ragibkl / adblock-dns-server

Adblock DNS Server powered by Bancuh DNS and dnsdist-acme
https://bancuh.com/
MIT License

request to add list #79

Closed Tomatoide closed 3 years ago

Tomatoide commented 3 years ago

https://raw.githubusercontent.com/nextdns/metadata/master/parentalcontrol/bypass-methods (also please add yogavpn.com)

https://raw.githubusercontent.com/GeorgeForse/VPN-List/master/list.txt

https://raw.githubusercontent.com/nextdns/cname-cloaking-blocklist/master/domains

ragibkl commented 3 years ago

Hi @Tomatoide ,

Can I know a bit more about these lists? What do they do?

Tomatoide commented 3 years ago

Sure. The first two block bypassing methods of DNS (proxies, VPNs); the third one blocks advanced trackers that use CNAME cloaking to bypass adblock tools.

ragibkl commented 3 years ago

Hi @Tomatoide ,

Sorry for the late reply. Here is my opinion on this matter. I've put a lot of thought into this.

I don't like to block the bypassing methods, such as proxies and VPNs:

  1. I believe that there are legitimate use cases for VPNs and proxies. While our DNS servers exist to help users block certain types of content, I think we should not block legitimate use cases.
  2. I believe the user should be given the choice of opting in/out of DNS adblock. While I do recommend making it the default for your home router, I believe it is only a matter of convenience, rather than enforcement. Users should be free to change their laptop/phone DNS settings. There are tools available for that purpose.
  3. I believe it is not practical to block users from using alternative DNS or VPNs. We can probably block outgoing port 53 on the router to prevent usage of alternative DNS servers. However, there are new protocols such as DoH, which uses standard port 443. There are ways that users can use an alternative DNS, such as local VPN DNS overrides (DNS66 app etc.). Even if we block the VPN sites, there are ways around it.
  4. I believe that the Adblock DNS should only censor the Internet as a matter of education and convenience. We can prevent a lot of mishaps. For example, some innocent-looking web search terms by a 7-year-old can turn up some surprising NSFW content. The Adblock DNS prevents those mishaps by nudging the 7-year-old away. So we don't let NSFW content block our kids' use of the internet.
  5. I believe that if a user is old enough to figure out how to use VPNs and DNS overrides to our Adblock DNS setup, they are probably old enough to self-regulate for the NSFW content within reason.

With that being said, I think we should not proceed with the VPN lists. I'm open to discussion on this matter, so feel free to provide counter-arguments. Perhaps I am wrong on this subject and someone can correct me as well.

For now, I'll apply the CNAME cloaking list.

ragibkl commented 3 years ago

Hi @Tomatoide

I've applied the following:

Tomatoide commented 3 years ago

Hi @ragibkl and thanks again for your valuable work,

I read your comment, and I mean, you are not wrong: blocking VPNs is not a simple task at all, and by using a blocklist you are not completely or reliably blocking VPNs. But as you said, it's a barebones measure to prevent innocent kids from discovering these loopholes in the first place; it's really the whole point of DNS parental control at the end of the day. Say 50% see that a random VPN they downloaded didn't work and they give up; that's a win in my book. Again, I know a DNS-based blocklist is not enough and can be easily bypassed, but something is better than nothing in my opinion. It's not an all-or-none approach in this case.

ragibkl commented 3 years ago

Hi @Tomatoide ,

Sure, let's try this for now. I'll make the changes in a few hours.

ragibkl commented 3 years ago

Added at https://github.com/ragibkl/adblock-dns-server/commit/0a31ec69dc203995763f725d72738f4007d98375

Unfortunately, https://raw.githubusercontent.com/nextdns/metadata/master/parentalcontrol/bypass-methods may not work as well. The file has the following:

# Blocked domains (and their subdomains) when enabling Parental Control -> Block Bypass Methods.
# Encrypted DNS

The way I'm parsing it right now, it will only blacklist an exact match. I don't support auto subdomain blocking just yet.

But, it should work for now at least.

Tomatoide commented 3 years ago

Auto blocking subdomains could create a lot of false positives I think (except maybe www because it can bypass filtering), so this should be good for now, thank you very much 👍
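The difference between exact matching and subdomain matching discussed in the last two comments, as an added example that is not part of the thread or the project's own parser. The list contents, domain names and function names are constructed for illustration; the third policy is the "www only" middle ground mentioned in the final comment.

```python
# Added example: constructed list and names, not the project's code.
SAMPLE_LIST = """\
# Blocked domains (and their subdomains), constructed sample
# Encrypted DNS
doh.resolver.example
vpn-provider.example   # inline comment is ignored

"""


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")


def parse_domain_list(text):
    """Parse a one-domain-per-line list, skipping '#' comments and blank lines."""
    domains = set()
    for line in text.splitlines():
        entry = normalize(line.split("#", 1)[0])
        if entry:
            domains.add(entry)
    return domains


def blocked_exact(qname, blocklist):
    """Exact-match policy: only the listed name itself is blocked."""
    return normalize(qname) in blocklist


def blocked_exact_or_www(qname, blocklist):
    """Exact match, plus the 'www.' form of a listed name."""
    name = normalize(qname)
    return name in blocklist or (name.startswith("www.") and name[4:] in blocklist)


def blocked_with_subdomains(qname, blocklist):
    """Suffix policy: the listed name and everything beneath it.

    Comparison is done on whole labels, so 'notvpn-provider.example'
    does not match 'vpn-provider.example'.
    """
    labels = normalize(qname).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


if __name__ == "__main__":
    bl = parse_domain_list(SAMPLE_LIST)
    for q in ("vpn-provider.example", "www.vpn-provider.example",
              "api.vpn-provider.example", "notvpn-provider.example"):
        print(q, blocked_exact(q, bl), blocked_exact_or_www(q, bl),
              blocked_with_subdomains(q, bl))
```
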