Geekzone: technology news, blogs, forums

mdf
3321 posts

Uber Geek

Trusted

  #3076747 16-May-2023 11:07

I've given up on router-level controls and moved to on-device controls. Tried a few different router/network things and there were always issues to navigate. Particularly the cunning little sods figuring out how to download stuff for later and which apps/games worked offline - we wanted to limit screen time, not just internet time. And ultimately any router-level solution will have an end date to if/when mobile data is switched on.

 

We've only got Windows and Android devices (no Apple). Our current parental control app is Qustodio. Which certainly is far from perfect, but mostly does what we need it to. And is simple to control and add exceptions etc. so easy for both parents to control as required, not just the geek-in-residence.


 
 
 

fe31nz
1085 posts

Uber Geek


  #3076961 17-May-2023 01:01

Wombat1:

 

DNS over https (DoH) is becoming a big thing and making it impossible to read and manipulate the DNS requests. Chrome is already supporting DoH and one has to wonder how long it will be before each app on your phone does the same thing. 

 

 

If you run your own DNS server, and block all DNS requests except when they come from your DNS server, then you can still control everything.  And it is possible to use an HTTPS proxy server with your own certificate to allow you to see the encrypted traffic.  Devices that do not have your certificate installed will not work at all if you enforce the HTTPS proxy use in your router.  But you do need a good router to do that.


michaelmurfy
12247 posts

Uber Geek

Moderator
ID Verified
Trusted
Lifetime subscriber

  #3076962 17-May-2023 01:11

Wombat1:

 

Pihole is also useful to do this. Though one has to wonder for how long it's still going to be workable. DNS over https (DoH) is becoming a big thing and making it impossible to read and manipulate the DNS requests. Chrome is already supporting DoH and one has to wonder how long it will be before each app on your phone does the same thing.

 

There are some controls to help mitigate this in both NextDNS (via Block Bypass Methods which also hinders other DoH providers) along with router level blocking where you block outbound port 53/5353 and either whitelist NextDNS's DNS servers or have a local DNS server talking DoH to NextDNS (or another similar provider).

 

I run PiHole here, but honestly use NextDNS and have largely gone away from PiHole's features. The only thing my PiHole servers do is talk local DNS (for resolving local things) and talk DoH to NextDNS and filter some cruft through by using a light block list.

 

Nothing you do is ever going to be perfect. Device configuration profiles like what Apple do are great for locking down a device. I am not too familiar with what Android do these days as it has been literal years since I've last used an Android device but there must be similar with that. If you have a device profile then that follows you around to any internet connection.





Michael Murphy | https://murfy.nz
Opinions are my own and not the views of my employer.




allio
864 posts

Ultimate Geek


  #3077077 17-May-2023 10:22

Surely the best approach is to have two SSIDs - one unrestricted with a password the kids don't know, and a kids' one which turns off overnight. Doesn't matter what MAC address her phone presents with then.


xor
69 posts

Master Geek


  #3077232 17-May-2023 16:23

michaelmurfy:

 

There are some controls to help mitigate this in both NextDNS (via Block Bypass Methods which also hinders other DoH providers) along with router level blocking where you block outbound port 53/5353 and either whitelist NextDNS's DNS servers or have a local DNS server talking DoH to NextDNS (or another similar provider).

 

 

You would need to block 443 to stop DNS over HTTPS not 53.

 

 

fe31nz:

 

If you run your own DNS server, and block all DNS requests except when they come from your DNS server, then you can still control everything.  And it is possible to use an HTTPS proxy server with your own certificate to allow you to see the encrypted traffic.  Devices that do not have your certificate installed will not work at all if you enforce the HTTPS proxy use in your router.  But you do need a good router to do that.

 

 

You also need a way to force the device to use the DNS server and a way to block TLS 1.3
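
Added example (not part of any post in this thread): a small Python check over router flow records that separates the DNS bypass paths debated above, showing which ones a port 53 rule catches and which ride on 443. The LAN range, the local resolver address, the short list of public resolver IPs and the flow-record format are assumptions for illustration; the sample flows are constructed.

```python
import ipaddress

# Assumptions for this sketch (not from the thread): LAN range, address of the
# local resolver (e.g. a Pi-hole), and a short, incomplete list of well-known
# public resolvers that also answer DoH on 443.
LAN = ipaddress.ip_network("192.168.1.0/24")
LOCAL_RESOLVER = ipaddress.ip_address("192.168.1.2")
PUBLIC_DOH = {ipaddress.ip_address(a) for a in
              ("1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9")}

# Constructed sample flow records: src_ip dst_ip proto dst_port
# 198.51.100.53 is a placeholder for the upstream filtering provider.
SAMPLE_FLOWS = """\
192.168.1.2 198.51.100.53 tcp 443
192.168.1.50 192.168.1.2 udp 53
192.168.1.50 8.8.8.8 udp 53
192.168.1.51 1.1.1.1 tcp 853
192.168.1.51 1.1.1.1 tcp 443
192.168.1.52 203.0.113.10 tcp 443
"""

def classify(src, dst, proto, port):
    """Label one outbound flow by how it relates to the forced-resolver policy."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src == LOCAL_RESOLVER or src not in LAN or dst == LOCAL_RESOLVER:
        return "ok"                      # resolver upstream, or client -> resolver
    if port == 53:
        return "plain-dns-bypass"        # the case a port 53 block stops
    if port == 853 and proto == "tcp":
        return "dot-bypass"              # DNS over TLS uses its own port
    if port == 443 and dst in PUBLIC_DOH:
        return "doh-known-resolver"      # invisible to a port 53 rule
    # Any other 443 flow looks like ordinary HTTPS from here; DoH to a
    # resolver that is not on the list cannot be told apart at this layer.
    return "web-or-unlisted-doh" if port == 443 else "ok"

def report(flows_text=SAMPLE_FLOWS):
    """Return (src, dst, verdict) for flows that clearly bypass the resolver."""
    findings = []
    for line in flows_text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, port = line.split()
        verdict = classify(src, dst, proto, int(port))
        if verdict not in ("ok", "web-or-unlisted-doh"):
            findings.append((src, dst, verdict))
    return findings

if __name__ == "__main__":
    for finding in report():
        print(*finding)
```

The last sample flow is deliberately left unflagged: without an IP list or TLS inspection, DoH to an unlisted endpoint is just another HTTPS connection.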

Wombat1
400 posts

Ultimate Geek


#3077247 17-May-2023 17:47

xor: You would need to block 443 to stop DNS over HTTPS not 53.

 

And good luck with that. 


toejam316
1298 posts

Uber Geek

Trusted
Lifetime subscriber

  #3077263 17-May-2023 19:37

Have you considered using the native Apple Parental controls?





Anything I say is the ramblings of an ill informed, opinionated so-and-so, and not representative of any of my past, present or future employers, and is also probably best disregarded.




fe31nz
1085 posts

Uber Geek


  #3077303 18-May-2023 01:10

Wombat1:

 

xor: You would need to block 443 to stop DNS over HTTPS not 53.

 

And good luck with that. 

 

 

Which is why I suggested forcing use of a proxy on HTTPS - all 443 traffic except from the proxy gets blocked by the router.  Connecting to the proxy requires installation and use of your certificate, allowing the proxy to decrypt the traffic.  I think Privoxy is now able to do this:

 

https://www.privoxy.org

 

but I have not tried it myself.


xpd

aka Fast Raccoon !
13022 posts

Uber Geek

Retired Mod
ID Verified
Trusted
Lifetime subscriber

  #3079519 25-May-2023 08:10

allio:

 

Surely the best approach is to have two SSIDs - one unrestricted with a password the kids don't know, and a kids' one which turns off overnight. Doesn't matter what MAC address her phone presents with then.

 

 

Yeah but I don't use the wifi on the Fritz, have Unifi's for wifi....... 

 

Been that long I couldn't find the setup for scheduling in the Unifi app, but got it now :) Dumping them on their own SSID that's dead overnight.

 

Ta

 

 





       Gavin / xpd / FastRaccoon / Geek of Coastguard New Zealand


 

 

