I'm trying to configure my Fios G1100 to force DNS requests to my internal DNS server 192.168.1.131. This device runs Pi-hole, which is configured to make DNS requests to 1.1.1.3 and 1.0.0.3. This has worked great!

But, now I'm trying to restrict devices on the network from circumventing the DHCP's DNS server by manually configuring DNS. I had initially come across this article which gives a method to avoid this circumvention: How to prevent users from circumventing OpenDNS using firewall rules.

So, I have set up my Fios G1100 with the following Access Control rule:

(screenshot of the Access Control rule, not reproduced here)

As I understand it, this rule will only allow 192.168.1.0, 192.168.1.1, and 192.168.1.131 to make DNS requests out of the LAN.

I have rebooted the G1100 and verified that DNS requests were still working and routing through 192.168.1.131. They are.

Then on my Mac, I went into System Preferences -> Network -> Wi-Fi: Advanced -> DNS and added the 8.8.8.8 DNS server. Sure enough, DNS is blocked on the device.

However, when I do the same thing on my Pixel 2 XL, the DNS requests are resolved and 192.168.1.131 is bypassed. I have mobile data turned off, and the Wi-Fi configuration is as follows:

Proxy:                  None
IP settings:            Static
Privacy:                Use device MAC
IP address:             192.168.1.120
Gateway:                192.168.1.1
Network prefix length:  24
DNS 1:                  1.1.1.1

What is allowing Android to bypass the Access Control rule?

roydukkey
  • Could I get a reason for the down vote? – roydukkey Apr 10 '20 at 21:19
  • 1
    Verify that your DHCP announces your DNS server correctly (seems doubtful judging from the data you shared) and that Android isn't using DNS over HTTPS (aka Private DNS). – fuero Apr 13 '20 at 20:30
  • 1
    You're right. I didn't even know about Private DNS. I went to `Settings -> Network & Internet -> Advanced` and turned Private DNS off. And I got the same results as on my Mac. – roydukkey Apr 13 '20 at 20:54
  • 1
    Great! Make this an answer and accept it :-) – fuero Apr 13 '20 at 20:56
  • @fuero Android's Private DNS uses DNS-over-TLS (DoT), not DoH. – TJJ Jan 06 '22 at 03:02

1 Answer

As it turns out, Android supports DNS over TLS, which it calls Private DNS. The Private DNS setting appears to use port 853 rather than port 53.

DNS over TLS has its own port, Port 853. DNS over HTTPS uses Port 443, which is the standard port for HTTPS traffic.

What is the difference between DNS over TLS & DNS over HTTPS

It appears port 853 is dedicated to DNS services, so blocking this port (in the same manner as port 53) shouldn't cause any problems. However, DNS over HTTPS uses port 443 which is not dedicated to DNS services and therefore should not be blocked.

roydukkey
  • One should consider that this blocking technique will therefore be overridden once apps and software (e.g. Firefox) start using DoH instead of normal DNS lookups. – TJJ Jan 06 '22 at 03:04
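The accepted answer and the last comment together describe a three-way split: plain DNS on port 53 and DNS over TLS on port 853 can both be restricted to the Pi-hole with a port-based rule, while DNS over HTTPS on port 443 cannot be singled out without breaking ordinary HTTPS. The following is an added example, not code from the question, the answer, or the G1100 firmware. It models that egress policy in Python on constructed flow records so you can see which client configurations a port-53-only rule catches, which ones adding port 853 catches, and which ones (DoH) remain out of reach. The LAN addresses are the ones given in the question; the flow records are constructed for illustration.

```python
"""Evaluate LAN DNS egress flows against the 'force DNS through the Pi-hole' policy.

Policy modelled (from the question and answer on the page):
  * only the gateway and the Pi-hole may send DNS (port 53) out of the LAN
  * optionally, the same restriction is applied to DNS over TLS (port 853)
  * port 443 is never blocked, so DNS over HTTPS cannot be filtered this way
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")
# Hosts the Access Control rule permits to resolve outside the LAN (from the question).
DNS_EGRESS_ALLOWED = {ip_address("192.168.1.1"), ip_address("192.168.1.131")}

DNS_PORTS = {53: "plain DNS", 853: "DNS over TLS (Android Private DNS)"}


@dataclass(frozen=True)
class Flow:
    """One connection attempt as a firewall would see it (constructed, not captured)."""
    src: str
    dst: str
    dport: int
    proto: str = "udp"


def classify(flow: Flow) -> str:
    """Name the traffic class by destination port alone, as a port-based rule must."""
    if flow.dport in DNS_PORTS:
        return DNS_PORTS[flow.dport]
    if flow.dport == 443:
        # DoH shares this port with every other HTTPS service; a port rule cannot tell them apart.
        return "HTTPS (possibly DNS over HTTPS)"
    return "other"


def decide(flow: Flow, block_dot: bool = True) -> tuple[str, str]:
    """Return ("allow" | "block", reason) for a flow under the egress policy.

    block_dot=False reproduces the question's original rule (port 53 only);
    block_dot=True adds port 853 as the answer recommends.
    """
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if src not in LAN or dst in LAN:
        return "allow", "not LAN egress; rule does not apply"

    restricted_ports = {53} | ({853} if block_dot else set())
    if flow.dport in restricted_ports:
        if src in DNS_EGRESS_ALLOWED:
            return "allow", f"{classify(flow)} from permitted resolver host"
        return "block", f"{classify(flow)} from client must go through 192.168.1.131"

    if flow.dport == 853:
        return "allow", "port 853 not in rule: DNS over TLS bypasses the Pi-hole"
    if flow.dport == 443:
        return "allow", "port 443 never blocked: DNS over HTTPS would bypass the Pi-hole"
    return "allow", "not DNS traffic"


def evaluate(flows: list[Flow], block_dot: bool = True) -> dict[Flow, str]:
    """Map each flow to its verdict; handy for comparing both rule variants side by side."""
    return {f: decide(f, block_dot)[0] for f in flows}


# Constructed flows mirroring the devices in the question.
SAMPLE_FLOWS = [
    Flow("192.168.1.131", "1.1.1.3", 53),           # Pi-hole upstream lookup
    Flow("192.168.1.120", "192.168.1.131", 53),     # Pixel using the Pi-hole (DHCP default)
    Flow("192.168.1.50", "8.8.8.8", 53),            # Mac with manual 8.8.8.8
    Flow("192.168.1.120", "1.1.1.1", 853, "tcp"),   # Pixel with Private DNS on
    Flow("192.168.1.120", "1.1.1.1", 443, "tcp"),   # Browser using DoH
]

if __name__ == "__main__":
    for variant in (False, True):
        print(f"\nrule blocks port 853: {variant}")
        for flow in SAMPLE_FLOWS:
            verdict, why = decide(flow, block_dot=variant)
            print(f"  {flow.src:>15} -> {flow.dst:>15}:{flow.dport:<4} {verdict:5} ({why})")
```

Running the module prints both variants: with the original port-53-only rule the Pixel's port-853 flow is allowed (the bypass observed in the question), with port 853 added it is blocked, and the port-443 flow is allowed in both cases, which is exactly the limitation the last comment raises.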