
Comment by ndriscoll

2 days ago

DNS blockers only work if the device/application is not adversarial or if you also have a smart enough firewall to block DoH, which is designed to blend in with web traffic. Once ECH is widespread, you'd likely need to MitM the device (so you need to install your CA, which is intentionally made very difficult and you might not even be able to do across all apps anymore on mobile devices? At least without enterprise MDM. And as was observed elsewhere[0], apps like spotify can contain a web browser), or perhaps use DNS requests as a trigger to briefly open a default deny outbound firewall.

Things have definitely been converging toward making it impossible for non-corporations to manage the devices they own, the network they run, etc.

[0] https://news.ycombinator.com/item?id=47128069
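The "DNS requests as a trigger to briefly open a default deny outbound firewall" idea in the comment above, worked through as an added example (my code, not the commenter's and not from any project): the local resolver is the only process allowed to talk out on port 53, every other new outbound flow is dropped unless its destination IP was returned by that resolver within the last minute for a permitted name, and the names of known DoH providers plus port 853 (DoT) are refused so an app cannot use the trusted resolver to bootstrap its own encrypted resolver. The timestamp-prefixed log line format, the `filter`/`allowed_dst` nftables names, the sample addresses and the suffix list are all constructed assumptions.

```python
"""Model of a DNS-triggered default-deny outbound firewall (added example).

Each resolver reply for a permitted name opens the answered IPv4 address for
grace_seconds; anything never answered (hardcoded IPs, a DoH server an app
carries with it) stays blocked. Names of public DoH services and port 853 are
refused outright. The nftables fragment shows the real-world counterpart.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Assumed trigger source: dnsmasq-style "reply <name> is <answer>" lines,
# prefixed here with a unix timestamp (constructed format, not real dnsmasq).
REPLY_RE = re.compile(r"^(?P<ts>\d+) reply (?P<name>[\w.-]+) is (?P<answer>\S+)$")

# nftables ruleset the model mirrors (assumed table/set names): default-deny
# output, the resolver user may reach upstream port 53, DoT dropped, everything
# else must be a member of the timed set that observe_reply() feeds.
NFT_RULESET = """\
table inet filter {
  set allowed_dst { type ipv4_addr; flags timeout; }
  chain output {
    type filter hook output priority 0; policy drop;
    oif lo accept
    ct state established,related accept
    meta skuid "dnsmasq" udp dport 53 accept
    tcp dport 853 drop
    ip daddr @allowed_dst accept
  }
}
"""


@dataclass
class DnsTriggeredFirewall:
    # Names an app could resolve through us purely to bootstrap DoH (assumed list).
    blocked_suffixes: tuple = ("dns.google", "cloudflare-dns.com", "dns.quad9.net")
    resolver_port: int = 53
    grace_seconds: int = 60                       # how long an answered IP stays open
    allowed: dict = field(default_factory=dict)   # dst ip -> expiry timestamp

    def _name_blocked(self, name: str) -> bool:
        n = name.rstrip(".").lower()
        return any(n == s or n.endswith("." + s) for s in self.blocked_suffixes)

    def nft_add_element(self, ip: str) -> str:
        """Shell command that would add the IP to the timed set on a real host."""
        return (f"nft add element inet filter allowed_dst "
                f"{{ {ip} timeout {self.grace_seconds}s }}")

    def observe_reply(self, line: str):
        """Parse one resolver log line. Returns (ip, nft command) when the reply
        opened the firewall for that IP, otherwise None."""
        m = REPLY_RE.match(line.strip())
        if not m:
            return None
        try:
            ip = ipaddress.ip_address(m["answer"])
        except ValueError:                # "<CNAME>", NXDOMAIN etc.: nothing to open
            return None
        if ip.version != 4 or self._name_blocked(m["name"]):
            return None
        self.allowed[str(ip)] = int(m["ts"]) + self.grace_seconds
        return str(ip), self.nft_add_element(str(ip))

    def decide(self, dst_ip: str, dst_port: int, now: int, is_resolver: bool = False) -> str:
        """Verdict for a NEW outbound connection, mirroring the chain above."""
        if is_resolver and dst_port == self.resolver_port:
            return "accept"               # the resolver reaching its upstream
        if dst_port == 853:
            return "drop"                 # DoT cannot blend in: refuse it flat
        expiry = self.allowed.get(dst_ip)
        if expiry is not None and now < expiry:
            return "accept"
        return "drop"                     # never answered, or answer expired


# Constructed resolver log: one permitted name, one DoH provider, one CNAME.
SAMPLE_LOG = """\
1700000000 reply en.wikipedia.org is 198.51.100.7
1700000000 reply dns.google is 8.8.8.8
1700000005 reply cdn.example.net is <CNAME>
1700000005 reply cdn.example.net is 203.0.113.10
"""


def run_sample():
    """Feed the constructed log through the model and classify a few flows."""
    fw = DnsTriggeredFirewall()
    opened = [r[0] for r in map(fw.observe_reply, SAMPLE_LOG.splitlines()) if r]
    decisions = {
        "wikipedia_fresh":   fw.decide("198.51.100.7", 443, now=1700000010),
        "dns_google_doh":    fw.decide("8.8.8.8", 443, now=1700000010),
        "never_resolved":    fw.decide("192.0.2.99", 443, now=1700000010),
        "dot_any":           fw.decide("203.0.113.10", 853, now=1700000010),
        "wikipedia_stale":   fw.decide("198.51.100.7", 443, now=1700000070),
        "resolver_upstream": fw.decide("192.0.2.53", 53, now=1700000010, is_resolver=True),
    }
    return opened, decisions


if __name__ == "__main__":
    opened, decisions = run_sample()
    print("opened:", opened)
    for flow, verdict in decisions.items():
        print(f"{flow:18} {verdict}")
```

Two caveats the model makes visible. The `ct state established` rule means a long-lived connection an app opened while its destination was in the set survives the timeout, so the trigger only gates new connections. And because the set holds bare IPs, an address answered for one site on a shared frontend proxy admits every other site served from that address, which is exactly the opacity point made elsewhere in this thread; the name-based suffix list is therefore a heuristic, not a boundary.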

This is very interesting, thanks.

I agree that ECH is perhaps a stumbling block, although, as you say, MitM is indeed possible to pursue considering the whole set-up-a-child-account-on-the-device thing going on with many of these devices.

On the rest of your points, fair enough, but again I ask: is it actually proportionate? Are we talking about children or black hats?

  • The black hats in this case are the software vendors. If your software prevents any ability to inspect any of its traffic (so you can't use external filters), and the OS doesn't offer ways to override/hook into that, and if the inbuilt parental controls are insufficient, you can't do much.

    What are you going to do when every application (including web browsers) simply ignores and bypasses your DNS filtering "for security" and every site is opaque (e.g. wikipedia looks just like pornhub to your router, and every site is using one of a small number of major frontend proxies like cloudflare that's actively, specifically working toward traffic opacity)? It happens that every major commercial non-server OS vendor (except Redhat?) is an ad company now, so they all have a reason to block your ability to filter traffic / restrict your configuration to only what they allow. And they're all working toward that.