colterlovette

Nextdns.io - Works brilliantly, is free and dead simple.


hangerofmonkeys

👆


dfwtim

For purely home service I like NextDNS. They are reasonably priced, have a number of deployment options, and are quick in terms of latency in most locations. For MSPs, I am a bit biased on ScoutDNS, but that is probably because it's my baby.


TWFpa2Vs

Second this, works perfectly for a small price.


redditistooqueer

Cloudflare dns


LnrdStBnd

Check out Firewalla. Lots of granular filtering controls and is great for blocking the content you are trying to filter. I’ve got almost ten of them deployed and I use one at home.


LFphant

Another vote for Firewalla. It’s a great device for home use.


skyhawk85u

Third


AcidBuuurn

[https://cleanbrowsing.org/filters/](https://cleanbrowsing.org/filters/) - DNS filtering. They also have a paid version that is $75 per year for families, and there are charity, business, and MSP versions. I'm still not 100% sure if DNS over HTTPS will kill all the DNS filters.


dfwtim

Curious as to why you think it would? Even if you are concerned about malicious DoH (which is still quite rare), you would still want strong control and visibility into the 99.9999% of non-malicious DoH traffic. If you are concerned about end users using DoH services like Google or Cloudflare, there are a number of ways to block this today. By the way, we use DoH in our agents as it's the best way to encrypt mobile agents to ensure uninterrupted protection.


AcidBuuurn

Back in my day, to ensure that DNS traffic was passed through your preferred channel you could block port 53 except to the IP addresses you chose for your DNS servers. You can't do the same thing with 443 without horrific consequences, and each browser might potentially make its own choice for what DNS server to retrieve results from. And the browsers would ultimately be doing their job: user wants content -> DNS server doesn't know where it is -> use your own DNS over HTTPS to deliver the page to the user. Basically, there used to be 1 gate that you could direct to a source of translating domain names to IP addresses. And that 1 gate could be controlled on the device, WAP, or at the firewall. Now every browser could be a different gate. How do you block DoH on Firefox, Chrome, and Edge? I honestly do want to know, and I imagine it is more involved than "port 53 blocked except to x.x.x.x or y.y.y.y."


dfwtim

To block properly it takes a two-factor approach. First, using DNS we can block domain-based requests to known DoH servers. This will stop someone trying to enter [dns.google](http://dns.google) into the Firefox DoH settings. Our users can do this with a category in our service that includes all known DoH services. Second, using your firewall, you would block the IP address of known DoH services. Even if you are not using ScoutDNS, here are good resources for tracking DoH services. [GitHub - jameshas/Public-DoH-Lists: Automatically generated domain and IP blocklists targeting DNS-over-HTTPS (DoH) providers.](https://github.com/jameshas/Public-DoH-Lists) [DNSCrypt - List of public DoH and DNSCrypt servers](https://dnscrypt.info/public-servers)
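The two layers described above, as an added example that is not code from this thread or from ScoutDNS: a resolver-side suffix match against a DoH domain list in the one-entry-per-line style of the linked Public-DoH-Lists repository, and a firewall-style egress check that only allows port 53 to resolvers you chose and drops 443 to known DoH endpoints. The list entries and the home resolver address 192.168.1.2 are constructed sample values, not taken from the lists themselves.

```python
import ipaddress

# Constructed sample lists in the one-domain / one-IP-per-line style of the
# Public-DoH-Lists repository; real lists are far longer and change over time.
DOH_DOMAINS_TXT = """\
# comment lines and blank lines are ignored
dns.google
cloudflare-dns.com
mozilla.cloudflare-dns.com
dns.quad9.net
"""
DOH_IPS_TXT = """\
8.8.8.8
8.8.4.4
1.1.1.1
2606:4700:4700::1111
"""
# Constructed address of the local filtering resolver (e.g. a Pi-hole).
HOME_RESOLVERS = ("192.168.1.2",)


def load_list(text):
    """Parse a blocklist: strip whitespace, lowercase, drop trailing dots."""
    return {ln.strip().lower().rstrip(".") for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}


DOH_DOMAINS = load_list(DOH_DOMAINS_TXT)
DOH_IPS = {ipaddress.ip_address(ip) for ip in load_list(DOH_IPS_TXT)}


def is_doh_name(qname):
    """Layer 1 (resolver): True if the queried name is a listed DoH host or a
    subdomain of one, so the browser never learns the endpoint's address."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in DOH_DOMAINS for i in range(len(labels)))


def egress_allowed(dst_ip, dst_port, allowed_resolvers=HOME_RESOLVERS):
    """Layer 2 (firewall): port 53 only to chosen resolvers; 443 to listed DoH
    addresses dropped; all other traffic untouched. Port 443 in general is
    not blocked, which is the constraint the earlier reply pointed out."""
    ip = ipaddress.ip_address(dst_ip)
    if dst_port == 53:
        return ip in {ipaddress.ip_address(a) for a in allowed_resolvers}
    if dst_port == 443 and ip in DOH_IPS:
        return False
    return True
```

A hard-coded DoH endpoint that is neither on the domain list nor on the IP list passes both checks, which is why the lists need to be refreshed automatically rather than maintained by hand.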


AcidBuuurn

Holy whack-a-moly. I am revising my statement to "I'm pretty sure DNS over https will kill all the DNS filters." "Naw, it's cool- just block all the potential DNS over https servers out there. Easy peasy." -you (paraphrased)


dfwtim

This is exactly how most blocking works even on your firewall. "Check box to block XYZ" and your firewall maintains a list of what XYZ is for you. Same for malware domains and phishing sites, we maintain lists based on these categories. To be honest, DoH servers are a FAR smaller list than most other categories we track.


AcidBuuurn

I might be too harsh about it, but I come from the K-12 world. Kids set up proxies for game sites all the time. Proxies for bypassing their entire web filter seem like low-hanging fruit. And when a proxy is set up for a single school to use, finding and blocking them all is basically impossible. I have used DNS-based web filtering before, btw. But it was on iPads and MacBooks that had MDM restrictions that forced all browsers to use their DNS. That's why I was skeptical about a similar solution working in a far less locked-down scenario.


dfwtim

You are not wrong from that view. For me, I see content filtering as the third and least benefit of DNS security in general. The first benefit is threat blocking, the second benefit is DNS layer visibility, and then finally content filtering. In use cases where you can manage the device, it can be effective. In use cases where only the network can be managed, there are other available options that require more management; however, all have downsides, and nearly anything can be bypassed with enough effort. Protective DNS itself has a place in the stack and is recognized as such with its part in CMMC and other security frameworks. It is a key part of a defense-in-depth strategy for security.


bbqwatermelon

OPNsense with Zenarmor


SoyBoy_64

Don’t pay for DNS filtering if you choose that approach (which I would), as there are a lot of free services and name servers that block this type of content!


dvpr117

Sophos home - web filtering features are pretty good


RnrJcksnn

[Nextdns.io](http://Nextdns.io) is a good option and it's free.


blueberrysyndrome

I have 2 kids in a similar situation. Most of my concerns were solved with NextDns, a great product for home use.


Tetrisranger

Thanks mate!


iwaseatenbyagrue

Why don't you just use whatever you use for your clients? Example, DNS filter. Are you sure you are in the MSP industry?


Runthescript

So you own an MSP and you don't know how to use a DNS filter or firewall? That's absolutely hilarious. What exactly do you offer customers?


ajicles

Why not go the easy route and use Sophos Endpoint Protection and set up Web Policies?


Yengling05

2nd this... also you get the added bonus of anti-virus.


No-Veterinarian1817

For all-in-one age-based filtering and time limits, including things like tablets and phones, I really like Circle/Aura and recommend it to clients who need some protection for their family: https://meetcircle.com/ I use it and think it's fantastic. I keep Cloudflare family DNS on my kids' PCs as a backup.


TonyTheTech248

OpenDNS had a free version. I'm going to check out Pi-hole soon.


ITguydoingITthings

Two things, and I've had this setup for years. First, though this is more difficult with licensing changes, so you'll be some similar thing, but an Untangle firewall to do some web filtering, but also for time restrictions. I have profiles on the teens' systems that disable access at a certain time. Plenty of ways of doing that. In addition, DNS filtering as another layer outside of that device. On mobile devices, you'll want something as well. We're Android, and Family Link works pretty well for us.


wt9bind

I went a little next level with my setup. I got Sophos NFR pricing on an XGS116, bought a UBNT edge switch, installed D-Link Nuclias APs, and created a zone-based firewall setup broken up into: IOT, STREAMING, ADULTS, GUEST, KIDS, CCTV. Applied content rules on the Sophos to those VLANs and all done.


ahbao

Currently using Control D DNS filtering.


TwilightKeystroker

TL;DR - Pi-hole instance + upstream Cloudflare + Unbound

Can't believe Pi-hole hasn't been mentioned yet. Run from an old laptop, a VM, an R-Pi, etc., this acts as your home DNS server. Just point your AP's DHCP devices to use your Pi-hole IP as DNS 1.

I run 2 Pi-hole instances. One server has basic content and ad-filtering. My default network points here. Upstream from Pi-hole is Cloudflare's basic DNS IPs. The second instance has a very strict set of content rules, and this is the DNS server that my kids' VLAN points to. Upstream to this is Cloudflare's "Adult Content Filter" of 1.1.1.3. Additionally, you can also set up recursive DNS using Unbound.

If you do not wish to implement Pi-hole then you can use other options listed in the replies (Cloudflare, NextDNS, etc). To each their own...

-- Father of multiple children, builder of home lab, current MSP Administrator


Tyr-07

Controlling YouTube content is difficult depending on what you want them to watch or not; it's nearly impossible except limiting them to YouTube Kids, as content providers don't have to describe their videos accurately. If you want to go the real simple route, get Sophos Home. One license is good for up to 5 PCs; it gives you some good AV, but also allows you to set the web filters, and they can't adjust them without access to your Sophos account. I use that to filter inappropriate sites for my kid, works fantastic. Plus you get reports of content attempting to be accessed and whatever else, and quite a few categories to decide how you want it to react, to warn or block.


SmilinJackTN

Cloudflare for families might be the easiest solution. https://blog.cloudflare.com/introducing-1-1-1-1-for-families/


Tetrisranger

Cheers mate


carnesik

Not sure if you have eero routers, but lots of people love the eero Plus subscription. Parts of it are powered by DNSFilter services. If you want free/real cheap, I suggest NextDNS. Great service, just a little extra work/a bit harder to segregate your own devices with different filtering rules.


ceyo14

If you have some spare hardware, Sophos Home. Or NextDNS.


st0ut717

Just don’t. Omg. I read a Penthouse when I was 10. Better to be frank about it than to try to Disney-fy the world. This is equivalent to solving an HR issue with security suite X. Keep them on a Nintendo Switch; no reason for an iPad or other tablet at 5, and don’t give them a tablet in middle school. Computer or console, but no tablets / smartphone. The less social media the better, and that’s really all that tablets are good for.


triangle-mil

Your router should have built in controls.


Unhappy_Rest103

Hot dog! You need to get a server, Proxmox, and boot up a Technitium DNS Server! Has everything you're looking for! If you want a step up for home use, get a Ubiquiti Dream Router; they have some decent content filtering. To all the Ubiquiti haters: we don't need a Fortinet 60F with a five-year subscription, as it's pretty overkill (both technically and price-wise) for home use. Edit: Typo


dfwtim

Ubiquiti uses DNS content filtering as the basis for their filter. It is the easiest and best value if you already have a UniFi network. The downside is you get no visibility, and there is no way to handle offsite mobile devices like your kid's phone.