Understanding DNSFilter’s capabilities: DoH, NAT IPs, and blocking TLDs
If you're exploring how to set up DNS-over-HTTPS (DoH), manage policies for different VLANs, or block top-level domains (TLDs) with DNSFilter, here are some helpful insights!
DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT)
- DNS-over-HTTPS (DoH) is supported in web browsers by using doh.dnsfilter.com as the server name, and for some browsers, you may need to use https://doh.dnsfilter.com/dns-query.
- At the router level, we typically recommend using DNS-over-TLS (DoT) for better encryption. DNSFilter has a guide for enabling DNS-over-TLS, though implementation may vary depending on your router.
- Keep in mind that using encrypted DNS with DoH or DoT may prevent the NAT IP feature from functioning. If you want to apply different policies per VLAN, consider using DNSFilter’s Relay service, which supports encrypted DNS while managing multiple private IP ranges.
Managing Policies for Different VLANs Using NAT IPs
- If you’re looking to assign different DNS IP addresses for different VLANs (e.g., guest, IoT networks), DNSFilter offers NAT IPs, which can be configured to route traffic to different policies. By pointing devices to specific NAT IPs, you ensure they follow the designated policy for each VLAN.
Blocking Top-Level Domains (TLDs)
- If you block specific TLDs like .ru or .cn, DNSFilter will block requests to those domains. However, this does not block IP addresses associated with those geographic regions, as the block only applies to the TLD itself.
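The two points above (a device follows whichever policy is attached to the NAT IP it queries, and a TLD block matches only the query name, never the addresses a name resolves to) can be seen in a small policy model. This is an added example, not DNSFilter's own code or policy engine; the NAT IPs are RFC 5737 documentation addresses, the policy names and blocked TLD sets are constructed, and the only behaviour it reproduces is the one the post describes.

```python
"""Constructed model of per-NAT-IP policies with TLD blocking.

Not DNSFilter's implementation: it only mirrors the semantics stated in
the post (policy keyed by NAT IP, TLD block applied to the query name).
"""
import ipaddress
from typing import Optional

# Constructed mapping of NAT IP -> policy. 192.0.2.0/24 is a documentation
# range; real NAT IPs are assigned in the DNSFilter dashboard.
POLICIES_BY_NAT_IP = {
    "192.0.2.10": {"name": "corp",  "blocked_tlds": set()},
    "192.0.2.20": {"name": "guest", "blocked_tlds": {"ru", "cn"}},
    "192.0.2.30": {"name": "iot",   "blocked_tlds": {"ru", "cn", "xyz"}},
}


def normalize_qname(qname: str) -> str:
    """Lower-case and drop the trailing root dot: 'Example.RU.' -> 'example.ru'."""
    return qname.strip().rstrip(".").lower()


def is_ip_literal(name: str) -> bool:
    """True for a bare IPv4/IPv6 address, which has no TLD to match."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def tld_of(qname: str) -> Optional[str]:
    """Rightmost label of a query name, or None for empty names and IP literals."""
    name = normalize_qname(qname)
    if not name or is_ip_literal(name):
        return None
    return name.rsplit(".", 1)[-1]


def policy_for(nat_ip: str) -> dict:
    """Select the policy by the NAT IP the client was pointed at (e.g. via DHCP per VLAN)."""
    try:
        return POLICIES_BY_NAT_IP[nat_ip]
    except KeyError:
        raise ValueError(f"no policy mapped to NAT IP {nat_ip}") from None


def evaluate(nat_ip: str, qname: str) -> str:
    """Return 'blocked' or 'allowed' for a query sent to the given NAT IP.

    Only the TLD of the *query name* is consulted. Where the answer records
    would point (a host in some country) is not part of the decision, which
    is why a .com name hosted in a blocked region is still allowed.
    """
    policy = policy_for(nat_ip)
    tld = tld_of(qname)
    if tld is not None and tld in policy["blocked_tlds"]:
        return "blocked"
    return "allowed"


if __name__ == "__main__":
    # Constructed sample queries: same names, different VLAN resolvers.
    for nat_ip, qname in [
        ("192.0.2.10", "example.ru"),        # corp: no TLD blocks
        ("192.0.2.20", "Example.RU."),       # guest: case and root dot ignored
        ("192.0.2.20", "ru.example.com"),    # guest: 'ru' is not the TLD here
        ("192.0.2.20", "198.51.100.7"),      # guest: IP literal, no TLD to match
        ("192.0.2.30", "sensor.xyz"),        # iot: extra TLD blocked
    ]:
        print(f"{nat_ip:12} {qname:18} {policy_for(nat_ip)['name']:6} {evaluate(nat_ip, qname)}")
```

The `198.51.100.7` case is the one the post warns about: a TLD block has nothing to match on an address, so traffic to hosts in a region is not stopped by blocking that region's ccTLD; a firewall rule or a separate IP/geo control is needed for that.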
Finding the Closest DNS Server
- If you’re interested in identifying which DNSFilter server you’re using, you can run the following command, which returns details about the responding server:
nslookup -type=txt debug.dnsfilter.com
For those of you who are managing multiple VLANs, how have you set up your DNS filtering policies? Have you encountered any challenges or tips you'd like to share? Share your experiences below!
Official comment
Eric Nix: Thank you for sharing your feedback and for your kind words about DNSFilter! Supporting DNS over “X” protocols and improving VLAN-specific configurations is a huge priority for us next year. We’re committed to staying aligned with industry trends and addressing customer needs like yours.
I understand how important these features are to you, and we’re actively exploring ways to enhance functionality in these areas. I’d be happy to follow up with you as we make headway on these improvements to keep you updated on our progress!
If there was a way to separate VLANs with DoT/DoH(3) then I would consider returning back to DNSFilter.
Really hoping DNSFilter improves this in 2025. I loved using DNSFilter, but the lack of DoH3 or the ability to configure DoT per VLAN without using the relay server was a deal breaker for me. I can use a daemon to specify DoT per VLAN, but this is not possible with the current implementation of DoT by DNSFilter.
Here's hoping 2025 advances this!