DNS Server Lockdown
-
In this video, I demonstrate how to lock down your DNS servers in both EdgeOS and UniFi. Once complete, this will allow your client systems and devices to ONLY use specific DNS servers that you specify, and no others. Great for ensuring all clients are going through the proper ad blocking, malware, and other types of content filtering.
-
Unfortunately, this is likely not true.
Browsers these days are using DOH (DNS Over HTTPS), so that traffic just looks like HTTPS traffic and goes anywhere it likes, save any rules you have in place for that specific protocol.
-
@Dashrender Then you just block those domains and/or IP addresses as well as port 853 (DNS-over-TLS) and 784 (DNS-over-QUIC)
Cloudflare: https://developers.cloudflare.com/1.1.1.1/dns-over-https/cloudflared-proxy
Google: https://developers.google.com/speed/public-dns/docs/doh
Quad 9: https://www.quad9.net/doh-quad9-dns-servers/
Browsers fall back to regular DNS when DOH, etc are blocked.
Interesting Read Here: https://www.zdnet.com/article/dns-over-https-causes-more-problems-than-it-solves-experts-say/
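As an added example (not from the video or from any poster in this thread), a small Python check that classifies outbound flows against the lockdown rules discussed above: plain DNS to anything other than the approved resolvers, the DoT and DoQ ports named in the post, and HTTPS to the public resolver addresses of the three DoH providers linked. The flow records, the internal resolver addresses and the log format are all constructed for the example.

```python
import ipaddress
from collections import namedtuple

# Constructed flow record: source, destination, transport, destination port.
Flow = namedtuple("Flow", "src dst proto dport")

# Assumption: the LAN may only use the gateway and one internal filtering
# resolver for plain DNS. Adjust to the servers configured in EdgeOS/UniFi.
ALLOWED_DNS = {ipaddress.ip_address("192.168.1.1"),
               ipaddress.ip_address("192.168.1.53")}

# Public anycast addresses of the DoH providers referenced in the thread.
# HTTPS to these hosts is almost certainly DNS-over-HTTPS, not web browsing.
DOH_PROVIDERS = {ipaddress.ip_address(a) for a in (
    "1.1.1.1", "1.0.0.1",           # Cloudflare
    "8.8.8.8", "8.8.4.4",           # Google
    "9.9.9.9", "149.112.112.112",   # Quad9
)}

def classify(flow):
    """Return a bypass label for one flow, or None if it is unremarkable."""
    dst = ipaddress.ip_address(flow.dst)
    if flow.dport == 53 and dst not in ALLOWED_DNS:
        return "plain-dns-bypass"
    if flow.dport == 853:               # DNS-over-TLS
        return "dns-over-tls"
    if flow.dport == 784:               # DNS-over-QUIC port named in the post
        return "dns-over-quic"
    if flow.dport == 443 and dst in DOH_PROVIDERS:
        return "dns-over-https"
    return None                         # ordinary traffic, or 443 to an
                                        # unknown host (indistinguishable DoH)

def find_bypasses(flows):
    """Return (src, dst, label) for every flow that evades the lockdown."""
    hits = []
    for f in flows:
        label = classify(f)
        if label:
            hits.append((f.src, f.dst, label))
    return hits

# Constructed sample flows; 203.0.113.10 is a documentation-range web host.
SAMPLE_FLOWS = [
    Flow("192.168.1.20", "192.168.1.53", "udp", 53),   # allowed resolver
    Flow("192.168.1.20", "8.8.8.8", "udp", 53),        # plain DNS bypass
    Flow("192.168.1.21", "1.1.1.1", "tcp", 853),       # DoT
    Flow("192.168.1.22", "9.9.9.9", "udp", 784),       # DoQ
    Flow("192.168.1.23", "1.1.1.1", "tcp", 443),       # DoH
    Flow("192.168.1.23", "203.0.113.10", "tcp", 443),  # normal HTTPS
]

if __name__ == "__main__":
    for src, dst, label in find_bypasses(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {label}")
```

The last case shows the limit Dashrender raised: HTTPS to a resolver that is not on the list looks like any other web traffic, so the IP/domain list has to be maintained alongside the port rules.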
-
@VoIP_n00b said in DNS Server Lockdown:
@Dashrender Then you just block those domains and/or IP addresses as well as port 853 (DNS-over-TLS) and 784 (DNS-over-QUIC)
Cloudflare: https://developers.cloudflare.com/1.1.1.1/dns-over-https/cloudflared-proxy
Google: https://developers.google.com/speed/public-dns/docs/doh
Quad 9: https://www.quad9.net/doh-quad9-dns-servers/
Browsers fall back to regular DNS when DOH, etc are blocked.
Interesting Read Here: https://www.zdnet.com/article/dns-over-https-causes-more-problems-than-it-solves-experts-say/
That article is terrible. It has a few OK points, but it's horribly written, and absolutely slanted against DOH. I just wish they would have written it from a neutral POV.