What's new

DNSFilter bypassed with Android (Pie) 9's Private DNS

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

K.Arthur73018325

New Around Here
Under Android 9, using the 'Private DNS provider hostname' option*, under Private DNS, allows the bypassing of the Asuswrt-Merlin DNSFilter (/DNSFilter.asp).

*:under Android 9: Settings > Network & internet > Advanced > Private DNS > Private DNS provider hostname.
 
Under Android 9, using the 'Private DNS provider hostname' option*, under Private DNS, allows the bypassing of the Asuswrt-Merlin DNSFilter (/DNSFilter.asp).

*:under Android 9: Settings > Network & internet > Advanced > Private DNS > Private DNS provider hostname.
That means it doesn't use port 53, in which case there's nothing DNSFilter can do.

Sent from my P027 using Tapatalk
 
See, that's why I think DoH is a completely stupid idea from a technical point of view. It messes up with network architectures by reusing an assigned port to handle a completely different protocol.

I hope that idea dies in a fire, and sanity will prevail as people will focus more on DoT instead.
 
See, that's why I think DoH is a completely stupid idea from a technical point of view. It messes up with network architectures by reusing an assigned port to handle a completely different protocol.

I hope that idea dies in a fire, and sanity will prevail as people will focus more on DoT instead.

Apparently in this day and age sanity is a tight commodity :(
 
I hope that idea dies in a fire, and sanity will prevail as people will focus more on DoT instead.
Well there's some good news. If I'd actually bothered to spend more than 30 seconds reading that article I linked to :oops: I would have realised that it's DoT only, not DoH.
Configuring 1.1.1.1
Android Pie only supports DNS over TLS.

So, given that DoT uses port 853 by default perhaps @RMerlin and @john9527 might contemplate whether this port should be included in the DNSFilter rules together with port 53? Similar to what I had to do with QoS here. Or would that not be possible because you're effectively tampering with the traffic?
 
Or would that not be possible because you're effectively tampering with the traffic?
Have to think about it some more....but first thought is that it wouldn't work since the client thinks it's talking to one server, but in reality talking to a different server. My thinking is that this would break both DNSSEC and TLS encryption.
 
Have to think about it some more....but first thought is that it wouldn't work since the client thinks it's talking to one server, but in reality talking to a different server. My thinking is that this would break both DNSSEC and TLS encryption.

DNSSEC wouldn't be an issue, but TLS would be - the remote server would be unable to negotiate the TLS connection initiated by the client

Best that could be done IMHO is to take all clients that have a DNSFilter policy, and explicitly block port 853 for these, to ensure they cannot bypass their enforced DNS.

Eventually, if some of the servers offered by DNSFilter support DoT, they could also be used to enforce port 853 traffic through the selected server.
 
Best that could be done IMHO is to take all clients that have a DNSFilter policy, and explicitly block port 853 for these, to ensure they cannot bypass their enforced DNS.
Yes I was thinking along the same lines. It looks like Android P's "Automatic" mode will fall back to traditional DNS. And the DoT RFC suggests this is a valid course of action.
 
Under Android 9, using the 'Private DNS provider hostname' option*, under Private DNS, allows the bypassing of the Asuswrt-Merlin DNSFilter (/DNSFilter.asp).

*:under Android 9: Settings > Network & internet > Advanced > Private DNS > Private DNS provider hostname.

Sounds similar to what Cloudflare is doing with IOS (iPhone/iPad) with their 1.1.1.1 App - it's treated as a VPN, and can do either DNS over HTTPS or DNS over TLS
 
See, that's why I think DoH is a completely stupid idea from a technical point of view. It messes up with network architectures by reusing an assigned port to handle a completely different protocol.

I hope that idea dies in a fire, and sanity will prevail as people will focus more on DoT instead.

I would agree - but things are what they are...

There are valid reasons for both and against DoH and DoT... and for DNSSEC - sad to see that DNSCRYPT is likely the one without a chair when the music stops...
 
From what I've read, these new DNS protocols allow an application to define and use its own DNS server to resolve host names to any IP that the application wants it to. This is NOT a good thing from a malware perspective. :( I'm not sure how deep into the packets that the Merlin firmware can look, but I use Watchguard UTM devices at my client locations. In their configuration, I have the HTTP and HTTPS proxies set to block any traffic that has the response content type defined as "application/dns-message", so that it blocks any DNS traffic sent using those protocols.
 
From what I've read, these new DNS protocols allow an application to define and use its own DNS server to resolve host names to any IP that the application wants it to.
That doesn't seem much different from "normal" DNS. Just about every Android device I've owned (i.e. smart TVs, media boxes, phones, etc.) is full of hard-coded calls to 8.8.8.8.
 
That doesn't seem much different from "normal" DNS. Just about every Android device I've owned (i.e. smart TVs, media boxes, phones, etc.) is full of hard-coded calls to 8.8.8.8.
The difference is that the new protocols allow an app to define a DNS server that doesn't even use the global DNS and can define any port that it wants to. It could point to a DNS server that defines snbforums.com (or perhaps your banking site) to any IP address that it wants to. Is that possible using standard DNS? I don't pretend to know that much about the underpinnings of DNS, but what I've read about DoH and DoT led me to block them, mostly because I have to make certain that my clients data is protected to HIPAA standards. I also block ALL standard DNS servers on their networks except a few that are trusted. All other port 53 traffic is blocked. Yes, paranoia reigns supreme. ;)
 
The difference is that the new protocols allow an app to define a DNS server that doesn't even use the global DNS and can define any port that it wants to. It could point to a DNS server that defines snbforums.com (or perhaps your banking site) to any IP address that it wants to. Is that possible using standard DNS?
Yes, of course it is. An application can be written to use any port or server it wants, for whatever purpose, be that DNS or something else (assuming such a server/port exists). The Netflix app typically does this for it's DNS lookups. But just because one application is written that way doesn't mean it's somehow magically forcing other applications to do the same thing.

I don't pretend to know that much about the underpinnings of DNS, but what I've read about DoH and DoT led me to block them, mostly because I have to make certain that my clients data is protected to HIPAA standards. I also block ALL standard DNS servers on their networks except a few that are trusted. All other port 53 traffic is blocked. Yes, paranoia reigns supreme. ;)
But yes, there's the rub. With "old" DNS it was easy for you (or anybody else) to "hack it" by intercepting the traffic and forcing it to go to a server of your (or their) choosing. The end user would be none the wiser. With DoH the DNS requests are indistinguishable from any other HTTPS traffic so you can't "hack it" any more.
 
If people are willing to circumvent the DNS server, they will do it, one way or another, and there is not much you could do about that. E.g. through running their own dnscrypt server somewhere, with a non-standard port.
 
Or the old fashioned way: use a hosts file. OpenDNS, if you log into it, will query IPs for all websites, blocked or not. So one learns what he/she has to add to the hosts file.
 
DoT standard port is 853, which is what I'm intercepting.

However DoH uses standard HTTPS port, making it impossible to intercept - one of the many reasons I consider DoH to be a stupid idea - makes proper network management/security impossible to achieve. Yes, it provides a very nice backdoor for malware to bypass security systems when accessing a C&C remote server.
 
Similar threads
Thread starter Title Forum Replies Date
D Solved Windows doesn't resolve Android device hostnames? Asuswrt-Merlin 11

Similar threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top