Hard coded dns / IPs

#2
If you use KeexyBox as DNS only, exactly like Pi-hole does, KeexyBox will not prevent the use of hard-coded DNS.
But if you use it as a gateway, the answer is "YES"!

Thanks to its role as default gateway, KeexyBox NATs all DNS queries. This means that even if 8.8.8.8 is configured as the DNS server on the client device, it is KeexyBox that handles the DNS query, and the domain can thus be blocked. Below is an example of a dig query using 8.8.8.8 from a Windows workstation behind a KeexyBox gateway.


Code:
C:\Users\user>dig -t a baddomain.com @8.8.8.8

; <<>> DiG 9.11.0 <<>> -t a baddomain.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57673
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: b3d498e2a8be0e12bce7e0a45fd709d5abf3c4674147707b (good)
;; QUESTION SECTION:
;baddomain.com.                  IN      A

;; ANSWER SECTION:
baddomain.com.            0      IN      CNAME  keexybox.
keexybox.              604800  IN      A      192.168.1.253

;; AUTHORITY SECTION:
keexybox.              604800  IN      NS      ns.keexybox.

;; ADDITIONAL SECTION:
ns.keexybox.            604800  IN      A      192.168.1.253

;; Query time: 12 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Dec 14 10:44:37 Arabie 2020
;; MSG SIZE  rcvd: 139

If you want to stop devices that use DNS over HTTPS (DoH), you can blacklist the domain of the DoH server, or block the server's IP address by creating a firewall rule in KeexyBox.

https://wiki.keexybox.org/doku.php/profi...e_firewall
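The interception paul describes is what a Linux gateway does with a destination-NAT rule on the LAN interface: every packet to port 53, whatever resolver the client named, is rewritten to the gateway's own resolver before routing. The script below is an added example of that setup, not KeexyBox's code or configuration. It assumes a LAN-facing interface named eth1 and uses 192.168.1.253 (the address in the dig output above) as the gateway's LAN address where the filtering resolver listens; both are adjustable through environment variables. It also includes the check a practitioner would run afterwards: dig output that claims `SERVER: 8.8.8.8` yet carries the sinkhole CNAME to `keexybox.` can only have come from the local resolver.

```shell
#!/bin/sh
# Added example: transparent DNS interception on a Linux gateway with iptables.
# Not KeexyBox's own code. eth1 and 192.168.1.253 are assumptions; override
# them with LAN_IF=... RESOLVER=... when running the script.

LAN_IF="${LAN_IF:-eth1}"                  # assumed LAN-facing interface
RESOLVER="${RESOLVER:-192.168.1.253}"     # gateway's own LAN address, where the resolver listens

# Print the rules that force all plain DNS from the LAN through the local resolver.
# DNAT in PREROUTING rewrites the destination before the routing decision, so a
# query addressed to 8.8.8.8 is delivered to $resolver:53 instead. Both UDP and
# TCP are covered: a truncated UDP answer makes clients retry over TCP.
dns_redirect_rules() {
    lan_if="$1"; resolver="$2"
    for proto in udp tcp; do
        printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport 53 -j DNAT --to-destination %s:53\n' \
            "$lan_if" "$proto" "$resolver"
    done
    # DNS over TLS always uses 853, so it can simply be refused. DoH rides on
    # 443 and cannot be caught this way; see doh_block_rules below.
    printf 'iptables -A FORWARD -i %s -p tcp --dport 853 -j REJECT\n' "$lan_if"
}

# Print per-address rules blocking known DoH resolvers on 443. The caller
# supplies the list; there is no universal one, which is why the post suggests
# blacklisting the DoH server's domain as the complementary measure.
doh_block_rules() {
    lan_if="$1"; shift
    for ip in "$@"; do
        printf 'iptables -A FORWARD -i %s -d %s -p tcp --dport 443 -j REJECT\n' "$lan_if" "$ip"
    done
}

# Verification: read dig output on stdin and succeed only if the answer is the
# local sinkhole (a CNAME to "keexybox."). Google would never hand that out, so
# seeing it with "SERVER: 8.8.8.8" proves the query was intercepted.
answered_by_sinkhole() {
    grep -qE 'IN[[:space:]]+CNAME[[:space:]]+keexybox\.[[:space:]]*$'
}

# Usage:  sh dns-redirect.sh show           print the rules
#         sudo sh dns-redirect.sh apply     install them on the gateway
# Then, from a LAN client:  dig -t a baddomain.com @8.8.8.8 | sh dns-redirect.sh check
case "${1:-show}" in
    apply) dns_redirect_rules "$LAN_IF" "$RESOLVER" | sh -e ;;
    show)  dns_redirect_rules "$LAN_IF" "$RESOLVER" ;;
    check) if answered_by_sinkhole; then echo "intercepted: answered by local resolver"
           else echo "NOT intercepted"; exit 1; fi ;;
esac
```

Two caveats worth keeping in mind when reading the rules. DNAT only works because the gateway is on-path for every packet; a client with a static route or a second uplink bypasses it, which is the same limitation paul points out for the DNS-only mode. And redirecting port 53 leaves the encrypted channels untouched: DoT is easy to refuse by port, but DoH on 443 is indistinguishable from ordinary HTTPS at the packet level, so it has to be handled by resolver address or resolver domain as the post says.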


Messages In This Thread
Hard coded dns / IPs - by PronoLeaks - 12-13-2020, 01:47 PM
RE: Hard coded dns / IPs - by paul - 12-14-2020, 07:01 AM
