nextdns / nextdns

NextDNS CLI client (DoH Proxy)
https://nextdns.io
MIT License

Prevent users on the network from using another configuration #412

Closed Gustavo-FS closed 1 year ago

Gustavo-FS commented 3 years ago

Hello,

I have the following scenario and would like help.

We use NextDNS in a school solution as a way to guarantee parental control on OpenWrt routers; however, we have identified a security problem in which users running the NextDNS client on a Wi-Fi network are able to use customized settings and thus circumvent the security rules.

Is there a way to force a subnet to use a custom configuration and block other rules?

We currently work with the following rules:

192.168.1.1/24 - Staff (Config 1)
192.168.2.1/24 - Laboratory (Config 2)
192.168.3.1/24 - Students (Config 3)

The configuration works well, but some students using their cell phones run the custom NextDNS client and are able to bypass the security rules.

What should we do?

no-usernames-left commented 3 years ago

some students using their cell phones use the custom NextDNS client and are able to bypass the security rules

Couldn't they just switch off Wi-Fi on their phones and achieve the same result without recourse on your part?

ChrisColotti commented 3 years ago

Unless you are controlling their phones, they can bypass NextDNS by turning off Wi-Fi and using an LTE connection. The only way to force NextDNS on all connections is to install the app on the phones, which, since you don't own them, isn't going to happen.

That being said, the way around the router/Wi-Fi changes is to simply write a firewall rule to BLOCK all UDP/53 requests to ALL and then another one to only ALLOW UDP/53 to the NextDNS servers in your configuration. Then anything on Wi-Fi that changes the settings locally to 8.8.8.8 or anything else will still be blocked by a simple firewall rule at the gateway. I do not see this as a NextDNS feature/issue at all, as it is easily solved by proper outbound FW rules.

BrianG61UK commented 2 years ago

The "invention" of DoH has made blocking using DNS, in a way that can't be worked around by your users, very difficult.

DoH was designed to let users resolve any DNS query they want, while not allowing anybody to see, modify or filter them. It does this well, which may be great for users, but it's absolutely terrible for sysadmins trying to force their users to behave themselves.

You need to block (or redirect) all outgoing traffic that was aimed at port 53 (normal DNS), port 784 (DoQ), port 853 (DoT) and, here's the hardest part, port 443 (https and DoH) but, in the case of port 443, block only when aimed at the IP address of any known DoH resolver.

You can do it only as well as your list of known DoH resolvers can keep up with all the DoH resolvers known to your users.

Here are some lists to get you started: https://github.com/dibdot/DoH-IP-blocklists
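One way to express the two rule sets above (the port 53 allow-list from ChrisColotti's comment and the 784/853/443 additions from BrianG61UK's) as an nftables ruleset, written as an added example that is not part of this thread or of the NextDNS project. The LAN interface name, the approved resolver addresses and the blocklist file are placeholders; the blocklist is assumed to hold one IPv4 address or CIDR per line with `#` comments, which is how the linked lists are consumed here.

```shell
#!/bin/sh
# Added example (not from the thread or the NextDNS project). Emits an nftables
# ruleset that enforces the egress policy discussed above for one LAN interface:
# DNS/DoT/DoQ only to approved resolvers, and port 443 dropped only for known
# DoH resolver addresses. Interface name, resolver IPs and the blocklist file
# are assumptions/placeholders, not values from the thread.

# usage: gen_dns_egress_rules LAN_IFNAME "RESOLVER_IP ..." DOH_BLOCKLIST_FILE
gen_dns_egress_rules() {
    lan_if=$1
    allowed=$2      # space-separated IPv4 addresses of the permitted resolvers
    doh_list=$3     # one IPv4 address or CIDR per line, '#' comments allowed

    # Normalise both lists into nft set element syntax: "a,b,c".
    allowed_elems=$(printf '%s\n' $allowed | paste -sd, -)
    doh_elems=$(sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$doh_list" |
        paste -sd, -)

    cat <<EOF
table inet dns_egress {
    set allowed_resolvers { type ipv4_addr; elements = { $allowed_elems } }
    set doh_resolvers { type ipv4_addr; flags interval; elements = { $doh_elems } }
    chain forward {
        type filter hook forward priority 0; policy accept;
        # Plain DNS (53), DoQ (784) and DoT (853): permit only to the approved resolvers.
        iifname "$lan_if" ip daddr @allowed_resolvers udp dport { 53, 784, 853 } accept
        iifname "$lan_if" ip daddr @allowed_resolvers tcp dport { 53, 853 } accept
        iifname "$lan_if" udp dport { 53, 784, 853 } log prefix "dns-bypass " drop
        iifname "$lan_if" tcp dport { 53, 853 } log prefix "dns-bypass " drop
        # DoH shares 443 with ordinary HTTPS, so drop only traffic to known DoH resolvers.
        iifname "$lan_if" ip daddr @doh_resolvers tcp dport 443 log prefix "doh-bypass " drop
        iifname "$lan_if" ip daddr @doh_resolvers udp dport 443 log prefix "doh-bypass " drop
    }
}
EOF
}

# Constructed demo input (documentation-range addresses, not real resolvers).
demo_list=$(mktemp)
printf '203.0.113.10 # constructed DoH resolver\n\n198.51.100.0/24\n' > "$demo_list"
gen_dns_egress_rules br-lan "192.0.2.53 192.0.2.54" "$demo_list"   # pipe into: nft -f -
rm -f "$demo_list"
```

Run the function once per LAN interface (staff, laboratory, students) with that subnet's approved resolvers; the `log prefix` entries give you a record of which clients tried to bypass the policy.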