I use DNS filters for pr0n and inappropriate content on our home network. I have been re-configuring this and during testing have noticed some issues on modern Android devices. This may be due to Android 9+ implementing DNS over TLS? Perhaps some kind of IPv6 issue? Looking for ideas as to how to diagnose accurately or otherwise solve.
Background: Kids have a wifi network on their own VLAN. This VLAN uses a Pi-Hole as its DNS server, with upstream servers set to Cleanbrowsing.org (I have found this most effective at forcing safe Google searches but not being over zealous in YouTube searches). I have an Edgerouter with a DNAT rule to (I think) intercept anything on port 53 on the kids VLAN and redirect it to the Pi-Hole DNS server.
- Using wifi_adults, browsing to www dot pr0nhub dot com or searching for "pr0nstar" on Google produces the expected results ("It's for legitimate testing honey, honestly!").
- Using wifi_kids from PC or chromebook, browsing to www dot pr0nhub dot com produces (as intended) "site cannot be reached... site's IP address could not be found..." and searching for pr0nstar on Google produces news stories and recipes for cocktails. Some less than desirable images, but nothing R18.
- Also using wifi_kids, "nslookup pr0nhub dot com" and "nslookup pr0nhub dot com 18.104.22.168" both return non-existent domains.
Using wifi_kids from android mobile (Galaxy Note for testing) produces the same unfiltered results as wifi_adults.
I'm not sure what is going on here. I've done some research (and so learnt some new things). Current suspicions are Google introducing DNS over TLS in Android 9 and later, or IPv6 (I really have to get around to figuring out how IPv6 works one of these days). I suspect there must be some sort of hard-coded Google DoT or IPv6 name server on the phone that isn't affecting the notebooks.
Any ideas on what is going on? And how to remedy?
I'm hoping this might be as straightforward as intercepting another port and forcing a redirection either to a safe name server on the Edgerouter, or something easily configurable on the Pi-Hole. I see that things like Unbound, DNScrypt-proxy and Cloudflared are potentially installable either on Edgerouter or Pi-Hole, but the instructions rapidly exceed my comfort zone.
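The two suspects named in the post (DNS over TLS and IPv6) both show up in the same place: connection records leaving the kids VLAN. A port-53 DNAT only ever sees cleartext DNS on the protocol it is written for; Android's Private DNS sends TCP/853 instead, and an IPv4-only rule never sees a query sent to an IPv6 resolver. Android's "Automatic" Private DNS mode attempts TCP/853 to whichever resolver the phone was handed and falls back to cleartext when that fails, whereas a configured hostname (for example dns.google) is used exclusively and does not fall back. The script below is an added example, not from the original post: it triages conntrack-style flow records and labels each DNS-looking flow by whether the DNAT covers it. The record format, the VLAN address 192.168.20.0/24, the Pi-hole address 192.168.20.2 and the IPv6 prefix 2001:db8:20::/64 are all assumptions, and the sample records are constructed rather than captured.

```python
"""Triage flow records from the kids VLAN for DNS that escapes a port-53 DNAT.

Added example, not from the original post. Addresses and the flow-record
format are assumptions; SAMPLE_FLOWS below is constructed, not captured.
"""
import ipaddress
import re
from collections import Counter

# Assumed addressing (not from the post): kids VLAN, Pi-hole, and a
# hypothetical IPv6 prefix the VLAN might receive if IPv6 is enabled.
KIDS_NETS = [ipaddress.ip_network("192.168.20.0/24"),
             ipaddress.ip_network("2001:db8:20::/64")]
PIHOLE = ipaddress.ip_address("192.168.20.2")

# Well-known public resolvers. TCP/443 to one of these from a phone is a
# strong hint of DNS over HTTPS, which otherwise looks like ordinary HTTPS.
PUBLIC_RESOLVERS = {ipaddress.ip_address(a) for a in (
    "8.8.8.8", "8.8.4.4", "2001:4860:4860::8888", "2001:4860:4860::8844",
    "1.1.1.1", "1.0.0.1", "2606:4700:4700::1111", "2606:4700:4700::1001",
    "9.9.9.9", "149.112.112.112", "2620:fe::fe",
)}

# Assumed conntrack-style record: proto=udp src=A dst=B dport=N
FLOW_RE = re.compile(
    r"proto=(?P<proto>\w+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def parse_flow(line):
    """Return a dict for a well-formed record, or None for anything else."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    try:
        return {"proto": m["proto"].lower(),
                "src": ipaddress.ip_address(m["src"]),
                "dst": ipaddress.ip_address(m["dst"]),
                "dport": int(m["dport"])}
    except ValueError:  # malformed address
        return None


def classify(flow):
    """Label one flow by how it relates to a port-53 DNAT rule on the VLAN."""
    proto, dst, dport = flow["proto"], flow["dst"], flow["dport"]
    if dport == 53 and proto in ("udp", "tcp"):
        if dst == PIHOLE:
            return "filtered"            # reached the Pi-hole directly
        if dst.version == 6:
            return "bypass:ipv6-dns"     # an IPv4 DNAT rule never sees this
        return "redirect:plain-dns"      # exactly what the port-53 DNAT is for
    if proto == "tcp" and dport == 853:
        return "bypass:dot"              # DNS over TLS (Android Private DNS)
    if proto == "tcp" and dport == 443 and dst in PUBLIC_RESOLVERS:
        return "bypass:doh?"             # probable DNS over HTTPS
    return "other"


def triage(lines, nets=KIDS_NETS):
    """Count categories for flows sourced from the VLAN and list the bypasses."""
    counts = Counter()
    bypasses = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None or not any(flow["src"] in n for n in nets):
            continue
        label = classify(flow)
        counts[label] += 1
        if label.startswith("bypass:"):
            bypasses.append((label, str(flow["src"]), str(flow["dst"]), flow["dport"]))
    return counts, bypasses


# Constructed sample records (not a real capture).
SAMPLE_FLOWS = [
    "proto=udp src=192.168.20.50 dst=192.168.20.2 dport=53",           # chromebook -> Pi-hole
    "proto=udp src=192.168.20.51 dst=8.8.8.8 dport=53",                 # PC with a manual resolver; DNAT catches this
    "proto=tcp src=192.168.20.60 dst=8.8.8.8 dport=853",                # phone: DoT, never touches port 53
    "proto=udp src=2001:db8:20::60 dst=2001:4860:4860::8888 dport=53",  # phone: cleartext DNS over IPv6
    "proto=tcp src=192.168.20.60 dst=1.1.1.1 dport=443",                # phone: looks like DoH
    "proto=tcp src=192.168.20.60 dst=203.0.113.10 dport=443",           # ordinary HTTPS
    "proto=udp src=192.168.10.5 dst=8.8.8.8 dport=53",                  # adults VLAN, out of scope
    "not a flow record",
]

if __name__ == "__main__":
    counts, bypasses = triage(SAMPLE_FLOWS)
    for label, n in sorted(counts.items()):
        print(f"{label:22s} {n}")
    for b in bypasses:
        print("BYPASS", *b)
```

Each "bypass:" label points at a different fix. "bypass:dot" from a phone is answered by rejecting TCP/853 on the kids VLAN: a phone in Automatic mode then falls back to cleartext port 53, which the existing DNAT catches, while a phone with a hostname configured under Private DNS stops resolving rather than falling back, which makes the setting easy to spot. "bypass:ipv6-dns" means the VLAN is handing out (or the phone is discovering) an IPv6 resolver, so either the VLAN gets no IPv6 or the DNAT and 853 rules need IPv6 equivalents. "bypass:doh?" is only a heuristic, since DoH to a host not in PUBLIC_RESOLVERS is indistinguishable from any other HTTPS connection in flow data.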