Geekzone: technology news, blogs, forums
mdf



2563 posts

Uber Geek

Trusted
Subscriber

#270596 17-May-2020 16:11

I use DNS filters for pr0n and inappropriate content on our home network. I have been re-configuring this and during testing have noticed some issues on modern Android devices. This may be due to Android 9+ implementing DNS over TLS? Perhaps some kind of IPv6 issue? Looking for ideas as to how to diagnose accurately or otherwise solve.

 

Background: Kids have a wifi network on their own VLAN. This VLAN uses a Pi-Hole as its DNS server, with upstream servers set to Cleanbrowsing.org (I have found this most effective at forcing safe google searches but not being over zealous in youtube searches). I have an Edgerouter with a DNAT rule to (I think) intercept anything on port 53 on the kids VLAN and redirect it to the Pi-Hole DNS server. 

 

Current status:

 

  • Using wifi_adults, browsing to www dot pr0nhub dot com or searching for "pr0nstar" on google produces the expected results ("It's for legitimate testing honey, honestly!").
  • Using wifi_kids from PC or chromebook, browsing to www dot pr0nhub dot com produces (as intended) "site cannot be reached... site's IP address could not be found..." and searching for pr0nstar on google produces news stories and recipes for cocktails. Some less than desirable images, but nothing R18.
  • Also using wifi_kids, "nslookup pr0nhub dot com" and "nslookup pr0nhub dot com 8.8.8.8" both return non-existent domains.

But

 

Using wifi_kids from android mobile (Galaxy Note for testing) produces the same unfiltered results as wifi_adults.

 

I'm not sure what is going on here. I've done some research (and so learnt some new things). Current suspicions are Google introducing DNS over TLS in android 9 and later, or IPv6 (I really have to get around to figuring out how IPv6 works one of these days). I suspect there must be some sort of hard-coded Google DoT or IPv6 name server on the phone that isn't affecting the notebooks. 

 

Any ideas on what is going on? And how to remedy?

 

I'm hoping this might be as straightforward as intercepting another port and forcing a redirection either to a safe name server on the Edgerouter, or something easily configurable on the PiHole. I see that things like Unbound, DNScrypt-proxy and Cloudflared are potentially installable either on Edgerouter or Pi-Hole, but the instructions rapidly exceed my comfort zone.
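An added example of what a port-53 intercept on an EdgeRouter normally looks like, for comparison with the rule described above. This is not mdf's configuration or anything from the thread; it assumes the kids VLAN is on eth1.23 and uses 192.0.2.10 as a placeholder Pi-hole address.

```edgeos
# Added example (not from the thread): EdgeOS "configure" mode commands that
# rewrite every IPv4 DNS query leaving the kids VLAN so it lands on the Pi-hole.
# Assumptions: kids VLAN is eth1.23, Pi-hole is at 192.0.2.10 (placeholder).
configure

# Rule 10: queries already addressed to the Pi-hole pass through untouched.
set service nat rule 10 description "Kids VLAN: DNS already going to Pi-hole"
set service nat rule 10 type destination
set service nat rule 10 inbound-interface eth1.23
set service nat rule 10 protocol tcp_udp
set service nat rule 10 destination address 192.0.2.10
set service nat rule 10 destination port 53
set service nat rule 10 exclude

# Rule 11: every other IPv4 DNS query (for example one sent to a hard-coded
# 8.8.8.8) is rewritten to the Pi-hole. This is why "nslookup name 8.8.8.8"
# from a kids-VLAN client still gets the Pi-hole's answer.
set service nat rule 11 description "Kids VLAN: redirect all other DNS to Pi-hole"
set service nat rule 11 type destination
set service nat rule 11 inbound-interface eth1.23
set service nat rule 11 protocol tcp_udp
set service nat rule 11 destination port 53
set service nat rule 11 inside-address address 192.0.2.10
set service nat rule 11 inside-address port 53

commit
save
exit

# Checks from a client on the kids VLAN (both should be answered by the Pi-hole):
#   nslookup example.com
#   nslookup example.com 8.8.8.8
# Check on the router that rule 11 is actually matching packets:
#   show nat statistics
```

Two caveats worth knowing when comparing against your own rule. First, this only ever sees IPv4 packets on port 53; a client that resolves over IPv6, or over DNS over TLS (853) or DNS over HTTPS (443), never touches it, which is exactly the gap the rest of this thread is about. Second, if the Pi-hole sits on the kids VLAN itself rather than on another VLAN, the Pi-hole's replies go straight back to the client without passing the router, so the rewritten source address is never undone and the client discards the answer; in that layout a matching source NAT (masquerade) rule is also needed.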


/dev/null
9341 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

  #2485249 17-May-2020 16:44

The problem will be with IPv6. I note you're posting from an IPv6 address (so guessing you've got this running on all your networks).

 

On your kids network perhaps just disable IPv6 so devices are forced to go via IPv4 only, and get captured by the DNAT rules. The Edgerouter unfortunately isn't great at IPv6 unless you want to dive deep with the CLI. I personally have IPv6 disabled on my guest network for this very reason (also, I'm lazy!).

 

Unless Google are using DNS over HTTPS these days on Android. I don't have a device to test with.





mdf



2563 posts

Uber Geek

Trusted
Subscriber

  #2485252 17-May-2020 16:54

Zut. And I spent so long carefully trying to figure out how to get it working across VLANs too!

 

How badly would I break things by leaving IPv6 on for the kid's VLAN, but running this? (kids VLAN is now on eth1.23)

 

 set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0 interface eth1.23 no-dns 

 

Edit: For clarity, this is on a Voyager UFB connection, so PPPOE, VLAN 10.

/dev/null
9341 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

  #2485253 17-May-2020 17:02

That is what I do on my main network (and what I have in my guide also). Give it a shot!





mdf



2563 posts

Uber Geek

Trusted
Subscriber

  #2485267 17-May-2020 17:59

Super, thanks for all your help! That seems to have done the trick. Full speed ahead.

 

Interestingly though if you've got the time to give it some thought (all results from the restricted network):

 

nslookup {pr0nhub dot com}
{pihole} can't find {pr0nhub dot com}: Non-existent domain

nslookup {pr0nhub dot com} 8.8.8.8
dns.google can't find {pr0nhub dot com}: Non-existent domain

 

i.e. the DNAT rule intercepting port 53 looks like it is working. But

 

nslookup -q=aaaa {pr0nhub dot com}
{pihole} can't find {pr0nhub dot com}: Non-existent domain

nslookup -q=aaaa {pr0nhub dot com} 2001:4860:4860::8888
Name: {pr0nhub dot com}

 

It doesn't seem to find an address, but doesn't throw a problem either - i.e. it isn't obviously being caught by the port 53 redirect rule. I am wondering if on Android at least queries are going out on port 853 (DoT) or 443 (DoH)? https://developers.google.com/speed/public-dns/docs/secure-transports

 

Edit: formatting


544 posts

Ultimate Geek


  #2485370 17-May-2020 23:29

Does your Pi-Hole do DNS on its IPv6 address?  If so, then just use a DNAT rule on the kid's VLAN to send the IPv6 DNS to the Pi-Hole.  With IPv6, you have to remember that everything you do on your IPv4 rules needs to be repeated in the IPv6 rules.


816 posts

Ultimate Geek

Trusted
Subscriber

  #2485386 18-May-2020 07:32

mdf:

 

Zut. And I spent so long carefully trying to figure out how to get it working across VLANs too!

 

How badly would I break things by leaving IPv6 on for the kid's VLAN, but running this? (kids VLAN is now on eth1.23)

 

set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0 interface eth1.23 no-dns

 

Edit: For clarity, this is on a Voyager UFB connection, so PPPOE, VLAN 10.

 

 

I had to do exactly this for two Android 10 based phones that would ignore the EdgeRouter published DNS (the pi-hole) and use the IPv6 DNS addresses pushed by the ISP through the PPPoE connection. Once I had done that, all DNS queries were routed through the correct rules to redirect all traffic to the Pi-hole. Took me a good day to figure out how the phones were finding a way around it. I have also tried to mirror all my IPv4 DNS rules in IPv6 as well.

 

I also have a rule to drop all port 853 traffic, under the impression that anything attempting DoT will fall back to regular port 53 if unsuccessful (or if it doesn't, nothing on my closed network should be using it anyway). Unfortunately, not much can be done about DoH at the application level, apart from ensuring it stays switched off.
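An added example pulling together the IPv6 side of the policy discussed in the last few posts (the no-dns line, mirroring the IPv4 DNS rules in IPv6, and the port 853 drop) as EdgeOS configure-mode commands. It is not any poster's actual configuration. It assumes the kids VLAN is eth1.23, the Pi-hole answers DNS on the placeholder addresses 192.0.2.10 (IPv4) and 2001:db8:1::10 (IPv6), and the IPv4 and IPv6 rulesets on the VLAN are named KIDS_IN and KIDS6_IN (both placeholders).

```edgeos
# Added example (not from the thread): the IPv6 half of "send the kids' DNS to
# the Pi-hole", so a phone that prefers the ISP's IPv6 resolvers or DNS over TLS
# still ends up at the Pi-hole. Assumptions: kids VLAN is eth1.23; Pi-hole is
# 192.0.2.10 / 2001:db8:1::10 (placeholders); rulesets KIDS_IN / KIDS6_IN are
# placeholder names.
configure

# 1. Stop the ISP's IPv6 resolvers from being handed to the kids VLAN at all
#    (this is the line mdf used above).
set interfaces ethernet eth0 vif 10 pppoe 0 dhcpv6-pd pd 0 interface eth1.23 no-dns

# 2. Advertise the Pi-hole as the IPv6 resolver in router advertisements (RDNSS),
#    so clients that ignore DHCPv6 still learn the right server.
set interfaces ethernet eth1 vif 23 ipv6 router-advert name-server 2001:db8:1::10

# 3. IPv6 filter for packets entering the router from the kids VLAN: allow DNS to
#    the Pi-hole, drop DNS to anyone else, drop DNS over TLS (853) entirely.
#    default-action accept keeps everything not listed here working as before.
set firewall ipv6-name KIDS6_IN default-action accept
set firewall ipv6-name KIDS6_IN rule 10 description "DNS to Pi-hole (v6)"
set firewall ipv6-name KIDS6_IN rule 10 action accept
set firewall ipv6-name KIDS6_IN rule 10 protocol tcp_udp
set firewall ipv6-name KIDS6_IN rule 10 destination address 2001:db8:1::10
set firewall ipv6-name KIDS6_IN rule 10 destination port 53
set firewall ipv6-name KIDS6_IN rule 20 description "Drop DNS to any other v6 resolver"
set firewall ipv6-name KIDS6_IN rule 20 action drop
set firewall ipv6-name KIDS6_IN rule 20 protocol tcp_udp
set firewall ipv6-name KIDS6_IN rule 20 destination port 53
set firewall ipv6-name KIDS6_IN rule 30 description "Drop DNS over TLS (v6)"
set firewall ipv6-name KIDS6_IN rule 30 action drop
set firewall ipv6-name KIDS6_IN rule 30 protocol tcp_udp
set firewall ipv6-name KIDS6_IN rule 30 destination port 853
set interfaces ethernet eth1 vif 23 firewall in ipv6-name KIDS6_IN

# 4. Mirror the DoT drop in the IPv4 ruleset. Plain port-53 IPv4 traffic needs no
#    rule here because the DNAT rule rewrites it before this filter runs.
set firewall name KIDS_IN default-action accept
set firewall name KIDS_IN rule 30 description "Drop DNS over TLS (v4)"
set firewall name KIDS_IN rule 30 action drop
set firewall name KIDS_IN rule 30 protocol tcp_udp
set firewall name KIDS_IN rule 30 destination port 853
set interfaces ethernet eth1 vif 23 firewall in name KIDS_IN

commit
save
exit

# Checks from a phone on the kids VLAN after it reconnects to Wi-Fi:
#   nslookup -q=aaaa example.com 2001:4860:4860::8888   -> should now time out
#   nslookup -q=aaaa example.com                        -> answered by the Pi-hole
# On the router, confirm the drop counters move:
#   show firewall ipv6-name KIDS6_IN statistics
#   show firewall name KIDS_IN statistics
```

On the 853 fall-back question: Android's Private DNS setting in its default "Automatic" mode probes the resolver it was given on port 853 and quietly uses plain port 53 when that probe fails, so dropping 853 does push those phones back to the Pi-hole. If a Private DNS hostname has been typed into that setting (the strict mode) the phone will not fall back and will instead report that the private DNS server cannot be reached, which is the symptom to look for if a device loses name resolution after these rules go in. Client-side checks on the phone are worth repeating after a Wi-Fi reconnect, since addresses and resolvers learnt from the old router advertisements persist until the lease or RA lifetime expires.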

