Firewall efficacy problem

CouchHobo

New Around Here
Router: RT-AC68U
Firmware: AsusWRT-Merlin 386.2_6

I've been using DNSforFamily trying to protect my two sons from explicit content online. It works well but every once in a while I do some digging to see if I can find things I shouldn't be able to. When I do find something I use the Firewall URL filter to block anything I deem inappropriate. I got the idea for searching alternative search engines to see if lesser known search engines would be covered under the static DNS I'm using to filter the web. I stumbled across a search engine "Qwant" which still produces explicit results. I used the URL Filter to attempt to block it. Interestingly enough, the website is blocked properly if typing it directly into the URL bar, but not if I use a search engine's link to the site. This is the only website I've ever encountered that behaves this way. I was wondering if anyone else has encountered something similar, and/or could recreate this problem on their network. Any advice is appreciated as I'm just a dad and not an expert. Thanks.
 
, and/or could recreate this problem on their network. Any advice is appreciated as I'm just a dad and not an expert.
It's a lost battle unfortunately. Whatever protection measures you could implement on the router, they could easily bypass with a VPN, as all your router would see then is totally encrypted traffic sent to a remote VPN server, with no way to tell what's inside that tunnel.

I have a friend who has a "problematic" teenage son. I spent a good amount of time with her configuring her router, putting in place Parental Control rules, and such. What did the teenage son do later on?

He reset the router to factory defaults. She found out when one day she was no longer able to connect over Wifi.
 
Indeed. VPN or DoH and the DNS filtering is out.
DoH itself won't bypass URL filtering, however the day ESNI becomes widespread, it will be pretty opaque for anyone wanting to do traffic management.
 
I mean whatever he has set as DNS on the router. DNSFilter won't stop DoH to another DNS service, unless the DoH servers are also blocked. It's a cat and mouse game and can go forever. Results not guaranteed.
 
Thank you for your responses. Does anyone have any idea why that specific search engine would bypass the URL filter when accessed through a search engine link?



What are the advantages of using these services vs the method I'm using now using DNSforFamily?

He reset the router to factory defaults. She found out when one day she was no longer able to connect over Wifi.

This is a non-issue, he values his privileges too much to attempt this. He's relatively a really good kid, but the internet can be a very crazy place for a young kid with hormones kicking in and there are some very unhealthy environments. So I'm mainly trying to keep him out of the really distorted stuff.

I mean whatever he has set as DNS on the router. DNSFilter won't stop DoH to another DNS service, unless the DoH servers are also blocked. It's a cat and mouse game and can go forever. Results not guaranteed.

I am not familiar with DoH. From quickly looking into it, it seems like an alternate form that uses HTTPS certificates? Is it possible to prevent someone from using this as a client, or is it similar to a VPN where they just need a service on the client device?

UPDATE: I figured out that DoH is just a browser setting or Windows setting and it bypasses my router DNS settings as you have suggested. (screenshot below) Is my only option to invest in child protective software at this point? I used to use one but I felt it was too invasive for him and I was constantly having to whitelist things, which is why I tried an alternative method.
 

Attachments

  • Screenshot_3.png
Is my only option to invest in child protective software at this point?

I'm not familiar with child protective software packages. Never used one. What I know is the more you restrict content, the more interested kids will be to access it. If they can't do it at home, they will do it somewhere else. You can't easily restrict mobile devices connected to mobile networks, café hotspots or friends' houses. You basically have to restrict your kids' movements and no software can do that. As a parent, my advice to you is to build trust and openly discuss what's right/wrong with your kids. This way they will get the information from you and you have control over how to present it to them.
 
If you want, you may try this:
Disable IPv6 on the router, use DNSFilter set to Router, open a free OpenDNS account, select categories you want to block, add custom URLs you want to block there. OpenDNS is a Cisco Umbrella based service and does the job well. OpenDNS can also block VPN/proxy servers. Install Diversion, but not for ad-blocking; find block lists of DoH servers instead to prevent browser/Windows DoH requests. May help, but for your home network only.
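
The DoH block-list step suggested in the post above, as an added example that is not part of the original thread: a POSIX shell function that turns a list of DoH server hostnames into dnsmasq rules. The sample list and its `*.example` hostnames are constructed placeholders; the Firefox canary domain rule goes beyond what the post mentions.

```shell
#!/bin/sh
# Added example (not from the thread): turn a DoH-server block list into
# dnsmasq rules so the router's resolver refuses to look those servers up.

# Constructed sample input in the hosts / plain-domain styles block lists use.
# The *.example hostnames are placeholders, not real DoH servers.
SAMPLE_LIST='# constructed sample list
0.0.0.0 doh.resolver-one.example
127.0.0.1   doh.resolver-two.example   # trailing comment
doh.resolver-three.example
DOH.Resolver-One.example
0.0.0.0 localhost
0.0.0.0
not a hostname!!'

# Firefox checks this canary domain; a negative answer turns off its
# default DoH (a user who enabled DoH by hand is not affected).
CANARY='use-application-dns.net'

# stdin: block list; stdout: one "local=/host/" rule per unique hostname.
# "local=/host/" tells dnsmasq never to forward queries for that domain.
doh_list_to_dnsmasq() {
    awk '
    {
        sub(/#.*/, "")      # drop comments
        gsub(/\r/, "")      # tolerate CRLF lists
        if (NF == 1) host = $1
        else if (NF == 2 && $1 ~ /^[0-9a-fA-F:.]+$/) host = $2   # hosts format
        else next
        host = tolower(host)
        # keep only syntactically valid, dotted names that contain a letter
        if (host !~ /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/) next
        if (host !~ /[a-z]/ || seen[host]++) next
        print "local=/" host "/"
    }'
}

# Canary rule first, then the rules generated from the list on stdin.
build_rules() {
    printf 'local=/%s/\n' "$CANARY"
    doh_list_to_dnsmasq
}

printf '%s\n' "$SAMPLE_LIST" | build_rules
```

On Asuswrt-Merlin the output can be placed in a custom dnsmasq config such as /jffs/configs/dnsmasq.conf.add. Hostname rules only stop clients that look the DoH server up by name through the router, so a client that already knows the server's IP address is unaffected.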
 
What are the advantages of using these services vs the method I'm using now using DNSforFamily?

What I am aware of is NextDNS, and it gives you a lot of control like blocking ads, safe search and enforcing YouTube restricted mode and much more. Try it out yourself, I think it's free for 200,000 queries a month.


If you want an alternative option, have a look at this.
https://firewalla.com/
 
All great suggestions from everyone above. But as already stated, all easily bypassed.

This is not the way (unless the kids are under 10-12 years old).
 
