KingHolly

Your Replies

    January 28, 2021 at 5:58 am

    Hello, I searched the Play Store and I did not find the app. Has it been released yet? Or was it removed from the Play Store for any reason? Thanks.

    December 29, 2020 at 11:51 pm

    @aleppo
    My reply seemed to not go through. It is possible it will still go through eventually, so apologies for any double posts.

    Here is a tip for Android users out there. It is a much more robust solution and not too difficult to set up. The approach is to go the route of device policy management. In this instance you do not need any enterprise hosted solutions, but only the Test DPC app (https://github.com/googlesamples/android-testdpc). It can be downloaded from the Play Store. It is basically an app provided by Google to help developers see how their apps work in the context of a restricted device. It is also an app to showcase the latest in Android Enterprise management.

    Steps Summary:

    1. Install and provision Test DPC as a device owner. This will give you more control over restrictions. If you do not want to wipe your device before provisioning, you can use adb to programmatically set Test DPC as device owner. See the GitHub link above for instructions.
    2. Set profile settings within Test DPC app as desired
    3. Lock usage of Test DPC app through a robust app locker. This step ensures your settings made within Test DPC cannot be changed. The app locker needs to prevent the user from removing it as an admin app after that access has been granted. Truple Web Filter for example prevents this change once the filter has been enabled.

    As you can see from the list of some of the useful settings below, this approach is more akin to hardening than a simple app locker app that likely has many workarounds. Big tech companies obviously are addressing parental controls as an afterthought, but where they are focusing their efforts is on enterprise. That is where the money is. Fortunately for us, many of the features developed for enterprise are exactly what a parent or individual is looking for in order to harden their devices against unwanted content and workarounds. Now the trick is for us consumers to voice our desire to have some of these features packaged in a more consumer friendly format. We may never see that request fulfilled, but tech savvy individuals can make do with using enterprise technologies in a consumer/home environment.

    An additional approach, well beyond the scope of the Test DPC app and for those who are SUPER tech savvy, would be to fork your own version of the Android Open Source Project (AOSP). Many of the enterprise configurations can be baked directly into the operating system through the use of configuration files. This would provide consumers a potentially simpler way to get devices that are hardened out of the box against undesired content as well as prevent circumvention of restrictions which come in a variety of ways unknown to most parents and individuals. Just some musings and tips here!

    Here is a list of some useful settings to use in the Test DPC app (not their exact names):

    • Block UNinstallation of select apps
    • block INstallation of any app
    • block INstallation of third party apps and APKs
    • enforce private DNS settings (CleanBrowsing)
    • block System WebView if you want to use a restricted browser without workarounds (installing a new WebView is possible, but technically challenging)
    • block VPN usage
    • disable ADB debugging and developer settings
    • prevent factory resetting of device
    • block app stores (not necessarily needed if you already block installation of apps)
    • prevent multi user support and new user creation
    • disallow safe mode
    • suspend or hide certain apps you want to keep on the device but only use temporarily when unlocking restrictions through Test DPC.

    December 29, 2020 at 11:50 pm

    @safe_browsing_questions
    Yes, it will work over both WiFi and cell.

    Below is a comment I made on another post that summarizes ways to enforce this setting in case that is one of your use cases:

    Regarding enforcing DNS on Android, this is likely overkill on your question, but I typed it out elsewhere and figured it would be useful here.

    Here is a tip for Android users out there. It is a much more robust solution and not too difficult to set up. The approach is to go the route of device policy management. In this instance you do not need any enterprise hosted solutions, but only the Test DPC app (https://github.com/googlesamples/android-testdpc). It can be downloaded from the Play Store. It is basically an app provided by Google to help developers see how their apps work in the context of a restricted device. It is also an app to showcase the latest in Android Enterprise management.

    Steps Summary:

    1. Install and provision Test DPC as a device owner. This will give you more control over restrictions. If you do not want to wipe your device before provisioning, you can use adb to programmatically set Test DPC as device owner. See the GitHub link above for instructions.
    2. Set profile settings within Test DPC app as desired
    3. Lock usage of Test DPC app through a robust app locker. This step ensures your settings made within Test DPC cannot be changed. The app locker needs to prevent the user from removing it as an admin app after that access has been granted. Truple Web Filter for example prevents this change once the filter has been enabled.

    As you can see from the list of some of the useful settings below, this approach is more akin to hardening than a simple app locker app that likely has many workarounds. Big tech companies obviously are addressing parental controls as an afterthought, but where they are focusing their efforts is on enterprise. That is where the money is. Fortunately for us, many of the features developed for enterprise are exactly what a parent or individual is looking for in order to harden their devices against unwanted content and workarounds. Now the trick is for us consumers to voice our desire to have some of these features packaged in a more consumer friendly format. We may never see that request fulfilled, but tech savvy individuals can make do with using enterprise technologies in a consumer/home environment.

    An additional approach, well beyond the scope of the Test DPC app and for those who are SUPER tech savvy, would be to fork your own version of the Android Open Source Project (AOSP). Many of the enterprise configurations can be baked directly into the operating system through the use of configuration files. This would provide consumers a potentially simpler way to get devices that are hardened out of the box against undesired content as well as prevent circumvention of restrictions which come in a variety of ways unknown to most parents and individuals. Just some musings and tips here!

    Here is a list of some useful settings to use in the Test DPC app (not their exact names):

    • Block UNinstallation of select apps
    • block INstallation of any app
    • block INstallation of third party apps and APKs
    • enforce private DNS settings (CleanBrowsing)
    • block System WebView if you want to use a restricted browser without workarounds (installing a new WebView is possible, but technically challenging)
    • block VPN usage
    • disable ADB debugging and developer settings
    • prevent factory resetting of device
    • block app stores (not necessarily needed if you already block installation of apps)
    • prevent multi user support and new user creation
    • disallow safe mode
    • suspend or hide certain apps you want to keep on the device but only use temporarily when unlocking restrictions through Test DPC.

    December 29, 2020 at 11:41 pm

    @gibsontroy1997
    You can also see my reply on a forum post on this topic. The topic of the post is iOS, but someone asked me about Android and I responded here: https://community.cleanbrowsing.org/topic/locking-down-ios-to-prevent-dns-changes/page/2/#post-6030

    December 29, 2020 at 11:39 pm

    @hamoars
    Regarding enforcing DNS on Android, this is likely overkill on your question, but I typed it out elsewhere and figured it would be useful here.

    Here is a tip for Android users out there. It is a much more robust solution and not too difficult to set up. The approach is to go the route of device policy management. In this instance you do not need any enterprise hosted solutions, but only the Test DPC app (https://github.com/googlesamples/android-testdpc). It can be downloaded from the Play Store. It is basically an app provided by Google to help developers see how their apps work in the context of a restricted device. It is also an app to showcase the latest in Android Enterprise management.

    Steps Summary:

    1. Install and provision Test DPC as a device owner. This will give you more control over restrictions. If you do not want to wipe your device before provisioning, you can use adb to programmatically set Test DPC as device owner. See the GitHub link above for instructions.
    2. Set profile settings within Test DPC app as desired
    3. Lock usage of Test DPC app through a robust app locker. This step ensures your settings made within Test DPC cannot be changed. The app locker needs to prevent the user from removing it as an admin app after that access has been granted. Truple Web Filter for example prevents this change once the filter has been enabled.

    As you can see from the list of some of the useful settings below, this approach is more akin to hardening than a simple app locker app that likely has many workarounds. Big tech companies obviously are addressing parental controls as an afterthought, but where they are focusing their efforts is on enterprise. That is where the money is. Fortunately for us, many of the features developed for enterprise are exactly what a parent or individual is looking for in order to harden their devices against unwanted content and workarounds. Now the trick is for us consumers to voice our desire to have some of these features packaged in a more consumer friendly format. We may never see that request fulfilled, but tech savvy individuals can make do with using enterprise technologies in a consumer/home environment.

    An additional approach, well beyond the scope of the Test DPC app and for those who are SUPER tech savvy, would be to fork your own version of the Android Open Source Project (AOSP). Many of the enterprise configurations can be baked directly into the operating system through the use of configuration files. This would provide consumers a potentially simpler way to get devices that are hardened out of the box against undesired content as well as prevent circumvention of restrictions which come in a variety of ways unknown to most parents and individuals. Just some musings and tips here!

    Here is a list of some useful settings to use in the Test DPC app (not their exact names):

    • Block UNinstallation of select apps
    • block INstallation of any app
    • block INstallation of third party apps and APKs
    • enforce private DNS settings (CleanBrowsing)
    • block System WebView if you want to use a restricted browser without workarounds (installing a new WebView is possible, but technically challenging)
    • block VPN usage
    • disable ADB debugging and developer settings
    • prevent factory resetting of device
    • block app stores (not necessarily needed if you already block installation of apps)
    • prevent multi user support and new user creation
    • disallow safe mode
    • suspend or hide certain apps you want to keep on the device but only use temporarily when unlocking restrictions through Test DPC.
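    The settings listed above, as an added example that is not code from this post or from the Test DPC project: a small Java device-owner helper that applies each of them through Android's public DevicePolicyManager API, so the "not their exact names" list can be matched to the real restriction keys. The HardeningPolicy class, its AdminReceiver, and the org.example package names are assumptions for illustration; the UserManager.DISALLOW_* keys and the DevicePolicyManager methods are the real Android APIs, and every call here succeeds only when the app has been provisioned as device owner, which is what step 1 gives Test DPC.

```java
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.Build;
import android.os.UserManager;

/** Hypothetical device-owner helper that mirrors the post's Test DPC settings. */
public final class HardeningPolicy {

    /** Identifies this app as the admin component (hypothetical receiver). */
    public static class AdminReceiver extends DeviceAdminReceiver {}

    // Hypothetical package names, used only to show the per-package calls.
    private static final String RESTRICTED_BROWSER_PKG = "org.example.restrictedbrowser";
    private static final String[] TEMP_USE_APPS = {"org.example.toolbox"};
    // Real package name of the Android System WebView provider.
    private static final String SYSTEM_WEBVIEW_PKG = "com.google.android.webview";

    private final DevicePolicyManager dpm;
    private final ComponentName admin;

    public HardeningPolicy(Context ctx) {
        dpm = (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        admin = new ComponentName(ctx, AdminReceiver.class);
    }

    /**
     * Applies the post's restriction list. privateDnsHost is the DNS-over-TLS
     * hostname to pin (placeholder parameter; the post names CleanBrowsing but
     * gives no hostname). Call off the main thread: private DNS is validated
     * over the network before it is accepted.
     */
    public void apply(String privateDnsHost) {
        if (!dpm.isDeviceOwnerApp(admin.getPackageName())) {
            throw new IllegalStateException("provision this app as device owner first (step 1)");
        }
        // "block INstallation of any app" and "... of third party apps and APKs"
        dpm.addUserRestriction(admin, UserManager.DISALLOW_INSTALL_APPS);
        dpm.addUserRestriction(admin, UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES);
        // "block VPN usage"
        dpm.addUserRestriction(admin, UserManager.DISALLOW_CONFIG_VPN);
        // "disable ADB debugging and developer settings"
        dpm.addUserRestriction(admin, UserManager.DISALLOW_DEBUGGING_FEATURES);
        // "prevent factory resetting of device"
        dpm.addUserRestriction(admin, UserManager.DISALLOW_FACTORY_RESET);
        // "prevent multi user support and new user creation"
        dpm.addUserRestriction(admin, UserManager.DISALLOW_ADD_USER);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            dpm.addUserRestriction(admin, UserManager.DISALLOW_USER_SWITCH);
        }
        // "disallow safe mode"
        dpm.addUserRestriction(admin, UserManager.DISALLOW_SAFE_BOOT);
        // "Block UNinstallation of select apps": blanket key plus a per-package pin
        dpm.addUserRestriction(admin, UserManager.DISALLOW_UNINSTALL_APPS);
        dpm.setUninstallBlocked(admin, RESTRICTED_BROWSER_PKG, true);
        // "block System WebView": hiding the package disables it for this user;
        // any app that embeds a WebView will stop rendering web content.
        dpm.setApplicationHidden(admin, SYSTEM_WEBVIEW_PKG, true);
        // "suspend or hide certain apps ... only use temporarily"; flip the flag
        // to false from the admin app when they are needed.
        dpm.setPackagesSuspended(admin, TEMP_USE_APPS, true);
        // "enforce private DNS settings" (device-wide, API 29 and later)
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
            int rc = dpm.setGlobalPrivateDnsModeSpecifiedHost(admin, privateDnsHost);
            if (rc != DevicePolicyManager.PRIVATE_DNS_SET_NO_ERROR) {
                throw new IllegalStateException("private DNS host not accepted, code " + rc);
            }
        }
    }
}
```

    Two points worth checking on a real device: the private DNS call fails (with PRIVATE_DNS_SET_ERROR_HOST_NOT_SERVING) if the host is unreachable at the moment it is set, so apply it while the device has connectivity; and all of these restrictions are only as strong as the device-owner app itself, which is why step 3 locks access to Test DPC.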

    December 29, 2020 at 11:26 pm

    @anaknipedro3
    I am guessing you were meaning to link to https://cleanbrowsing.org/articles/stop-dns-change-on-network A useful article for sure.

    December 29, 2020 at 11:24 pm

    @hamoars
    You should be able to see a way to add a VPN configuration within Apple Configurator 2. The trick is creating the VPN in Digital Ocean or something like that and then figuring out what the correct values are that you need to enter into the .mobileconfig file. I had to create the file within Apple Configurator 2 and then edit the file manually within a text editor if I am not mistaken. You can see a sample of my code below. I tried to remove any passwords or unique identifiers within it. This VPN is no longer active however, so there is nothing to connect to. Note that you will need to add the configuration for both the cellular and WiFi connections. You will also need to make sure you have added your certificates to the profile. This might have been the manual copy and paste step that I had to do. Even having the right encryption methods selected is important. This is super finicky, and even once I had it connected right, I would have intermittent connection issues and problems with the Apple Watch. I hope this helps!

    
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
    	<key>ConsentText</key>
    	<dict>
    		<key>default</key>
    		<string>Lock and load!</string>
    	</dict>
    	<key>PayloadContent</key>
    	<array>
    		<dict>
    			<key>AlwaysOn</key>
    			<dict>
    				<key>AllowAllCaptiveNetworkPlugins</key>
    				<true/>
    				<key>AllowCaptiveWebSheet</key>
    				<true/>
    				<key>AllowedCaptiveNetworkPlugins</key>
    				<array/>
    				<key>ServiceExceptions</key>
    				<array>
    					<dict>
    						<key>Action</key>
    						<string>Allow</string>
    						<key>ServiceName</key>
    						<string>CellularServices</string>
    					</dict>
    					<dict>
    						<key>Action</key>
    						<string>Allow</string>
    						<key>ServiceName</key>
    						<string>VoiceMail</string>
    					</dict>
    					<dict>
    						<key>Action</key>
    						<string>Allow</string>
    						<key>ServiceName</key>
    						<string>AirPrint</string>
    					</dict>
    				</array>
    				<key>TunnelConfigurations</key>
    				<array>
    					<dict>
    						<key>AuthenticationMethod</key>
    						<string>Certificate</string>
    						<key>CertificateType</key>
    						<string>ECDSA384</string>
    						<key>ChildSecurityAssociationParameters</key>
    						<dict>
    							<key>DiffieHellmanGroup</key>
    							<integer>20</integer>
    							<key>EncryptionAlgorithm</key>
    							<string>AES-256-GCM</string>
    							<key>IntegrityAlgorithm</key>
    							<string>SHA2-512</string>
    							<key>LifeTimeInMinutes</key>
    							<integer>1440</integer>
    						</dict>
    						<key>DeadPeerDetectionRate</key>
    						<string>Medium</string>
    						<key>DisableMOBIKE</key>
    						<integer>0</integer>
    						<key>DisableRedirect</key>
    						<false/>
    						<key>EnableCertificateRevocationCheck</key>
    						<integer>0</integer>
    						<key>EnableFallback</key>
    						<integer>0</integer>
    						<key>EnablePFS</key>
    						<false/>
    						<key>IKESecurityAssociationParameters</key>
    						<dict>
    							<key>DiffieHellmanGroup</key>
    							<integer>20</integer>
    							<key>EncryptionAlgorithm</key>
    							<string>AES-256-GCM</string>
    							<key>IntegrityAlgorithm</key>
    							<string>SHA2-512</string>
    							<key>LifeTimeInMinutes</key>
    							<integer>1440</integer>
    						</dict>
    						<key>Interfaces</key>
    						<array>
    							<string>Cellular</string>
    							<string>WiFi</string>
    						</array>
    						<key>LocalIdentifier</key>
    						<string>phone@067be78f-ec27-5a65-bc67-7656c33762b7.algo</string>
    						<key>NATKeepAliveInterval</key>
    						<integer>110</integer>
    						<key>NATKeepAliveOffloadEnable</key>
    						<false/>
    						<key>PayloadCertificateUUID</key>
    						<string>934D5FC7-517C-502B-A34F-F6A54C14903E</string>
    						<key>ProtocolType</key>
    						<string>IKEv2</string>
    						<key>RemoteAddress</key>
    						<string>123.125.15.56</string>
    						<key>RemoteIdentifier</key>
    						<string>123.125.15.56</string>
    						<key>ServerCertificateIssuerCommonName</key>
    						<string>123.125.15.56</string>
    						<key>UseConfigurationAttributeInternalIPSubnet</key>
    						<integer>0</integer>
    					</dict>
    				</array>
    			</dict>
    			<key>IPv4</key>
    			<dict>
    				<key>OverridePrimary</key>
    				<integer>0</integer>
    			</dict>
    			<key>PayloadDescription</key>
    			<string>Configures VPN settings</string>
    			<key>PayloadDisplayName</key>
    			<string>VPN</string>
    			<key>PayloadIdentifier</key>
    			<string>com.apple.vpn.managed.B4147587-50D8-46CE-B105-36EAB71460AC</string>
    			<key>PayloadType</key>
    			<string>com.apple.vpn.managed</string>
    			<key>PayloadUUID</key>
    			<string>B4147953-50D8-46CE-B890-36EAB71432AC</string>
    			<key>PayloadVersion</key>
    			<integer>1</integer>
    			<key>Proxies</key>
    			<dict>
    				<key>HTTPEnable</key>
    				<integer>0</integer>
    				<key>HTTPSEnable</key>
    				<integer>0</integer>
    			</dict>
    			<key>UserDefinedName</key>
    			<string>AlgoVPN algo IKEv2</string>
    			<key>VPNType</key>
    			<string>AlwaysOn</string>
    			<key>VendorConfig</key>
    			<dict/>
    		</dict>
    		<dict>
    			<key>Password</key>
    			<string>123Password</string>
    			<key>PayloadCertificateFileName</key>
    			<string>phone.p12</string>
    			<key>PayloadContent</key>
    			<data>
    			mF6GxlzFctf537
    			ZdkQz06OWwIwBp0rP3Mp0LbiXfpThGqWFl+/l8l7LfKk7t2cgBb
    			d5C98kxHt4iI8n/23487502394780394875034298S2rO/XHtHC
    			eU9oIrIBjLKNFj2h6O/SN10mxP0rhbylFAz0uAcicu+GgfQtSLhH
    			NXx1gTA8F2j0eV4566754674567645745674565vunb5hci5j1SB
    			iXeovfLzk0k0pw7TDI5WAS6DrwZuxNXrSQj6NKIcpAe5x/3+BLNL
    			eU7ql7IK+xwT6N
    			</data>
    			<key>PayloadDescription</key>
    			<string>Adds a PKCS#12-formatted certificate</string>
    			<key>PayloadDisplayName</key>
    			<string>algo</string>
    			<key>PayloadIdentifier</key>
    			<string>com.apple.security.pkcs12.434D5FA7-516C-672B-A74F-F6A32C14903E</string>
    			<key>PayloadType</key>
    			<string>com.apple.security.pkcs12</string>
    			<key>PayloadUUID</key>
    			<string>934D5FA7-516C-592B-A74F-F6A34C14678E</string>
    			<key>PayloadVersion</key>
    			<integer>1</integer>
    		</dict>
    		<dict>
    			<key>PayloadCertificateFileName</key>
    			<string>ca.crt</string>
    			<key>PayloadContent</key>
    			<data>
    			MkpsTWpKbUxXVmpNamN0TldFNE9DMWlZelkzCkxUYzJORFJqTXpN
    			M05qSmlOeTVoYkdkdk1DdUJLVEEyTjJKbE1qSm1MV1ZqTWpjdE5X
    			RTRPQzFpWXpZM0xUYzIKTkRS234324234234234234JHZHZNQ0tI
    			SUNZRXFJQUFBZ0RRQUFBQUFDRzZJQUgvLy8vLy8vLy8vLy8vLy8v
    			LwovLy8vTUFzR0Ex12341234123412343434CZ2dxaGtqT1BRUURB
    			Z05vQURCbEFqQW56UXk0Z0xlQ2xqOUF0cUo4CmYwV29xUjFubnFR
    			VmxHZTF6dUhEUXNFSWc2S2lCRjhkRTBsMHdZSTdWeVAyQ1RzQ01R
    			Q0hNQmRTS02342342341gvdldBSXFLRXFpbzR3
    			OEh6a3Y2eW9PUUZVSnhBc2grNXRSQUp4V0N3PQotLS0tLUVORCBD
    			RVJUSUZJQ234234234234
    			</data>
    			<key>PayloadDescription</key>
    			<string>Adds a CA root certificate</string>
    			<key>PayloadDisplayName</key>
    			<string>algo</string>
    			<key>PayloadIdentifier</key>
    			<string>com.apple.security.root.E82D1123-2334-5FA1-BD5D-123750EC575A</string>
    			<key>PayloadType</key>
    			<string>com.apple.security.root</string>
    			<key>PayloadUUID</key>
    			<string>E82D1BE4-1234-5FA1-BD5D-123750EC575A</string>
    			<key>PayloadVersion</key>
    			<integer>1</integer>
    		</dict>
    	</array>
    	<key>PayloadDisplayName</key>
    	<string>iPhone 6s Profile</string>
    	<key>PayloadIdentifier</key>
    	<string>mac15917.123B8D1B-A29C-48F6-AFA8-123F56AB9250</string>
    	<key>PayloadOrganization</key>
    	<string>Family Organization</string>
    	<key>PayloadRemovalDisallowed</key>
    	<true/>
    	<key>PayloadType</key>
    	<string>Configuration</string>
    	<key>PayloadUUID</key>
    	<string>1234973F-0BF2-49EE-9F75-1239C70FB1DF</string>
    	<key>PayloadVersion</key>
    	<integer>1</integer>
    </dict>
    </plist>
    
    December 29, 2020 at 11:07 pm

    @clintonbean,
    I mostly did not post the steps because I did not want others learning how to do it, but it is super easy. Maybe 3 or 4 taps on the screen. It is not toggling off the VPN that disables it. It will pop back on. However, if you click the small “i” info button circle somewhere within the VPN settings, you should get to a menu that asks you if you want to remove the VPN profile. The user is then able to delete the VPN profile completely. The exact steps are hazy in my mind since I have been on Android for a long time, but if Apple has not updated this since last I checked, it should still be super easy to do.

    December 29, 2020 at 10:55 pm

    @Thiago
    I am guessing it might have something to do with the field in CleanBrowsing that asks for you to enter your public IP address. CleanBrowsing uses this to identify where the traffic is coming from and what to filter. I remember having an issue with this myself. I am sure CB support will help you best here, but you might want to look at this link: https://community.cleanbrowsing.org/knowledge-base/update-your-public-ip-on-cleanbrowsing/

    July 16, 2020 at 5:46 am

    DNSCloak can actually be easily disabled in the same way that the iOS CleanBrowsing app can. From the VPN settings. It is a limitation of iOS. The only way currently is to use a configuration profile on a supervised device. Current approaches by accountability apps are to send an alert when the VPN is disabled. I have switched to Android and have been very happy so far with the capabilities of enforcing DNS etc.

    June 27, 2020 at 10:11 pm

    Looks like you are right. No clear way to change with DNS for now. I wonder how CleanBrowsing determines NSFW Reddit pages in order to block images and GIFs on them. I would think more could be blocked in those instances to render those pages inaccessible.

    June 25, 2020 at 7:33 am

    My theory is that NSFW Reddit pages are only accessible if you are logged in. At least that is what I have read. However, it seems the login page is not targetable for DNS blocks without blocking Reddit itself. Maybe this will spark other ideas.

    Ideally Reddit would have some sort of safe mode like YouTube, etc. Would love to hear about any other options and approaches to a Reddit safe mode.

    June 25, 2020 at 4:40 am

    I am afraid to say this is no small task. Your best option is to use configuration profiles. I suggest setting them up through Apple Configurator 2 on a Mac. Otherwise you would have to tinker around with the XML syntax of the profiles. You will want to set the device as a supervised device to have the most control. That requires wiping the device I believe.

    Once you have a supervised device there are some great restriction settings for app and website whitelists: prevention of installing or removing configuration profiles, prevention of Erase All Content and Settings. You can prevent installation of VPNs.

    Now to your question, unfortunately, the only current way to force DNS settings on WiFi AND Cell is to implement an IKEV2 VPN on the iPhone and force it through the configuration profile. This is called an Always On VPN. These cannot be uninstalled or toggled off in any way. Don’t get them confused with the auto connect VPNs. What is annoying is that no VPN services I found out there had an IKEV2 profile that I could configure on the iPhone. I ended up creating my own and hosting it on Digital Ocean for about $5 a month. Definitely a pain. Especially for anyone not experienced with tech. Now, what is super annoying is that I had issues with WiFi calling and connection to an Apple Watch.

    Long story short, Apple does not provide the kind of customization that is needed to create a properly restricted device. They don’t even allow app developers that customization either. Even pushing Apple’s configuration profiles to the limit, you are still going to run into technical issues and lack of documentation. I am making the switch to Android after battling for a long time to get iOS to where I was satisfied with their native restriction offerings. If you are set on Apple, an IKEV2 VPN forced into an Always On connection through a configuration profile is your only option.

    June 25, 2020 at 4:39 am

    I am afraid to say this is no small task. Your best option is to use configuration profiles. I suggest setting them up through Apple Configurator 2 on a Mac. Otherwise you would have to tinker around with the XML syntax of the profiles. You will want to set the device as a supervised device to have the most control. That requires wiping the device I believe.

    Once you have a supervised device there are some great restriction settings for app and website whitelists: prevention of installing or removing configuration profiles, prevention of Erase All Content and Settings. You can prevent installation of VPNs.

    Now to your question, unfortunately, the only current way to force DNS settings on WiFi AND Cell is to implement an IKEV2 VPN on the iPhone and force it through the configuration profile. This is called an Always On VPN. These cannot be uninstalled or toggled off in any way. Don’t get them confused with the auto connect VPNs. What is annoying is that no VPN services I found out there had an IKEV2 profile that I could configure on the iPhone. I ended up creating my own and hosting it on Digital Ocean for about $5 a month. Definitely a pain. Especially for anyone not experienced with tech. Now, what is super annoying is that I had issues with WiFi calling and connection to an Apple Watch.

    Long story short, Apple does not provide the kind of customization that is needed to create a properly restricted device. They don’t even allow app developers that customization either. Even pushing Apple’s configuration profiles to the limit, you are still going to run into technical issues and lack of documentation. I am making the switch to Android after battling for a long time to get iOS to where I was satisfied with their native restriction offerings. If you are set on Apple, an IKEV2 VPN forced into an Always On connection through a configuration profile is your only option.

    April 8, 2020 at 6:40 pm

    Hello cleandns,

    I posted this earlier, but it may have not sent. Re-posting to see if it goes through. Below are some notes that I cannot elaborate on at the moment, but it is a good start. I plan on making this a Github repository and maybe build it in JavaScript/Node eventually:

    https://www.rootusers.com/12-dig-command-examples-to-query-dns-in-linux/

    # grep -c exits 1 when nothing matches, so separate with ";" rather than "&&" or the "out of" total never prints
    dig -f test.txt +short | grep -c "185.228"; echo "out of"; wc -l < test.txt

    dig -f query.txt @8.8.8.8 +short > results.txt
    dig -f test +short > results.txt
    dig -f test +noall +question +answer > results.txt

    ———————————————

    nslookup -type=txt example.com
    dig example.com
    # pass a hostname, not a URL: the scheme makes the lookup fail
    nslookup www.google.com
    dig www.google.com | grep SERVER

    Family Filter
    IPv4 address: 185.228.168.168 and 185.228.169.168

    —————-
    https://en.wikipedia.org/wiki/Comparison_of_DNS_blacklists
    http://dsi.ut-capitole.fr/blacklists/index_en.php
    http://www.squidblacklist.org/downloads.html (Paid)
    http://squidguard.mesd.k12.or.us/blacklists.tgz (mixed of bn-paf, our database and some local additions)
    http://www.shallalist.de/ squidguard maintainers,
    https://en.wikipedia.org/wiki/SquidGuard#Blacklist_Sources
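    A worked version of the dig notes above, added here as an example and not taken from the post or from any repository: it sends each domain in a file to a chosen resolver (using the JDK's built-in JNDI DNS provider, so no external tool is needed) and reports how many answers fall under the 185.228. prefix, the same heuristic the grep one-liner uses. The resolver address and the prefix come from the post; the file name test.txt matches the post; the FilterCheck class and its method names are assumptions. Unlike grep, the prefix test is anchored to the start of the address and counts per domain rather than per answer line.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NameNotFoundException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/** Hypothetical checker: which domains in a list does a filtering resolver answer with a block address? */
public final class FilterCheck {

    /** Resolver under test: the Family Filter address from the post. */
    static final String RESOLVER = "185.228.168.168";
    /** Prefix the post treats as a filtered answer. */
    static final String BLOCK_PREFIX = "185.228.";

    /** Builds a DNS context bound to one specific resolver rather than the system default. */
    static DirContext resolverContext(String resolverIp) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.dns.DnsContextFactory");
        env.put(Context.PROVIDER_URL, "dns://" + resolverIp);
        return new InitialDirContext(env);
    }

    /** A records for a name; empty on NXDOMAIN, which some filters return instead of a block IP. */
    static List<String> aRecords(DirContext ctx, String name) throws NamingException {
        List<String> out = new ArrayList<>();
        try {
            Attribute a = ctx.getAttributes(name, new String[] {"A"}).get("A");
            if (a == null) return out;
            NamingEnumeration<?> values = a.getAll();
            while (values.hasMore()) out.add(values.next().toString());
        } catch (NameNotFoundException nx) {
            // NXDOMAIN: leave the list empty so the caller can report it separately
        }
        return out;
    }

    /** Pure classification, kept separate from I/O: true if any answer is in the block range. */
    static boolean looksFiltered(List<String> answers) {
        for (String ip : answers) {
            if (ip.startsWith(BLOCK_PREFIX)) return true;
        }
        return false;
    }

    public static void main(String[] args) throws IOException, NamingException {
        String file = args.length > 0 ? args[0] : "test.txt"; // one domain per line
        DirContext ctx = resolverContext(RESOLVER);
        int total = 0, blocked = 0, nxdomain = 0;
        for (String line : Files.readAllLines(Paths.get(file))) {
            String name = line.trim();
            if (name.isEmpty() || name.startsWith("#")) continue;
            total++;
            List<String> answers = aRecords(ctx, name);
            String verdict;
            if (answers.isEmpty()) { nxdomain++; verdict = "NXDOMAIN"; }
            else if (looksFiltered(answers)) { blocked++; verdict = "BLOCKED"; }
            else verdict = "allowed";
            System.out.printf("%-40s %-8s %s%n", name, verdict, answers);
        }
        System.out.printf("%d blocked, %d nxdomain, out of %d%n", blocked, nxdomain, total);
        ctx.close();
    }
}
```

    Run it as `java FilterCheck.java test.txt` on a JDK 11 or later. Two caveats for interpreting the numbers: an empty answer can mean the domain simply does not exist rather than that it was filtered, so the NXDOMAIN count is reported separately; and the prefix heuristic is only valid for this one provider, so swap BLOCK_PREFIX when testing a different filtering resolver.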