Geekzone: technology news, blogs, forums
mdf
#3076747 16-May-2023 11:07

I've given up on router-level controls and moved to on-device controls. Tried a few different router/network things and there were always issues to navigate. Particularly the cunning little sods figuring out how to download stuff for later and which apps/games worked offline - we wanted to limit screen time, not just internet time. And ultimately any router-level solution will have an end date to if/when mobile data is switched on.
We've only got Windows and Android devices (no apple). Our current parental control app is Qustodio. Which certainly is far from perfect, but mostly does what we need it to. And is simple to control and add exceptions etc. so easy for both parents to control as required, not just the geek-in-residence.

fe31nz
#3076961 17-May-2023 01:01

Wombat1:

DNS over HTTPS (DoH) is becoming a big thing and making it impossible to read and manipulate the DNS requests. Chrome is already supporting DoH and one has to wonder how long it will be before each app on your phone does the same thing.

If you run your own DNS server, and block all DNS requests except when they come from your DNS server, then you can still control everything.  And it is possible to use an HTTPS proxy server with your own certificate to allow you to see the encrypted traffic.  Devices that do not have your certificate installed will not work at all if you enforce the HTTPS proxy use in your router.  But you do need a good router to do that.

michaelmurfy
#3076962 17-May-2023 01:11

Wombat1:

Pihole is also useful to do this. Though one has to wonder for how long it's still going to be workable. DNS over HTTPS (DoH) is becoming a big thing and making it impossible to read and manipulate the DNS requests. Chrome is already supporting DoH and one has to wonder how long it will be before each app on your phone does the same thing.

There are some controls to help mitigate this in both NextDNS (via Block Bypass Methods which also hinders other DoH providers) along with router level blocking where you block outbound port 53/5353 and either whitelist NextDNS's DNS servers or have a local DNS server talking DoH to NextDNS (or another similar provider).
I run PiHole here, but honestly use NextDNS and have largely gone away from PiHole's features. The only thing my PiHole servers do is talk local DNS (for resolving local things) and talk DoH to NextDNS and filter some cruft through by using a light block list.
Nothing you do is ever going to be perfect. Device configuration profiles like what Apple do are great for locking down a device. I am not too familiar with what Android do these days as it has been literal years since I've last used an Android device but there must be similar with that. If you have a device profile then that follows you around to any internet connection.

Michael Murphy | https://murfy.nz
Opinions are my own and not the views of my employer.
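As an added illustration of the router-level policy described in the post above (only the local resolver may speak DNS outbound; any other host on 53/853/5353 is bypassing it), here is a small audit over constructed netfilter-style flow-log lines. This is not code from the thread or from Pi-hole/NextDNS; the resolver and upstream addresses are assumed placeholders, and port 443 flows are left as opaque unless the destination is already known as a DoH resolver, which is the limit later replies point out.

```python
import re

# Assumed layout (not from the thread): a Pi-hole style local resolver that forwards
# to a fixed set of upstreams. All addresses are RFC 5737 documentation ranges, i.e. placeholders.
LOCAL_RESOLVER = "192.168.1.2"
ALLOWED_UPSTREAMS = {"203.0.113.10", "203.0.113.11"}
KNOWN_DOH_ENDPOINTS = {"198.51.100.53"}   # placeholder: DoH resolver IPs you have chosen to watch
DNS_PORTS = {53, 853, 5353}               # plain DNS and mDNS from the thread, plus DNS-over-TLS

FLOW_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+).*?DPT=(\d+)")

# Constructed netfilter-style LOG lines; not captured from any real router.
SAMPLE_LOG = """\
kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.2 DST=203.0.113.10 PROTO=UDP SPT=40001 DPT=53
kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.99 PROTO=UDP SPT=52000 DPT=53
kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.99 PROTO=TCP SPT=52001 DPT=853
kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.51 DST=198.51.100.53 PROTO=TCP SPT=52002 DPT=443
kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.51 DST=198.51.100.7 PROTO=TCP SPT=52003 DPT=443
kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.2 DST=203.0.113.99 PROTO=UDP SPT=40002 DPT=53
"""

def classify(line):
    """Verdict for one outbound flow line, or None if the line is not a flow record."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    src, dst, dpt = m.group(1), m.group(2), int(m.group(4))
    if dpt in DNS_PORTS:
        if src == LOCAL_RESOLVER:
            return "ok" if dst in ALLOWED_UPSTREAMS else "resolver-unlisted-upstream"
        return "client-dns-bypass"   # a client doing DNS/DoT past the local resolver
    if dpt == 443:
        # The port alone cannot tell DoH from ordinary HTTPS, which is why "block 443"
        # is impractical; only a destination already known as a DoH resolver is flaggable.
        return "client-doh-endpoint" if dst in KNOWN_DOH_ENDPOINTS else "https-opaque"
    return "ok"

def audit(log_text):
    """Per-source counts of policy violations; clean and opaque flows are dropped."""
    findings = {}
    for line in log_text.splitlines():
        verdict = classify(line)
        if verdict in (None, "ok", "https-opaque"):
            continue
        src = FLOW_RE.search(line).group(1)
        findings.setdefault(src, {})
        findings[src][verdict] = findings[src].get(verdict, 0) + 1
    return findings
```

Run `audit(SAMPLE_LOG)` to see which hosts are talking DNS around the resolver; the same check works on real `iptables -j LOG` or nftables `log` output with your own addresses substituted.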

allio
#3077077 17-May-2023 10:22

Surely the best approach is to have two SSIDs - one unrestricted with a password the kids don't know, and a kids' one which turns off overnight. Doesn't matter what MAC address her phone presents with then.

xor
#3077232 17-May-2023 16:23

michaelmurfy:

There are some controls to help mitigate this in both NextDNS (via Block Bypass Methods which also hinders other DoH providers) along with router level blocking where you block outbound port 53/5353 and either whitelist NextDNS's DNS servers or have a local DNS server talking DoH to NextDNS (or another similar provider).

You would need to block 443 to stop DNS over HTTPS not 53.
fe31nz:

If you run your own DNS server, and block all DNS requests except when they come from your DNS server, then you can still control everything. And it is possible to use an HTTPS proxy server with your own certificate to allow you to see the encrypted traffic. Devices that do not have your certificate installed will not work at all if you enforce the HTTPS proxy use in your router. But you do need a good router to do that.

You also need a way to force the device to use the DNS server and a way to block TLS 1.3.

Wombat1
#3077247 17-May-2023 17:47

xor: You would need to block 443 to stop DNS over HTTPS not 53.

And good luck with that.

toejam316
#3077263 17-May-2023 19:37

Have you considered using the native Apple Parental controls?

Anything I say is the ramblings of an ill informed, opinionated so-and-so, and not representative of any of my past, present or future employers, and is also probably best disregarded.

fe31nz
#3077303 18-May-2023 01:10

Wombat1:

xor: You would need to block 443 to stop DNS over HTTPS not 53.

And good luck with that.

Which is why I suggested forcing use of a proxy on HTTPS - all 443 traffic except from the proxy gets blocked by the router.  Connecting to the proxy requires installation and use of your certificate, allowing the proxy to decrypt the traffic.  I think Privoxy is now able to do this:

https://www.privoxy.org

but I have not tried it myself.

xpd
#3079519 25-May-2023 08:10

allio:

Surely the best approach is to have two SSIDs - one unrestricted with a password the kids don't know, and a kids' one which turns off overnight. Doesn't matter what MAC address her phone presents with then.

Yeah but I don't use the wifi on the Fritz, have Unifis for wifi...

Been that long I couldn't find the setup for scheduling in the Unifi app, but got it now :) Dumping them on their own SSID that's dead overnight.

Ta

XPD / Gavin