Content Blocking not working?

Content blocking does not seem to be working…

After doing some tests: if the end device is using DoH instead of standard DNS, Pepwave Content Blocking is bypassed. As a test, I turned off DoH on the end device, ran standard DNS, and Content Blocking does work.

That’s a bummer.

This is more of an FYI post, but does anyone have a content blocking solution at the router level?

2 Likes

That is great to know! Thank you for sharing.
Hopefully this will make it to the bucket list of bug fixes for the next release. :slight_smile:

Secure DNS, be it DoH or DoT, is just like a VPN in that it bypasses any rules in the router.

1 Like

Hello @peparn ,
This is not a bug in the router’s firmware.

If you don’t want devices bypassing the router DNS, you must enforce BLOCKS to external DNS services, including Secure DNS (DoH and DoT). The router’s outbound firewall and traffic rules need to be created and configured to do this (it’s not just content filtering). We do this on the enterprise version of the Peplink routers (MBX, SDX, EPX); most of Peplink’s routers can block both DNS & Secure DNS when configured to do so. You need to understand the other networking implications of doing this, so be prepared for things to break and do some debugging.

Happy to Help,
Marcus :slight_smile:

Marcus,
Do you block Secure DNS usage based on the DNS server name? If so, you must have a looooong list :slight_smile:
Michael

1 Like

Thanks for the heads up @mldowling but I think you meant to tag @bward who is the original poster, I had just acknowledged his post. :slight_smile:

@Michael234 I agree this does not seem manageable. To me the fact that the router uses secure DNS to fulfill DNS requests happens/should happen downstream from the router local DNS proxy that is used by the network clients.
I think there are two different cases:

  1. Network is configured to use the router DNS proxy and all clients go through the local DNS proxy. In that case the fact that the router uses secure DNS for missing entries in the proxy should be irrelevant, and the content blocking rules should work. I think this is the scenario that @bward was referring to. It would be counterintuitive otherwise, and if indeed this does not work, then I would agree this is a functional bug, even if it might be the current design and not a bug per se.
  2. Clients (or some clients) directly use an external DNS server, regular or secure. In that case, unless there are rules to block or redirect those external requests, it is indeed logical that the router would not block content properly. I am guessing this is what @mldowling is referring to.

Am I missing something?
Cheers!

Network is configured to use the router DNS proxy and all clients go through the local DNS proxy. In that case the fact that the router uses secure DNS for missing entries in the proxy, should be irrelevant and the content blocking rules should work.

Yes, but only for old DNS. The router does not see new/secure DNS. Neither does the ISP. They look like HTTPS requests; they are HTTPS requests. Whole different thing. That said, one flavor of new DNS is easily blocked as it uses a fixed port number. The other flavor is HTTPS port 443.


Clients or some clients directly use an external DNS server regular or secure, in that case, unless there are rules to block or redirect those external requests, it is indeed logical that the router would not block content properly.

For old DNS, the router can prevent attached devices from using any DNS servers other than what the router wants them to use. Not so for new DNS, as far as I know.
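The three cases discussed above (plain DNS on port 53 that the router can redirect to its own proxy, DoT on its fixed port 853 that can be blocked by port alone, and DoH on 443 that can only be told apart from ordinary HTTPS by its destination) as an added, stand-alone Python example. This is not Peplink firmware or anything from the posters; it is a small egress-policy classifier written for this thread. It goes slightly beyond the posts by pulling the TLS SNI out of a ClientHello, since that and the destination IP are the only cleartext signals a router has for DoH. The router address, the list of DoH resolvers (a handful of well-known public ones, deliberately short to show why a real list gets long), the TEST-NET addresses and the ClientHello bytes are all constructed for the example.

```python
"""Added example for the DNS / DoT / DoH egress discussion (not Peplink code).

Assumptions, all constructed for this example:
- ROUTER_IP is the LAN address of the router's DNS proxy.
- KNOWN_DOH_* is a tiny sample of public DoH resolvers; real lists are long.
- Flows and TLS ClientHello records are built inline, not captured.
"""
from dataclasses import dataclass
from typing import List, Optional

ROUTER_IP = "192.168.50.1"  # assumed LAN address of the router DNS proxy

# Constructed sample of public DoH endpoints (names and addresses).
KNOWN_DOH_HOSTS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}
KNOWN_DOH_IPS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}


@dataclass(frozen=True)
class Flow:
    proto: str          # "udp" or "tcp"
    dst_ip: str
    dst_port: int
    payload: bytes = b""  # first client bytes, if any (TLS ClientHello for 443)


def build_client_hello(sni: str) -> bytes:
    """Build a minimal TLS 1.2-framed ClientHello carrying only an SNI extension."""
    name = sni.encode("ascii")
    entry = b"\x00" + len(name).to_bytes(2, "big") + name      # host_name entry
    sni_list = len(entry).to_bytes(2, "big") + entry
    ext = b"\x00\x00" + len(sni_list).to_bytes(2, "big") + sni_list  # type 0 = SNI
    body = (b"\x03\x03" + bytes(32) + b"\x00"   # version, random, empty session id
            + b"\x00\x02\x13\x01"               # one cipher suite
            + b"\x01\x00"                       # one compression method (null)
            + len(ext).to_bytes(2, "big") + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body          # handshake: client_hello
    return b"\x16\x03\x03" + len(hs).to_bytes(2, "big") + hs    # record: handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host_name from a TLS ClientHello record, or None."""
    try:
        if record[0] != 0x16:
            return None
        hs = record[5:5 + int.from_bytes(record[3:5], "big")]
        if hs[0] != 0x01:
            return None
        p = 4 + 2 + 32                                   # header, version, random
        p += 1 + hs[p]                                   # session id
        p += 2 + int.from_bytes(hs[p:p + 2], "big")      # cipher suites
        p += 1 + hs[p]                                   # compression methods
        end = p + 2 + int.from_bytes(hs[p:p + 2], "big")
        p += 2
        while p + 4 <= end:
            etype = int.from_bytes(hs[p:p + 2], "big")
            elen = int.from_bytes(hs[p + 2:p + 4], "big")
            data = hs[p + 4:p + 4 + elen]
            if etype == 0 and len(data) >= 5:            # server_name extension
                name_len = int.from_bytes(data[3:5], "big")
                return data[5:5 + name_len].decode("ascii", "replace")
            p += 4 + elen
    except IndexError:
        pass
    return None


def classify(flow: Flow) -> str:
    """Decide "allow", "redirect" or "block" for one outbound flow."""
    # Plain DNS: visible to the router, so it can be forced to the local proxy.
    if flow.dst_port == 53:
        return "allow" if flow.dst_ip == ROUTER_IP else "redirect"
    # DoT always rides TCP 853: a port rule is enough.
    if flow.proto == "tcp" and flow.dst_port == 853:
        return "block"
    # DoH is ordinary HTTPS: only the destination (IP or SNI) gives it away.
    if flow.proto == "tcp" and flow.dst_port == 443:
        sni = extract_sni(flow.payload)
        if flow.dst_ip in KNOWN_DOH_IPS or sni in KNOWN_DOH_HOSTS:
            return "block"
        return "allow"  # an unlisted DoH resolver passes: the list must be maintained
    return "allow"


def classify_all(flows: List[Flow]) -> List[str]:
    return [classify(f) for f in flows]


# Constructed sample flows (203.0.113.0/24 is documentation space).
SAMPLE_FLOWS = [
    Flow("udp", ROUTER_IP, 53),                                          # allow
    Flow("udp", "8.8.8.8", 53),                                          # redirect
    Flow("tcp", "1.1.1.1", 853),                                         # block (DoT)
    Flow("tcp", "203.0.113.1", 443, build_client_hello("cloudflare-dns.com")),  # block by SNI
    Flow("tcp", "8.8.8.8", 443, build_client_hello("dns.google")),       # block by IP and SNI
    Flow("tcp", "203.0.113.10", 443, build_client_hello("doh.example")), # allow: unlisted DoH
    Flow("tcp", "203.0.113.20", 443, build_client_hello("www.example.com")),  # allow: plain HTTPS
]

if __name__ == "__main__":
    for f, d in zip(SAMPLE_FLOWS, classify_all(SAMPLE_FLOWS)):
        print(f"{d:8} {f.proto}/{f.dst_port:<4} -> {f.dst_ip:14} sni={extract_sni(f.payload)}")
```

The sixth sample flow is the point of the thread: a DoH resolver that is not on the list is indistinguishable from any other HTTPS connection, so the only controls are a maintained destination list, forcing clients to the router's own resolver and disabling DoH in the clients, or accepting that port 443 cannot be filtered by name.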

Sounds like we are essentially saying the same thing, and it is logical.
There has been no update from @bward, but now that I read his message again I realize I may have misread it. I assumed he was talking about the router using DoH or not; now that I read it again, it seems he was talking about an actual device on the network (end device), in which case there is indeed no way the Pepwave router would be able to filter content (case #2 above).

1 Like