DNSFilter bypassed with Android (Pie) 9's Private DNS

Discussion in 'Asuswrt-Merlin' started by K.Arthur73018325, Nov 10, 2018.

  1. K.Arthur73018325

    K.Arthur73018325 New Around Here

    Joined:
    Nov 10, 2018
    Messages:
    1
    Under Android 9, using the 'Private DNS provider hostname' option*, under Private DNS, allows the bypassing of the Asuswrt-Merlin DNSFilter (/DNSFilter.asp).

    *: under Android 9: Settings > Network & internet > Advanced > Private DNS > Private DNS provider hostname.
     
  3. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    28,266
    Location:
    Canada
    That means it doesn't use port 53, in which case there's nothing DNSFilter can do.

    Sent from my P027 using Tapatalk
     
  4. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    6,757
    Location:
    UK
  5. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    28,266
    Location:
    Canada
    See, that's why I think DoH is a completely stupid idea from a technical point of view. It messes with network architectures by reusing an assigned port to handle a completely different protocol.

    I hope that idea dies in a fire, and sanity will prevail as people will focus more on DoT instead.
     
    jrmwvu04 likes this.
  6. agilani

    agilani Senior Member

    Joined:
    Nov 30, 2012
    Messages:
    454
    Apparently in this day and age sanity is a tight commodity :(
     
    Makaveli likes this.
  7. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    6,757
    Location:
    UK
    Well there's some good news. If I'd actually bothered to spend more than 30 seconds reading that article I linked to :oops: I would have realised that it's DoT only, not DoH.
    So, given that DoT uses port 853 by default perhaps @RMerlin and @john9527 might contemplate whether this port should be included in the DNSFilter rules together with port 53? Similar to what I had to do with QoS here. Or would that not be possible because you're effectively tampering with the traffic?
     
  8. john9527

    john9527 Part of the Furniture

    Joined:
    Mar 28, 2014
    Messages:
    5,781
    Location:
    United States
    Have to think about it some more... but first thought is that it wouldn't work since the client thinks it's talking to one server, but in reality talking to a different server. My thinking is that this would break both DNSSEC and TLS encryption.
     
  9. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    28,266
    Location:
    Canada
    DNSSEC wouldn't be an issue, but TLS would be - the remote server would be unable to negotiate the TLS connection initiated by the client.

    Best that could be done IMHO is to take all clients that have a DNSFilter policy, and explicitly block port 853 for these, to ensure they cannot bypass their enforced DNS.

    Eventually, if some of the servers offered by DNSFilter support DoT, they could also be used to enforce port 853 traffic through the selected server.
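The enforcement RMerlin describes above, written out as an added example (not Asuswrt-Merlin's own code): a small POSIX shell script that emits iptables rules dropping outbound DNS-over-TLS (TCP 853) from the LAN clients that have a DNSFilter policy, so they cannot sidestep the port-53 redirect. It assumes a constructed client list of IPv4 or MAC addresses, a LAN interface of br0, and a hypothetical chain name `DNSFILTER_DOT`; on the router it would be called from a `firewall-start` user script.

```shell
#!/bin/sh
# Added example, not Asuswrt-Merlin firmware code.
# Emit iptables rules that DROP DNS-over-TLS (TCP/853, RFC 7858) from
# LAN clients that are subject to a DNSFilter policy, so those clients
# cannot bypass the port-53 redirect via Android's Private DNS setting.
# Assumptions: LAN interface is br0; the client list is a constructed,
# space-separated list of IPv4 or MAC addresses; DNSFILTER_DOT is a
# hypothetical chain name, not one that stock firmware creates.

LAN_IF="${LAN_IF:-br0}"
CHAIN="DNSFILTER_DOT"

# Print the DROP rule for one client. A MAC address (five colons) is
# matched with the mac module, anything else is treated as an IPv4 source.
dot_rules_for_client() {
  client="$1"
  case "$client" in
    *:*:*:*:*:*) match="-m mac --mac-source $client" ;;
    *)           match="-s $client" ;;
  esac
  echo "iptables -A $CHAIN -i $LAN_IF $match -p tcp --dport 853 -j DROP"
}

# Print the full rule set: create the chain, hook it into FORWARD, one
# DROP per filtered client, and RETURN so unfiltered clients are untouched.
build_dot_block_rules() {
  echo "iptables -N $CHAIN"
  echo "iptables -I FORWARD -i $LAN_IF -j $CHAIN"
  for c in $1; do
    dot_rules_for_client "$c"
  done
  echo "iptables -A $CHAIN -j RETURN"
}

# Apply the rules only when running as root with iptables available
# (i.e. on the router); otherwise just show what would be applied.
apply_dot_block_rules() {
  rules=$(build_dot_block_rules "$1")
  if [ "$(id -u)" = 0 ] && command -v iptables >/dev/null 2>&1; then
    echo "$rules" | sh
  else
    echo "$rules"
  fi
}

# Constructed sample: a DNSFilter-enforced phone (by IP) and a laptop (by MAC).
FILTERED_CLIENTS="192.168.1.50 aa:bb:cc:dd:ee:ff"
build_dot_block_rules "$FILTERED_CLIENTS"
```

A client in Android's "Automatic" Private DNS mode falls back to plain port-53 DNS when 853 is blocked, and so lands back on the DNSFilter redirect; a client with a hostname set (strict mode) does not fall back and will simply lose name resolution until the setting is changed.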
     
  10. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    6,757
    Location:
    UK
    Yes I was thinking along the same lines. It looks like Android P's "Automatic" mode will fall back to traditional DNS. And the DoT RFC suggests this is a valid course of action.
     