Identifying public clients (client ID?) for advanced blocking #860
-
I have run my own DNS for many years, almost 20 years at least; everything from BIND and dnsmasq through AdGuard Home and Blocky. I came across Technitium recently, and am very impressed with its speed and ease of use! Our family has varying needs. My wife and I just want to block ads, trackers and malware. However, for our children we want to also block NSFW, gambling, piracy and enforce safe search and so on. I have managed to get this working with the advanced blocking app:

```json
{
  "enableBlocking": true,
  "blockListUrlUpdateIntervalHours": 12,
  "networkGroupMap": {
    "0.0.0.0/0": "default",
    "10.100.0.30/31": "eldest",
    "10.100.0.32/29": "eldest",
    "10.100.0.40/29": "kids",
    "10.100.0.48/28": "kids",
    "10.100.0.64/30": "kids",
    "10.100.0.68/31": "kids"
  },
  "groups": [
    {
      "name": "default",
      "enableBlocking": true,
      "allowTxtBlockingReport": true,
      "blockAsNxDomain": false,
      "blockingAddresses": [
        "0.0.0.0",
        "::"
      ],
      "allowed": [],
      "blocked": ["dns.google", "dns.google.com", "dns.opendns.com", "dns.cloudflare-dns.com"],
      "allowListUrls": [],
      "blockListUrls": [],
      "allowedRegex": [],
      "blockedRegex": [],
      "regexAllowListUrls": [],
      "regexBlockListUrls": [],
      "adblockListUrls": ["https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/pro.plus.txt", "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/tif.txt"]
    },
    {
      "name": "eldest",
      "enableBlocking": true,
      "allowTxtBlockingReport": true,
      "blockAsNxDomain": false,
      "blockingAddresses": [
        "0.0.0.0",
        "::"
      ],
      "allowed": [],
      "blocked": ["dns.google", "dns.google.com", "dns.opendns.com", "dns.cloudflare-dns.com"],
      "allowListUrls": [],
      "blockListUrls": [],
      "allowedRegex": [],
      "blockedRegex": [],
      "regexAllowListUrls": [],
      "regexBlockListUrls": [],
      "adblockListUrls": ["https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/pro.plus.txt", "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/tif.txt", "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/anti.piracy.txt", "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/gambling.txt"]
    },
    {
      "name": "kids",
      "enableBlocking": true,
      "allowTxtBlockingReport": true,
      "blockAsNxDomain": false,
      "blockingAddresses": [
        "0.0.0.0",
        "::"
      ],
      "allowed": [],
      "blocked": ["dns.google", "dns.google.com", "dns.opendns.com", "dns.cloudflare-dns.com"],
      "allowListUrls": [],
      "blockListUrls": [],
      "allowedRegex": [],
      "blockedRegex": [],
      "regexAllowListUrls": [],
      "regexBlockListUrls": [],
      "adblockListUrls": ["https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/pro.plus.txt", "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/tif.txt", "https://nsfw.oisd.nl", "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/anti.piracy.txt", "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/gambling.txt", "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/nosafesearch.txt"]
    }
  ]
}
```

This works great for our LAN DNS at home, but I also run an encrypted DNS server on a public VPS (AdGuard Home) so that our mobile devices can always be connected to our blocking DNS. I wish to replace this instance with Technitium also, but I can't see a way to identify 'public' clients so that they can be treated appropriately for blocking. Given that a particular client (e.g. a child) might have half a dozen IPv6 addresses from cellular, plus several WiFi network IPs during the course of a given day, I was hoping to find a 'client ID' type feature, but none seems to be present? For example, in AGH or Blocky one can identify clients by the subdomain or domain suffix used by them to connect to the server, such as Have I missed a trick here, or is this just not possible to achieve? I'd like to move to Technitium everywhere, but this feature is a deal breaker for us to stop the children accessing inappropriate materials, no matter how unintentionally. Thanks in advance!
Replies: 3 comments 1 reply
-
Thanks for the post and kind words. The Advanced Blocking app has a feature to select the group based on the IP address & port the request was received on: This feature works with IP address and port only. So it won't seem to work for your requirement. This will need updating the app to support domain names for DoH. Will see how this feature can be added and let you know.
-
Thanks for your answer! It would be wonderful if you could implement client IDs in the way I described. Typically, one would generate a wildcard cert (I use acme.sh with DNS challenge to obtain For now I may be able to use different ports as you describe, such as 443 (adults), 4443 (eldest/18+) and 4433 (kids), though it's not ideal. The main issue with that is roaming and public WiFi, where outbound port access is often restricted. Alas, I'll see what I can do. Thanks so much again for the excellent software, and the speedy response!
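As an added illustration (not code from this discussion or from Technitium), the following Python resolves a request to a blocking group using the two mechanisms the thread discusses: a `networkGroupMap` constructed to mirror the one in the opening post (longest-prefix match is assumed here; the app's own matching rules are not stated on the page), and a hypothetical per-listener port map standing in for the port-per-group workaround in the replies (the map name, its precedence over the network map, and the fallback group are assumptions, not Technitium configuration keys). Running it shows why a roaming cellular IPv6 client never matches the CIDR map, while a dedicated listener port does identify it.

```python
import ipaddress
from typing import Mapping, Optional

# Constructed to mirror the "networkGroupMap" in the opening post. Longest-prefix match is
# an assumption for this illustration; the app's own matching rules are not stated on the page.
NETWORK_GROUP_MAP: Mapping[str, str] = {
    "0.0.0.0/0": "default",
    "10.100.0.30/31": "eldest",
    "10.100.0.32/29": "eldest",
    "10.100.0.40/29": "kids",
    "10.100.0.48/28": "kids",
    "10.100.0.64/30": "kids",
    "10.100.0.68/31": "kids",
}

# Hypothetical listener-port map for the workaround described in the replies
# (4443 = eldest, 4433 = kids). 443 is deliberately left unmapped so adults on the
# standard port fall through to the network map. Not a real Technitium config key.
LOCAL_PORT_GROUP_MAP: Mapping[int, str] = {4443: "eldest", 4433: "kids"}

FALLBACK_GROUP = "default"  # assumed behaviour when nothing matches


def group_for_client(client_ip: str, nets: Mapping[str, str] = NETWORK_GROUP_MAP) -> Optional[str]:
    """Return the group whose most specific prefix contains client_ip, or None if nothing matches.

    Address families are matched separately, so "0.0.0.0/0" catches every IPv4 client but
    no IPv6 client: this is the roaming-device gap the opening post runs into.
    """
    ip = ipaddress.ip_address(client_ip)
    best_net = None
    best_group = None
    for cidr, group in nets.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version != ip.version or ip not in net:
            continue
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_group = net, group
    return best_group


def group_for_request(client_ip: str, local_port: int,
                      nets: Mapping[str, str] = NETWORK_GROUP_MAP,
                      ports: Mapping[int, str] = LOCAL_PORT_GROUP_MAP) -> str:
    """Pick a group: dedicated listener port first, then client network, then the fallback.

    The precedence order is an assumption made for this example.
    """
    by_port = ports.get(local_port)
    if by_port is not None:
        return by_port
    by_net = group_for_client(client_ip, nets)
    return by_net if by_net is not None else FALLBACK_GROUP


if __name__ == "__main__":
    # Constructed sample requests: LAN clients on the mapped ranges, a roaming cellular
    # IPv6 client on the standard port, and the same client arriving on the "kids" port.
    samples = [
        ("10.100.0.31", 443),        # LAN, eldest range
        ("10.100.0.50", 443),        # LAN, kids range
        ("10.100.0.70", 443),        # LAN, unmapped host -> default via 0.0.0.0/0
        ("2001:db8:1::abcd", 443),   # roaming IPv6, standard port -> no match -> default
        ("2001:db8:1::abcd", 4433),  # roaming IPv6 on the kids listener -> kids
    ]
    for ip, port in samples:
        print(f"{ip:>18} :{port:<5} network={group_for_client(ip)!s:8} chosen={group_for_request(ip, port)}")
```

The last two sample rows are the point of the thread: the same child's phone is invisible to the CIDR map once it leaves the LAN, and only the listener port (or, once the app supports it, the DoH hostname) identifies it. The port approach also inherits the limitation the second reply raises: it only works where the client can actually reach that non-standard port.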
-
That's fantastic, thank you!
Thanks for the feedback. I did check and adding domain based group selection is feasible. This feature will mostly use the same `localEndPointGroupMap` with support to allow entering domain names. Will get it added for the next update.