porn filters not working
I tried to post to the existing post on this subject, but wasn't able to; something to do, I guess, with permissions and the new Cisco login. Anyways, I have the OpenDNS IP address set correctly, and OpenDNS says pornhub.com is blocked; however, I can access the site via Chrome, the site is not whitelisted in Chrome, and I'm not in incognito. Any suggestions?
-
If you block the "proxy/anonymizer" category, and OpenDNS is set up in your router, this will block most of the secure DNS options. (Though it seems not to block Google's...)
Some routers allow you to set up more advanced firewall rules. If possible, block ports 53 and 853, except for traffic headed to OpenDNS. It seems you can *currently* block all of port 853, since OpenDNS apparently won't do DNS over TLS anyway.
It's not perfect, but it's pretty good. It's virtually impossible to block DoH traffic, but before it can become DoH, it has to be able to look up the domain of the DoH provider, so it *mostly* works.
-
rotblitz,
Considering that https://support.opendns.com/hc/en-us/articles/360038086532-Using-DNS-over-HTTPS-DoH-with-OpenDNS seems to indicate that *ENABLING* secure DNS in Chrome is an "experimental" feature, this would seem like something the OP would know they had done.
Furthermore, even with secure DNS enabled in Chrome, if Chrome is set to use Cloudflare's 1.1.1.1 service (as an example), OpenDNS's "proxy/anonymizer" category *WILL* block it. Even if the setting is enabled in Chrome, it won't matter, because 1dot1dot1dot1.cloudflare-dns.com is blocked.
Your answer does answer the OP's question, because the question text specifically mentions "Chrome"; however, the question *title* does not, and users of other browsers may come here for an answer as well. My answer will help THOSE users as well as the OP.
There used to be a help article that suggested using the proxy/anonymizer category block would block DOH requests. I can't seem to find it now, but I didn't come up with that idea on my own; https://support.opendns.com/hc/en-us/community/posts/360072731351-Origin-of-Proxy-Anonymizer-showing-up-in-my-blocked-logs- suggests that it was a known thing months ago that the proxy/anonymizer category was blocking DOH requests; dns.google *IS* their DOH endpoint, and cloudflare-dns *IS* (one of) their DOH endpoint(s).
I have proxy/anonymizer blocked in my OpenDNS settings, and guess what? *Every domain listed in that thread* is blocked:
mupi ~ dig playboy.com +short
146.112.61.106
mupi ~ dig dns.google +short
146.112.61.106
mupi ~ dig dns.quad9.net +short
146.112.61.106
mupi ~ dig doh.dns.sb +short
146.112.61.106
mupi ~ dig cloudflare-dns.com +short
146.112.61.106
(The first one is there to prove it's the OpenDNS block page.)
Thus I assert that, if the OP sets it to block proxy/anonymizer, it will prevent Google's (or anyone else's) DOH from working (provided, of course, that OpenDNS has recognized that they are a DOH provider). This will *also* work even if he has a VPN plugin in Chrome (again subject to the caveat that OpenDNS knows about the VPN provider in use). If he further blocks port 853 on his router, he will prevent DoT from working (AKA Android's "Private DNS" setting). (Which, come to think of it: if the OP was using Chrome on an Android device with Private DNS set, then your answer would be worthless; even blocking port 53 wouldn't help, because unless he is blocking the proxy/anonymizer category, his "Private DNS" will work.)
-
“if Chrome is set to use Cloudflare's 1.1.1.1 service (as an example), OpenDNS's "proxy/anonymizer" category *WILL* block it, even if the setting is enabled in Chrome, it won't matter, because 1dot1dot1dot1.cloudflare-dns.com is blocked.”
I doubt this, because the DNS queries then go to Cloudflare, no longer to OpenDNS, whose settings have no effect and no way to block anything in this case.
-
How does your browser know the IP address for "1dot1dot1dot1.cloudflare-dns.com"?
(Answer: it does a DNS lookup, as it does with any other domain...
mupi ~ dig 1dot1dot1dot1.cloudflare-dns.com @208.67.222.222 +short
146.112.61.106
I've already shown that 146.112.61.106 is the IP of the block page.)
I've re-read the Chrome instructions at https://support.opendns.com/hc/en-us/articles/360038086532-Using-DNS-over-HTTPS-DoH-with-OpenDNS. They say "set your OS to use OpenDNS, and then enable Secure DNS in the Chrome settings". This suggests that Chrome is going to use your OS's DNS. Just turning off secure DNS, then, isn't going to change the results *at all*, because they are still going to be using the same resolver. Or are you suggesting that using DoH with OpenDNS means your network's blocking rules no longer apply? After looking into this a bit more, I think perhaps that particular article needs to be updated to reflect the current version of Chrome. However, if Chrome uses canary domains, as Firefox does, then it may still disable DoH based on blocking those canary domains; if that's the case, then setting the proxy block *is* a worthwhile and helpful suggestion. Even if Chrome doesn't use canary domains as Firefox does, it's a good and worthwhile suggestion, because Firefox *does* use those domains. (I don't have the time nor the inclination to do a tcpdump to see if Chrome is using canary domains this way, or if they are using FQDNs "behind the scenes" of the "secure DNS" setting, though it would be trivial enough to actually do. Perhaps an enterprising OpenDNS employee will want to do that...)
Android's "Private DNS" setting (at least as of Android 9) *does not allow* you to specify an IP address, you must specify an FQDN to use the service, which means that the user must perform at least one DNS lookup to get the IP to send the request to.
I haven't tried with Firefox, but every example I can find says "use the FQDN for DOH".
In fact, compare the IP address of "doh.opendns.com" to the normal IP addresses for OpenDNS.
I suspect that most providers use different hosts for DoH than normal DNS because HTTPS has a ton of overhead involved in setting up and tearing down connections -- something vanilla DNS does not suffer -- so it probably benefits from load balancing and all the other things that high-traffic websites have to do.
*If you set your DoH to an IP address, then you are correct, the DNS requests will go to that IP address*; however, pretty much everywhere on the internet tells you "don't use the IP address for DOH". At that point, the only option is to enforce an egress rule in your network firewall to force all HTTP(S) traffic to use a proxy, and accept that you will have to manually add your proxy's cert to every browser in use in your organization or home (this *is* doable; in fact, Cisco Umbrella has a product to do this).
*If you use an FQDN for your DoH setup (as every resource on the internet recommends)*, then OpenDNS's proxy block will be effective.
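Added example, not from any poster in this thread: a small audit script that applies the check mupi did by hand with dig, resolving the encrypted-DNS endpoint FQDNs named above through whatever resolver the OS hands out, and reporting whether each one lands on the OpenDNS block page address (146.112.61.106, as shown in the dig output) or still resolves to a real address. The lookup function is injectable so the classification logic can run offline against constructed answers; the Firefox canary domain use-application-dns.net is included as a known fact, the rest of the host list comes from the thread.

```python
"""Audit whether a DNS filter is catching DoH/DoT endpoint lookups (added example)."""
import socket

# Address the thread's dig output shows for the OpenDNS block page.
OPENDNS_BLOCK_PAGE = "146.112.61.106"

# Encrypted-DNS endpoints named in the thread, plus Firefox's DoH canary domain.
ENCRYPTED_DNS_HOSTS = [
    "dns.google",
    "cloudflare-dns.com",
    "1dot1dot1dot1.cloudflare-dns.com",
    "dns.quad9.net",
    "doh.dns.sb",
    "use-application-dns.net",   # Firefox disables its built-in DoH if this is NXDOMAIN
]


def classify(addresses, block_page=OPENDNS_BLOCK_PAGE):
    """'blocked' if every A record is the block page, 'nxdomain' if the lookup
    failed outright, otherwise 'open' (the endpoint resolved to a real address)."""
    if addresses is None:
        return "nxdomain"
    if addresses and all(a == block_page for a in addresses):
        return "blocked"
    return "open"


def resolve(host):
    """Resolve via the OS resolver (the one the router/OpenDNS setup hands out).
    Returns a sorted list of IPv4 strings, or None on NXDOMAIN / lookup failure."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET)
    except socket.gaierror:
        return None
    return sorted({info[4][0] for info in infos})


def audit(lookup=resolve, hosts=ENCRYPTED_DNS_HOSTS):
    """Map each host to its verdict; pass a different `lookup` to run offline."""
    return {host: classify(lookup(host)) for host in hosts}


# Constructed sample answers (not live data) mirroring the thread's dig output,
# plus one endpoint left unblocked and one NXDOMAIN to exercise the other verdicts.
SAMPLE_ANSWERS = {
    "dns.google": ["146.112.61.106"],
    "cloudflare-dns.com": ["146.112.61.106"],
    "1dot1dot1dot1.cloudflare-dns.com": ["146.112.61.106"],
    "dns.quad9.net": ["149.112.112.112", "9.9.9.9"],   # constructed: filter missed it
    "doh.dns.sb": ["146.112.61.106"],
    "use-application-dns.net": None,                   # constructed: canary NXDOMAIN
}

if __name__ == "__main__":
    for host, verdict in audit().items():
        print(f"{host:35} {verdict}")
```

Run it on a client behind the filter; any endpoint reported as "open" is one that encrypted-DNS clients could still bootstrap through, which is the gap the port 53/853 firewall rules above are meant to close.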