DNS Filtering Best Practices with DOH now


    December 4, 2019 at 2:50 pm

    I’m using OpenDNS now and I want to switch to CleanBrowsing. I think this looks like a better option. So…I get the general setup. I will get the monthly $5 subscription to get a specific IP address for CleanBrowsing DNS servers to put on my router so when I hand out DHCP addresses to any devices on my local network they will go through the CleanBrowsing DNS servers. I also have a separate rule on my router that drops all other DNS traffic going through port 53, so if you’re NOT using the DNS servers that I prescribe then your internet doesn’t work. This forces all devices to be filtered as I choose. But…trying to get my head wrapped around DNS over HTTPS (DOH).

    How can I now enforce a user who gets on my wifi and has DOH enabled in Firefox? I can’t see the DNS traffic in DOH – it’s encrypted. Won’t this bypass all of my filtering? Even on the machines in my LAN/wifi – can’t a user just change the Firefox options to use DOH/Cloudflare? Wouldn’t that then circumvent all the DNS filtering again? I see that I can block proxies and a lot of the DOH providers are put in that category and then I can block it that way, but wouldn’t that ONLY work if you’ve got CleanBrowsing set up as your DOH provider? If my users change that provider (or don’t set the DOH provider to CleanBrowsing at all) haven’t they completely circumvented my content filtering? Am I missing something? Is there a way to enforce using the CleanBrowsing DNS at the router??? I realize everyone’s router is different, but if I can’t see the traffic I can’t set up a specific rule to enforce it.

    I run the firewall where I work, and I do block DOH and DNS over TLS using Application Control, but that’s not cheap. I have to purchase a subscription for my firewall to do it. This still may be the best option, and good old-fashioned eyeballs to monitor my kids, but my kids are teenagers and it would be helpful if anyone had a way I could make this work and enforce CleanBrowsing DOH. At this point I only have a Mac and a Chromebook so Firefox isn’t a problem really, but eventually, everybody will be doing this. Google Chrome and Windows are already jumping on board. We have to figure something out for the parents.

    January 1, 2020 at 10:02 pm

    I certainly share your grief. So long as you are blocking the “Proxy & VPN” category, you should be able to stop most of the DoH providers that I contributed in a separate post.

    DNS-over-HTTPS (DoH) providers not classified as "Proxy & VPN" or similar

    My understanding of how Firefox’s implementation of DoH works:

    1. FF looks at the DoH URL specified by the end user
    2. If the URL contains a domain name (Ex. mozilla.cloudflare-dns.com), and the setting “network.trr.mode”=2, FF sends a DNS query over port 53 to either:
       • The DNS forwarder IP handed out by DHCP
       • The DNS forwarder IP statically assigned by the user in the network settings on their device
    3. If the URL contains a domain name (Ex. mozilla.cloudflare-dns.com), and the setting “network.trr.mode”=3, FF grabs the IP from the setting “network.trr.bootstrapAddress” (effectively, a permanent cache)
    4. Firefox connects to the DoH server over HTTPS and verifies that the server’s HTTPS certificate is valid for the domain OR IP that was specified
    5. All subsequent DNS queries are forwarded to the DoH server privately over port 443 (HTTPS)

    By blocking outbound traffic to port 53 (DNS), you should be able to stop Firefox from getting the IP of the DoH server if it doesn’t already have it. That last part presents the most problems:

    • Some DoH providers have already gone about creating HTTPS certificates that allow you to access the service via their IP addresses without any certificate errors. A great example of this is Cloudflare. Unless you configure your firewall to block all traffic to, users will be able to specify this IP in their Firefox settings. Quad9 is another one. I haven’t seen any others just yet, but it is just a matter of time.
    • Firefox seems to cache the response back in step 2 above. This means that a mobile device could move to a network without CleanBrowsing enforced, cache the IP of the DoH provider in FF, and after the device moves back to your network, FF may be able to use the cached IP to send DoH queries without issue (bypassing the filter). I haven’t tested this, but it might work if FF expires the cache per the record’s TTL and the TTL happens to be rather lengthy.
    • The “network.trr.bootstrapAddress” setting allows end users to bypass the need to send any un-encrypted DNS traffic and effectively bypass all DNS filtering provided by CleanBrowsing.

    The only effective means to block DoH without sacrificing privacy seems to be IP blacklisting. HTTPS filtering can help, but it will reduce user privacy and is hard to pull off in a home environment. Sadly, the CleanBrowsing app doesn’t have any IP blacklist capability to deal with this issue, so mobile users will get past the DNS filter unless you create your own VPN and “tether” them to your firewall using MDM policies.

    Some other ports you may want to block are 853 (DNS over TLS), 5053 (DNS over HTTPS Alternate used by CloudFlare), and 784 (DNS over QUIC).
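    The router-side enforcement described across the two posts above (hand out the filtered resolver via DHCP, allow port 53 only to that resolver, drop the encrypted-DNS ports 853/5053/784, and blocklist the IPs of DoH servers that present valid certificates for bare-IP access) can be expressed as a small generator script for a Linux-based router such as FreshTomato or DD-WRT, which run dnsmasq and iptables. This is an added example, not code from the thread or from CleanBrowsing; it prints the rules rather than applying them so they can be reviewed first. RESOLVER_IP, LAN_IF and DOH_IP_BLOCKLIST are placeholders (RFC 5737 documentation addresses and a generic bridge interface name), not the real resolver or provider addresses, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: generate iptables/dnsmasq lines that enforce a single
# filtered resolver for LAN clients. Nothing is applied; pipe the output
# to `sh` on the router once it has been reviewed.

# Placeholders (assumptions, not real addresses): the dedicated
# CleanBrowsing resolver IP from the subscription, the LAN bridge, and the
# IPs of DoH servers that serve valid certificates for direct-IP access.
RESOLVER_IP="${RESOLVER_IP:-192.0.2.53}"
LAN_IF="${LAN_IF:-br0}"
DOH_IP_BLOCKLIST="${DOH_IP_BLOCKLIST:-203.0.113.1 203.0.113.2}"

# Ports named in the thread: 853 DNS over TLS, 5053 DoH alternate, 784 DNS over QUIC.
ENCRYPTED_DNS_PORTS="853 5053 784"

# dnsmasq DHCP option so every lease points clients at the filtered resolver.
dnsmasq_dhcp_dns_option() {
    echo "dhcp-option=option:dns-server,$1"
}

# Forwarding rules, in the order they must be loaded:
#   1. plain DNS (udp/tcp 53) is accepted only when destined for the resolver
#   2. any other plain DNS from the LAN is dropped
#   3. the well-known encrypted-DNS ports are dropped
#   4. DoH over 443 cannot be told apart from ordinary HTTPS, so the only
#      router-side lever left is dropping traffic to known DoH server IPs
dns_enforcement_rules() {
    resolver="$1"; lan_if="$2"; blocklist="$3"
    for proto in udp tcp; do
        echo "iptables -A FORWARD -i $lan_if -p $proto --dport 53 -d $resolver -j ACCEPT"
    done
    for proto in udp tcp; do
        echo "iptables -A FORWARD -i $lan_if -p $proto --dport 53 -j DROP"
    done
    for port in $ENCRYPTED_DNS_PORTS; do
        for proto in udp tcp; do
            echo "iptables -A FORWARD -i $lan_if -p $proto --dport $port -j DROP"
        done
    done
    for ip in $blocklist; do
        echo "iptables -A FORWARD -i $lan_if -d $ip -j DROP"
    done
}

# Alternative to dropping: transparently rewrite plain DNS from clients with a
# hard-coded resolver so it lands on the filtered one instead (NAT happens
# before FORWARD, so these can be combined with the rules above).
dns_redirect_rules() {
    resolver="$1"; lan_if="$2"
    for proto in udp tcp; do
        echo "iptables -t nat -A PREROUTING -i $lan_if -p $proto --dport 53 -j DNAT --to-destination $resolver:53"
    done
}

dnsmasq_dhcp_dns_option "$RESOLVER_IP"
dns_redirect_rules "$RESOLVER_IP" "$LAN_IF"
dns_enforcement_rules "$RESOLVER_IP" "$LAN_IF" "$DOH_IP_BLOCKLIST"
```

    The rule order matters: the two ACCEPT lines for the resolver must be loaded before the port-53 DROP lines. The IP blocklist is the weak point the second post identifies: it has to be maintained by hand as providers add bare-IP certificates, and it does nothing for a device that cached the DoH server's address on another network or that has network.trr.bootstrapAddress set, since that traffic is plain HTTPS on 443.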

    March 18, 2020 at 7:11 pm

    jhillini34, b32fc45f9641

    I would love a comprehensive list of DNS filtering best practices. Things like forcing client devices to use the router DNS, having separate DNS for parent and child devices, etc. How to use DNSMasq or IPTables effectively. The documentation is scattered out all across the internet and often incorrect or out of date. I used to use DD-WRT, but since my firmware is no longer maintained (kong), I am using Fresh Tomato now and still getting up to speed with it.

    • This reply was modified 3 years, 8 months ago by KingHolly.