porn filters not working

Comments

7 comments

  • rotblitz (Edited)

    You need to disable lite mode or secure DNS in Chrome to make your OpenDNS settings work.

    And re forum login, you must re-login again here until the top right corner indicates that you are logged in.

  • mupi

    If you block the "proxy/anonymizer" category, and OpenDNS is set up in your router, this will block most of the secure DNS options (though it seems not to block Google's...).

    Some routers allow you to set up more advanced firewall rules. If possible, block ports 53 and 853, except for traffic headed to OpenDNS. Seems you can *currently* block all port 853, since OpenDNS apparently won't do DNS over TLS anyway.

    It's not perfect, but it's pretty good. It's virtually impossible to block DoH traffic, but before it can become DoH, it has to be able to look up the domain of the DoH provider, so it *mostly* works.

  • rotblitz (Edited)

    mupi

    In what way does your contribution help with the topic "porn filters not working" of this thread?

    Again, the OP needs to disable lite mode or secure DNS in Chrome to make it work.

  • mupi (Edited)

    rotblitz,

    Considering that https://support.opendns.com/hc/en-us/articles/360038086532-Using-DNS-over-HTTPS-DoH-with-OpenDNS seems to indicate that *ENABLING* Secure DNS in Chrome is an "experimental" feature, this would seem like something the OP would know they had done.

    Furthermore, even with Secure DNS enabled in Chrome, if Chrome is set to use Cloudflare's 1.1.1.1 service (as an example), OpenDNS's "proxy/anonymizer" category *WILL* block it. Even if the setting is enabled in Chrome, it won't matter, because 1dot1dot1dot1.cloudflare-dns.com is blocked.

    Your answer does answer the OP's question because the question text specifically mentions "Chrome"; however, the question *title* does not, and users of other browsers may come here for an answer as well. My answer will help THOSE users as well as the OP.

    There used to be a help article that suggested using the proxy/anonymizer category block would block DoH requests. I can't seem to find it now, but I didn't come up with that idea on my own; https://support.opendns.com/hc/en-us/community/posts/360072731351-Origin-of-Proxy-Anonymizer-showing-up-in-my-blocked-logs- suggests that it was a known thing months ago that the proxy/anonymizer category was blocking DoH requests; dns.google *IS* their DoH endpoint. cloudflare-dns *IS* (one of) their DoH endpoint(s).

    I have proxy/anonymizer blocked in my OpenDNS settings, and guess what? *every domain listed in that thread* is blocked:

    $ dig playboy.com +short
    146.112.61.106
    $ dig dns.google +short
    146.112.61.106
    $ dig dns.quad9.net +short
    146.112.61.106
    $ dig doh.dns.sb +short
    146.112.61.106
    $ dig cloudflare-dns.com +short
    146.112.61.106

    (first one is there to prove it's the OpenDNS block page)

    Thus I assert that, if the OP sets OpenDNS to block proxy/anonymizer, it will prevent Google's (or anyone else's) DoH from working (provided, of course, that OpenDNS has recognized that they are a DoH provider). This will *also* work even if he has a VPN plugin in Chrome (again subject to the caveat that OpenDNS knows about the VPN provider in use). If he further blocks port 853 on his router, he will prevent DoT from working (AKA Android's "Private DNS" setting). (Which, come to think of it, if the OP was using Chrome on an Android device with Private DNS set, then your answer would be worthless; even blocking port 53 wouldn't help, because unless he is blocking the proxy/anonymizer category, his "Private DNS" will work.)

  • rotblitz

    “if Chrome is set to use Cloudflare's 1.1.1.1 service (as an example), OpenDNS's "proxy/anonymizer" category *WILL* block it, even if the setting is enabled in Chrome, it won't matter, because 1dot1dot1dot1.cloudflare-dns.com is blocked.”

    I doubt this, because the DNS queries then go to Cloudflare, no longer to OpenDNS, whose settings have no effect and no way to block anything in this case.

  • mupi

    How does your browser know the IP address for "1dot1dot1dot1.cloudflare-dns.com"?

    (Answer: it does a DNS lookup, as it does with any other domain...

     mupi  ~  dig 1dot1dot1dot1.cloudflare-dns.com @208.67.222.222 +short
    146.112.61.106

    I've already shown that 146.112.61.106 is the IP of the block page)

    I've re-read the Chrome instructions at https://support.opendns.com/hc/en-us/articles/360038086532-Using-DNS-over-HTTPS-DoH-with-OpenDNS. They say "set your OS to use OpenDNS, and then enable Secure DNS in the Chrome settings". This suggests that Chrome is going to use your OS's DNS. Just turning off Secure DNS, then, isn't going to change the results *at all*, because they are still going to be using the same resolver. Or are you suggesting that using DoH with OpenDNS means your network's blocking rules no longer apply?

    After looking into this a bit more, I think perhaps that particular article needs to be updated to reflect the current version of Chrome. However, if Chrome uses canary domains, as Firefox does, then it may still disable DoH based on blocking those canary domains; if that's the case, then setting the proxy block *is* a worthwhile and helpful suggestion. Even if Chrome doesn't use canary domains as Firefox does, it's a good and worthwhile suggestion because Firefox *does* use those domains. (I don't have the time nor the inclination to do a tcpdump to see if Chrome is using canary domains this way, or if they are using FQDNs "behind the scenes" of the "Secure DNS" setting, though it would be trivial enough to actually do. Perhaps an enterprising OpenDNS employee will want to do that...)

    Android's "Private DNS" setting (at least as of Android 9) *does not allow* you to specify an IP address, you must specify an FQDN to use the service, which means that the user must perform at least one DNS lookup to get the IP to send the request to.

    I haven't tried with Firefox, but every example I can find says "use the FQDN for DoH".

    In fact, compare the IP address of "doh.opendns.com" to the normal IP addresses for OpenDNS.

    I suspect that most providers use different hosts for DoH than normal DNS because HTTPS has a ton of overhead involved in setting up and tearing down connections -- something vanilla DNS does not suffer -- so it probably benefits from load balancing and all the other things that high-traffic websites have to do.

    *If you set your DoH to an IP address, then you are correct, the DNS requests will go to that IP address*; however, pretty much everywhere on the internet tells you "don't use the IP address for DoH". At that point, the only option is to enforce an egress rule in your network firewall to force all HTTP(S) traffic to use a proxy, and accept that you will have to manually add your proxy's cert to every browser in use in your organization or home (this *is* doable; in fact Cisco Umbrella has a product to do this).

    *If you use an FQDN for your DoH setup (as every resource on the internet recommends)*, then OpenDNS's proxy block will be effective.

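The claim argued across mupi's two comments above (that with the proxy/anonymizer category blocked, the bootstrap lookup for a DoH/DoT provider's hostname lands on the OpenDNS block page, while the resolver's own doh.opendns.com still resolves) can be checked with a small script rather than a series of dig commands. The following is an added example, not code from the thread or from OpenDNS. It builds a plain UDP DNS A query itself so the resolver can be chosen explicitly (what `dig ... @208.67.222.222` does), then reports whether each answer contains 146.112.61.106, the block-page address in the dig output above. The hostname list, the 208.67.222.222 resolver and the block-page address are the ones that appear in the thread; that UDP/53 to that resolver is reachable from where you run it is an assumption.

```python
"""Report which DoH/DoT bootstrap hostnames an OpenDNS-filtered resolver answers with its block page.

Added example; the resolver, block-page address and hostnames are taken from the thread.
"""
import random
import socket
import struct

# Block-page address observed in the thread's dig output, and the OpenDNS resolver used there.
BLOCK_PAGE_IP = "146.112.61.106"
OPENDNS_RESOLVER = "208.67.222.222"

# Hostnames mentioned in the thread. doh.opendns.com is the one that should NOT be blocked
# (it is the resolver you are deliberately using); the rest are other providers' DoH/DoT names.
CANDIDATE_HOSTS = [
    "dns.google",
    "dns.quad9.net",
    "doh.dns.sb",
    "cloudflare-dns.com",
    "1dot1dot1dot1.cloudflare-dns.com",
    "doh.opendns.com",
]


def build_a_query(name: str, txid: int) -> bytes:
    """Standard recursion-desired A/IN query in RFC 1035 wire format (no EDNS)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii") for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes and the name ends
            return offset + 2
        offset += 1 + length


def parse_a_records(msg: bytes) -> list[str]:
    """Extract every A record address from the answer section; other RR types are skipped."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(msg, offset) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        offset = _skip_name(msg, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlength == 4:
            addrs.append(socket.inet_ntoa(msg[offset:offset + 4]))
        offset += rdlength  # CNAMEs etc. are skipped by length, not parsed
    return addrs


def resolve_a(name: str, resolver: str = OPENDNS_RESOLVER, timeout: float = 3.0) -> list[str]:
    """Send one UDP query to `resolver` and return its A records; empty list on timeout."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_a_query(name, txid), (resolver, 53))
        try:
            data, _peer = sock.recvfrom(4096)
        except socket.timeout:
            return []
    if len(data) < 12 or struct.unpack("!H", data[:2])[0] != txid:
        return []  # not the reply to our question; ignore it
    return parse_a_records(data)


def classify(addrs: list[str], block_ip: str = BLOCK_PAGE_IP) -> str:
    """Map an answer set to a human-readable verdict."""
    if not addrs:
        return "no answer"
    return "blocked (block page)" if block_ip in addrs else "resolves normally"


def audit(hosts=CANDIDATE_HOSTS, resolver=OPENDNS_RESOLVER) -> dict[str, str]:
    """Resolve every candidate hostname through `resolver` and classify the result."""
    return {host: classify(resolve_a(host, resolver)) for host in hosts}


if __name__ == "__main__":
    for host, verdict in audit().items():
        print(f"{host:36s} {verdict}")
```

Run it from inside the filtered network. A "blocked (block page)" verdict for a provider hostname is the behaviour mupi describes; "resolves normally" for doh.opendns.com confirms the resolver itself is still reachable; "no answer" for every name usually means outbound port 53 is being dropped by a router rule of the kind discussed earlier in the thread, rather than anything OpenDNS did.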
  • rotblitz

    Thanks for explaining. Agreed. You could add doh.opendns.com and other DoH domains to your whitelist.

