TechnitiumSoftware / DnsServer

Technitium DNS Server
https://technitium.com/dns/
GNU General Public License v3.0

DNS forwarders don't seem to be used, or something else? #955

Open fone opened 6 days ago

fone commented 6 days ago

I am using a SaaS server called DNS Filter. You configure your block policies on there, and use the addresses they provide as your forwarders.

For almost all devices on my network, going through Technitium to DNS Filter has the intended results, but... my FireTV is still permitting YouTube, which I block on DNS Filter.

I'm having a difficult time proving this, but it seems that if the response is not answered from DNS Filter, the FireTV keeps trying and Technitium queries for the answer elsewhere. What has led me to think this is that I manually configured the FireTV to go directly to DNS Filter, bypassing Technitium, and my block policies work. No YouTube.

Again... my computer devices work as expected. Am I perhaps missing a setting somewhere?

ShreyasZare commented 5 days ago

Thanks for the post. This will need you to debug manually to find the actual issue. For that, I would recommend that you use the DNS Client tool which is available in the DNS server's admin panel and make test queries for the blocked domain names and see what results you get. You can then change the Server field in the DNS Client to the forwarder's IP address, run the same query, and then compare both results to understand if anything different is being answered.

You can also check the DNS server's cache from the Cache section on the panel and browse the blocked domain name in there. It will show you the records that are stored in cache and also the name servers from where they were fetched. This too would help you understand from where the answers are coming.

Do these tests and post test query output or cache data here if you need help with understanding that. If you do not wish to share here then send it to support@technitium.com.
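The comparison described above can also be scripted. The following is an added example, not part of the Technitium project or the DNS Client tool: it builds a plain UDP DNS query with the Python standard library, parses the reply, and reports which answers differ between the local resolver and the forwarder. Server addresses are taken from the command line; the sample replies used in `demo()` are constructed for offline illustration (the `203.0.113.7` and `0.0.0.0` addresses are made up, not captured traffic).

```python
"""Compare what two resolvers answer for the same name (stdlib only, added example)."""
import random
import socket
import struct
from typing import List, Optional, Tuple


def _encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Standard recursive query (RD=1) for one name; qtype 1 = A, 28 = AAAA."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", qtype, 1)


def _read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it in the stream)."""
    labels, jumped, end, hops = [], False, off, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off, hops = True, ptr, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def parse_response(msg: bytes) -> dict:
    """Return txid, rcode and the answer section as (name, type, value) tuples."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            value = socket.inet_ntoa(rdata)
        elif rtype == 28 and rdlen == 16:
            value = socket.inet_ntop(socket.AF_INET6, rdata)
        elif rtype == 5:  # CNAME target may itself be compressed
            value, _ = _read_name(msg, off - rdlen)
        else:
            value = rdata.hex()
        answers.append((name, rtype, value))
    return {"txid": txid, "rcode": flags & 0x000F, "answers": answers}


def query(server: str, name: str, qtype: int = 1, timeout: float = 3.0) -> dict:
    """Send one query over UDP/53 and parse the reply, checking the transaction id."""
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    resp = parse_response(data)
    if resp["txid"] != struct.unpack("!H", q[:2])[0]:
        raise ValueError("transaction id mismatch")
    return resp


def compare(resp_a: dict, resp_b: dict) -> dict:
    """Diff the answer sets of two replies; a filtered name usually differs here."""
    a = {(t, v) for _, t, v in resp_a["answers"]}
    b = {(t, v) for _, t, v in resp_b["answers"]}
    return {"same_rcode": resp_a["rcode"] == resp_b["rcode"],
            "only_in_a": sorted(a - b), "only_in_b": sorted(b - a)}


def _constructed_response(txid: int, name: str, addrs: List[str]) -> bytes:
    """Constructed sample reply (not captured traffic) so the example runs offline."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    body = _encode_name(name) + struct.pack("!HH", 1, 1)
    for ip in addrs:  # answer name is a pointer back to the question name at offset 12
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + body


def demo() -> dict:
    """Offline run: an unfiltered A answer versus a constructed sinkhole answer."""
    plain = parse_response(_constructed_response(1, "example.com", ["203.0.113.7"]))
    filtered = parse_response(_constructed_response(1, "example.com", ["0.0.0.0"]))
    return compare(plain, filtered)


if __name__ == "__main__":
    import sys
    # usage: python compare_resolvers.py <local-resolver-ip> <forwarder-ip> <name>
    local, forwarder, name = sys.argv[1:4]
    print(compare(query(local, name), query(forwarder, name)))
```

Run it with the Technitium server's address, the DNS Filter forwarder address and a name you expect to be blocked; an empty `only_in_a` / `only_in_b` means both resolvers returned the same addresses, which points away from the server and toward the device using some other resolver.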

Hemsby commented 5 days ago

I also noticed on my FireTV devices that by default or coding they also add 8.8.8.8. From my router I block 8.8.8.8, 8.8.4.4 and the corresponding IPv6 records. Meaning the FireTV will now only use my Technitium DNS.

fone commented 5 days ago

> I also noticed on my FireTV devices that by default or coding they also add 8.8.8.8. From my router I block 8.8.8.8, 8.8.4.4 and the corresponding IPv6 records. Meaning the FireTV will now only use my Technitium DNS.

Thanks, this is likely what is happening. It's sorta tough to say with the limited view, but how I resolved it was manually setting up the Wi-Fi connection on the FireTV, much like you would if you had a hidden network, then manually specifying the DNS servers (on my TV there is no option to only update DNS). While doing this, the default settings recommended Google. It's quite possible the FireTV uses Google DNS as a secondary set of addresses.

When looking at logs for this device in Technitium, everything did come back blocked. Beyond assumptions, the only other thing to do would be Wireshark, but it's working now and I don't care that much lol.

In short, it looks like this is more of a FireTV thing.

ShreyasZare commented 5 days ago

It seems that FireTV is using Google DNS as secondary even when you manually configure your local DNS server IP addresses. So, sometimes it will block and sometimes it won't, depending on which DNS it tries first.

It would be good to block Google DNS IP addresses at router like @Hemsby mentioned.