Geekzone: technology news, blogs, forums
mdf
#270596 17-May-2020 16:11

I use DNS filters for pr0n and inappropriate content on our home network. I have been re-configuring this and during testing have noticed some issues on modern Android devices. This may be due to Android 9+ implementing DNS over TLS? Perhaps some kind of IPv6 issue? Looking for ideas as to how to diagnose accurately or otherwise solve.

 

Background: Kids have a wifi network on their own VLAN. This VLAN uses a Pi-Hole as its DNS server, with upstream servers set to Cleanbrowsing.org (I have found this most effective at forcing safe google searches but not being over zealous in youtube searches). I have an Edgerouter with a DNAT rule to (I think) intercept anything on port 53 on the kids VLAN and redirect it to the Pi-Hole DNS server. 

 

Current status:

 

  • Using wifi_adults, browsing to www dot pr0nhub dot com or searching for "pr0nstar" on google produces the expected results ("It's for legitimate testing honey, honestly!").
  • Using wifi_kids from PC or chromebook, browsing to www dot pr0nhub dot com produces (as intended) "site cannot be reached... site's IP address could not be found..." and searching for pr0nstar on google produces news stories and recipes for cocktails. Some less than desirable images, but nothing R18.
  • Also using wifi_kids, "nslookup pr0nhub dot com" and "nslookup pr0nhub dot com 8.8.8.8" both return non-existent domains.

But

 

Using wifi_kids from android mobile (Galaxy Note for testing) produces the same unfiltered results as wifi_adults.

 

I'm not sure what is going on here. I've done some research (and so learnt some new things). Current suspicions are Google introducing DNS over TLS in android 9 and later, or IPv6 (I really have to get around to figuring out how IPv6 works one of these days). I suspect there must be some sort of hard-coded Google DoT or IPv6 name server on the phone that isn't affecting the notebooks.

 

Any ideas on what is going on? And how to remedy?

 

I'm hoping this might be as straightforward as intercepting another port and forcing a redirection either to a safe name server on the Edgerouter, or something easily configurable on the PiHole. I see that things like Unbound, DNScrypt-proxy and Cloudflared are potentially installable either on Edgerouter or Pi-Hole, but the instructions rapidly exceed my comfort zone.


michaelmurfy
#2485249 17-May-2020 16:44

The problem will be with IPv6. I note you're posting from an IPv6 address (so guessing you've got this running on all your networks).

 

On your kids network perhaps just disable IPv6 so devices are forced to go via IPv4 only, and get captured by the DNAT rules. The Edgerouter unfortunately isn't great at IPv6 unless you want to dive deep with the CLI. I personally have IPv6 disabled on my guest network for this very reason (also, I'm lazy!).

Unless Google are using DNS over HTTPS these days on Android. I don't have a device to test with.





Michael Murphy | https://murfy.nz
mdf
#2485252 17-May-2020 16:54
Zut. And I spent so long carefully trying to figure out how to get it working across VLANs too!

 

How badly would I break things by leaving IPv6 on for the kids' VLAN, but running this? (kids VLAN is now on eth1.23)

set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0 interface eth1.23 no-dns

 

Edit: For clarity, this is on a Voyager UFB connection, so PPPOE, VLAN 10.


michaelmurfy
#2485253 17-May-2020 17:02

That is what I do on my main network (and what I have in my guide also). Give it a shot!





mdf
#2485267 17-May-2020 17:59
Super, thanks for all your help! That seems to have done the trick. Full speed ahead.

 

Interestingly though if you've got the time to give it some thought (all results from the restricted network):

 

nslookup {pr0nhub dot com}
{pihole} can't find {pr0nhub dot com}: Non-existent domain

nslookup {pr0nhub dot com} 8.8.8.8
dns.google can't find {pr0nhub dot com}: Non-existent domain

i.e. the DNAT rule intercepting port 53 looks like it is working. But

nslookup -q=aaaa {pr0nhub dot com}
{pihole} can't find {pr0nhub dot com}: Non-existent domain

nslookup -q=aaaa {pr0nhub dot com} 2001:4860:4860::8888
Name: {pr0nhub dot com}

 

It doesn't seem to find an address, but doesn't throw a problem either - i.e. it isn't obviously being caught by the port 53 redirect rule. I am wondering if on Android at least queries are going out on port 853 (DoT) or 443 (DoH)? https://developers.google.com/speed/public-dns/docs/secure-transports

 

Edit: formatting


fe31nz
#2485370 17-May-2020 23:29
Does your Pi-Hole do DNS on its IPv6 address? If so, then just use a DNAT rule on the kids' VLAN to send the IPv6 DNS to the Pi-Hole. With IPv6, you have to remember that everything you do on your IPv4 rules needs to be repeated in the IPv6 rules.


ShinyChrome
#2485386 18-May-2020 07:32
mdf:

Zut. And I spent so long carefully trying to figure out how to get it working across VLANs too!

How badly would I break things by leaving IPv6 on for the kids' VLAN, but running this? (kids VLAN is now on eth1.23)

set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0 interface eth1.23 no-dns

Edit: For clarity, this is on a Voyager UFB connection, so PPPOE, VLAN 10.


I had to do exactly this for two Android 10 based phones that would ignore the EdgeRouter published DNS (the pi-hole) and use the IPv6 DNS addresses pushed by the ISP through the PPPoE connection. Once I had done that, all DNS queries were routed through the correct rules to redirect all traffic to the Pi-hole. Took me a good day to figure out how the phones were finding a way around it. I have also tried to mirror all my IPv4 DNS rules in IPv6 as well.

 

I also have a rule to drop all port 853 traffic, under the impression that anything attempting DoT will fallback to regular port 53 if unsuccessful (or if it doesn't, nothing on my closed network should be using it anyway). Unfortunately, not much can be done about DoH at the application level, apart from ensuring it stays switched off.
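A client-side probe for the paths this thread turns up, added here as an example and not code from any of the posts above. It covers mdf's nslookup matrix (A and AAAA, via an IPv4 and an IPv6 public resolver) and the two bypasses fe31nz and ShinyChrome describe: IPv6 port 53 with no matching redirect, and DNS over TLS on TCP/853. It uses only the Python standard library and builds the DNS packets itself, so it runs on any laptop or phone shell on the kids VLAN. The Pi-hole addresses, the name to test and the use of 8.8.8.8 / 2001:4860:4860::8888 as the "outside" resolvers are assumptions, not values from the thread; it reads NXDOMAIN as the filtered answer because that is what mdf's nslookup output shows for both the Pi-hole and the redirected 8.8.8.8 query.

```python
"""Probe which DNS paths from a client on the filtered VLAN really hit the filter.

Added example for this thread (not code from any post). Sends raw A and AAAA
queries over UDP/53 to IPv4 and IPv6 resolvers and checks whether TCP/853
(DNS over TLS) is reachable. Pi-hole addresses and the name to test are
command-line arguments, i.e. assumptions rather than values from the thread.
"""
import random
import socket
import struct
import sys

QTYPE_A, QTYPE_AAAA = 1, 28
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3

# Resolvers outside the home network (assumed for the example). A working
# interception still answers, or blocks, queries a client sends straight to these.
PUBLIC_RESOLVERS = [
    ("Google v4", socket.AF_INET, "8.8.8.8"),
    ("Google v6", socket.AF_INET6, "2001:4860:4860::8888"),
]

def build_query(name, qtype, txid):
    """Encode a one-question RFC 1035 query (class IN) with the RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [part.encode("ascii") for part in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_response(data, txid):
    """Decode the header only; that is enough to tell NXDOMAIN from NODATA."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {"txid_ok": rid == txid, "qr": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "answers": an}

def classify(result):
    """Turn a parsed reply (None for a timeout) into a verdict on this path."""
    if result is None:
        return "no reply (dropped, blocked or timed out)"
    if not (result["txid_ok"] and result["qr"]):
        return "bogus reply (txid or QR bit mismatch)"
    if result["rcode"] == RCODE_NXDOMAIN:
        return "NXDOMAIN: filtered answer on this path"
    if result["rcode"] == RCODE_NOERROR and result["answers"] > 0:
        return "NOERROR with answers: NOT filtered on this path"
    if result["rcode"] == RCODE_NOERROR:
        # NODATA: the name exists but has no record of this type. A filter that
        # returns NXDOMAIN for A does so for AAAA too, so an unfiltered resolver answered.
        return "NOERROR, no records: name exists, NOT filtered on this path"
    return "rcode %d" % result["rcode"]

def query(ip, family, name, qtype, timeout=2.0):
    """One UDP query to ip:53; returns the parsed header, or None if nothing comes back."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, txid), (ip, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_response(data, txid)

def tcp_port_open(ip, family, port, timeout=2.0):
    """True if a TCP handshake to ip:port completes (DoT listens on 853)."""
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((ip, port))
            return True
    except OSError:
        return False

def run_probes(name, resolvers, timeout=2.0):
    """A and AAAA over UDP/53 plus a TCP/853 check per resolver; returns (label, verdict) rows."""
    rows = []
    for label, family, ip in resolvers:
        for qtype, qtxt in ((QTYPE_A, "A"), (QTYPE_AAAA, "AAAA")):
            try:
                verdict = classify(query(ip, family, name, qtype, timeout))
            except OSError as e:  # e.g. this host has no IPv6 at all: a separate finding
                verdict = "socket error: %s" % e
            rows.append(("%s udp/53 %s" % (label, qtxt), verdict))
        dot = tcp_port_open(ip, family, 853, timeout)
        rows.append(("%s tcp/853" % label,
                     "OPEN: DoT reachable, a port-53-only redirect is bypassable"
                     if dot else "closed or unreachable"))
    return rows

if __name__ == "__main__":  # usage: probe.py <name the filter should block> [pihole-v4] [pihole-v6]
    if len(sys.argv) < 2:
        sys.exit(__doc__)
    targets = list(PUBLIC_RESOLVERS)
    for i, (label, fam) in enumerate((("Pi-hole v4", socket.AF_INET), ("Pi-hole v6", socket.AF_INET6))):
        if len(sys.argv) > 2 + i:
            targets.insert(i, (label, fam, sys.argv[2 + i]))
    for label, verdict in run_probes(sys.argv[1], targets):
        print("%-24s %s" % (label, verdict))
```

Reading the table: if "Google v4 udp/53" comes back NXDOMAIN but "Google v6 udp/53" comes back "NOERROR, no records" or "NOERROR with answers", the IPv6 side has no redirect, which is fe31nz's point. That is also what mdf's last nslookup shows: "Name: {pr0nhub dot com}" with no address is a NOERROR reply with an empty answer section, so the Google resolver was reached directly over IPv6, whereas the Pi-hole answered the same AAAA query with NXDOMAIN. If "tcp/853" is OPEN to either address, a phone with Private DNS pointed at that host can skip port 53 altogether, which is what ShinyChrome's port 853 drop rule is for. DoH on 443 is not distinguishable from ordinary HTTPS by port, so the script does not try; and a filter that answers with a sinkhole address instead of NXDOMAIN would need a check on the returned address rather than the rcode.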

