Would anyone be so kind as to help me with basic DoH setup using CleanBrowsing DNS?
I’d like to use the following DNS servers (IPv4 only) listed on the https://cleanbrowsing.org/filters/ site:
Here is what I tried so far:
First, I’ve made sure that no Dynamic Servers are in use. I’ve unchecked the “Use Peer DNS” option on the PPPoE interface.
Next, I have added static DNS entries:
/ip dns static
add address=185.228.168.10 name=adult-filter-dns.cleanbrowsing.org
add address=185.228.169.11 name=adult-filter-dns.cleanbrowsing.org
Now, the problem is I do not know what to do next.
Not sure if it’s OK to completely skip the DoH Certificate. The PEM (cert) is valid until Wed, 15 Feb 2023 - I’m afraid that DNS will stop working when the certificate expires, but I don’t know if it works like that?
No idea how to configure the DHCP Server now for LAN clients. Normally I have the above 2 DNS servers set as “DNS Servers” for the DHCP Network. Should I select “No DNS” option instead?
After selecting “No DNS” for DHCP Network, I’m getting the following errors and DNS is not working at all for LAN clients:
Thank you for the reply. Please note that I have already added static DNS entries, as I clearly stated in the post above.
Are the entries that I have posted incorrect?
This config is also wrong. Did you watch the video?
If you are using the router as the DoH client, you should not send the clients to the unencrypted DNS server, it makes no sense.
Remove the DNS server entries from the DHCP Network settings and replace them with the router IP, 192.168.0.1 (probably). The LAN devices should use the router as their DNS server, and the router will then query the DoH server.
I think filtering works great, but I’m not sure how to verify if everything indeed goes through the DNS-Over-HTTPS.
If I set up a custom DNS on the client side, for example 8.8.8.8, I can still access shady content like torrent sites, for example. Is that normal?
Let’s make one thing clear right away: beyond ideologies, objectively, whatever you do, you will never prevent a person from doing what he wants with himself.
A DNS filter will never prevent you from downloading a movie from any type of torrent,
nor will it prevent browsers from using their own DoH, which completely bypasses yours, etc, etc, etc…
DoH is designed to liberate the connection from the ideology of the provider.
(and to help the Big Co. get better browsing data from the end users, prevent the use of ad-blocking, etc.)
If you don’t have full control of the device used, and you are not with the person using it at that moment, you cannot prevent anything at all, and you remain helpless.
Rextended, if you see what kind of server he uses, it is most likely (99%) for a home environment, to stop children from getting viruses or seeing porn banners.
So hold your ideology speech.
Unfortunately, as more and more browsers have it integrated, you can’t prevent the browser from using DoH as well, which completely bypasses your settings.
Also some smartphones and tablets use embedded DNS (like 8.8.8.8 etc.) and completely ignore the DHCP server.
To prevent redirection or blocking, the next generation of smartphones and tablets use their own DoH…
A DNS filter will never prevent you from downloading a movie, image, etc. from any type of torrent (often torrents do not use DNS at all),
and it does not prevent any other method, like spam email, and others.
Yes the reasons are completely irrelevant. Please do not derail my topic!
And yes, this is just home environment.
@rextended: Thank you for the comment, I understand that it is not possible to prevent users from using workaround options, but it is not my intention.
My intention is to have a simple DoH setup on my home router, and I’m still struggling with that. My real concern is NOT “why it is not blocking” but rather “why this option is not working”.
As noted above, I think it is not working - with a custom 8.8.8.8 setup on the client, shady content is available.
Should I now add the line below on top of that?
As @Normis also wrote,
you need to be sure that all DNS requests go to the RouterBOARD.
If for some reason some device bypasses the router by manually setting DNS 8.8.8.8 in the IPv4 config, this means that something is not how it appears.
You must provide a detailed network diagram, with real internal IPs, anonymized external IPs, and the configuration export of the device, censored of private data.
dst-nat happens before the forward filter chain;
to drop other DNS requests not directly directed to 192.168.0.1 and not intercepted, you must use the forward chain (this still does not block the browser’s internal DoH).
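Added example (my own, not any poster’s config or an export from the thread) putting the advice above into a RouterOS configuration: router as DoH client, DHCP pointing clients at the router, a dstnat redirect for plain DNS, and a forward-chain drop behind it. It assumes LAN 192.168.0.0/24, router IP 192.168.0.1, an existing interface list named LAN, and the CleanBrowsing DoH URL shown, which is an assumption to check against cleanbrowsing.org/filters.

```routeros
# Added example, not a poster's config. Assumptions: LAN 192.168.0.0/24,
# router LAN IP 192.168.0.1, interface list "LAN" exists, and the
# CleanBrowsing DoH URL below (check cleanbrowsing.org/filters for the real one).

# 1. Bootstrap: the router must resolve the DoH hostname itself, so pin it to
#    one of CleanBrowsing's plain-DNS addresses from the thread.
/ip dns static
add address=185.228.168.10 name=doh.cleanbrowsing.org

# 2. Router as DoH client. verify-doh-cert=yes checks the chain against CAs
#    imported under /certificate (import the issuing CA, not the short-lived
#    leaf; the leaf being renewed does not break resolution).
/ip dns
set allow-remote-requests=yes \
    use-doh-server="https://doh.cleanbrowsing.org/doh/adult-filter/" \
    verify-doh-cert=yes

# 3. DHCP hands out the router, not the upstream IPs, as the DNS server.
/ip dhcp-server network
set [find address="192.168.0.0/24"] dns-server=192.168.0.1

# 4. dstnat runs before the forward filter: plain DNS (UDP/TCP 53) from LAN
#    aimed anywhere else (e.g. a client set to 8.8.8.8) is redirected to the
#    router's own resolver, which then answers over DoH.
/ip firewall nat
add chain=dstnat in-interface-list=LAN protocol=udp dst-port=53 \
    dst-address=!192.168.0.1 action=redirect to-ports=53 \
    comment="force LAN DNS through router"
add chain=dstnat in-interface-list=LAN protocol=tcp dst-port=53 \
    dst-address=!192.168.0.1 action=redirect to-ports=53

# 5. Forward chain: any port-53 traffic that was not redirected is dropped.
#    This does not stop browser/app DoH on 443, as the thread notes.
/ip firewall filter
add chain=forward in-interface-list=LAN protocol=udp dst-port=53 \
    action=drop comment="drop DNS that bypassed the redirect"
add chain=forward in-interface-list=LAN protocol=tcp dst-port=53 action=drop

# 6. Check: the redirect counters climb when a client with 8.8.8.8 set
#    manually does a lookup, and the router's cache fills via DoH.
/ip firewall nat print stats
/ip dns cache print
```

After applying it, a client with 8.8.8.8 set by hand should still get filtered answers, because its port-53 traffic is redirected to the router before the forward filter ever sees it.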
The difference between writing something by hand and doing an export
is the same as the difference between the idea of how something is configured and how it is actually configured.