Point-to-Point Tunneling Protocol) – This protocol uses port 1723 TCP.
  • L2TP (Layer Two Tunneling Protocol) – This protocol uses port 1701 TCP, port 500 UDP, and port 4500 UDP.
  • IPSec (Internet Protocol Security) – This protocol uses port 500 UDP and port 4500 UDP.
  • SSTP (Secure Socket Tunneling Protocol) – This protocol uses port 443 TCP.
  • OpenVPN – This protocol uses port 1194 TCP/UDP and port 443 TCP.
Morris
 
Ports used could be different, but I quoted the OpenVPN only as an example. What happens when you block 443?
Don't block HTTPS. Just block 1194/both. That should prevent setup.
 
That should prevent setup

1. NordVPN is a popular public VPN provider. If you set the connection to TCP, it uses port 443. How are you going to block it?
2. A friend runs a VPN server on port 1032 (as an example, could be different) and I can connect to it from your network, no problem.
 
Via IP or use a 4th generation firewall
 
With home routers you have to use your luck. If the user is savvy enough, he will go through.
 
What, you don't want to pay $60,000 to block them :-}
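
An added example, not part of any post in this thread: a shell audit of connection-tracking entries that shows which client flows port-based filtering can and cannot account for. It assumes DNSFilter enforces its setting by rewriting the destination of port-53 traffic (so an enforced query is answered by a different address than the one the client dialed), a 192.168.1.0/24 LAN, and input in /proc/net/nf_conntrack format; `sample_flows` and `classify_flows` are this example's own names and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: classify LAN client flows by how DNS/port filtering sees them.

# Constructed sample in /proc/net/nf_conntrack format. Addresses are placeholders,
# except 45.90.28.0 (the NextDNS address quoted in the thread, router-originated DoT).
sample_flows() {
cat <<'EOF'
ipv4     2 udp      17 25 src=192.168.1.23 dst=198.51.100.53 sport=40112 dport=53 src=192.168.1.1 dst=192.168.1.23 sport=53 dport=40112 mark=0 use=2
ipv4     2 udp      17 28 src=192.168.1.40 dst=198.51.100.53 sport=51000 dport=53 src=198.51.100.53 dst=203.0.113.7 sport=53 dport=51000 mark=0 use=2
ipv4     2 tcp      6 431990 ESTABLISHED src=192.168.1.23 dst=198.51.100.80 sport=51514 dport=853 src=198.51.100.80 dst=203.0.113.7 sport=853 dport=51514 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 431985 ESTABLISHED src=192.168.1.40 dst=198.51.100.90 sport=50222 dport=443 src=198.51.100.90 dst=203.0.113.7 sport=443 dport=50222 [ASSURED] mark=0 use=2
ipv4     2 udp      17 170 src=192.168.1.40 dst=198.51.100.99 sport=39001 dport=1194 src=198.51.100.99 dst=203.0.113.7 sport=1194 dport=39001 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 431970 ESTABLISHED src=203.0.113.7 dst=45.90.28.0 sport=44100 dport=853 src=45.90.28.0 dst=203.0.113.7 sport=853 dport=44100 [ASSURED] mark=0 use=2
EOF
}

# $1 = LAN prefix (e.g. "192.168.1."); conntrack lines on stdin.
# Prints: <client> <proto> <dialed dst>:<port> <verdict>
classify_flows() {
  awk -v lan="$1" '
  {
    proto = $3; n = 0
    # Each entry holds two tuples: [1] as the client sent it, [2] the reply direction.
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^src=/)   { n++; src[n] = substr($i, 5) }
      if ($i ~ /^dst=/)   { dst[n] = substr($i, 5) }
      if ($i ~ /^dport=/) { dport[n] = substr($i, 7) }
    }
    if (n < 2 || index(src[1], lan) != 1) next   # keep LAN clients only
    p = dport[1] + 0
    if (p == 53)
      # Reply comes from someone other than the dialed server => NAT rewrote it.
      v = (src[2] == dst[1]) ? "dns-direct" : "dns-redirected"
    else if (p == 853 && proto == "tcp") v = "dot"
    else if (p == 443) v = "port-443"   # HTTPS, DoH and TCP-443 VPNs look alike here
    else if (p == 1194 || (proto == "tcp" && p == 1723) ||
             (proto == "udp" && (p == 500 || p == 4500))) v = "vpn-port"
    else next
    print src[1], proto, dst[1] ":" p, v
  }'
}

sample_flows | classify_flows "192.168.1."
```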
 
