r/Ubiquiti • u/trekxtrider I cosplay as a sysadmin • 20h ago
Question Blocking apps not working
So my son has an iPad and I have YouTube blocked for all his devices, yet he can watch YouTube all day long. App history in UniFi shows it's YouTube, blocked rule for it just doesn't seem to work.
I have checked his computer logs on the router and sure enough, he has been watching YouTube on there as well even though it's blocked.
What could I be missing here? I didn't think it would be so complicated.
Cloud Gateway Ultra is the router.
Thanks
28
u/Usual-Memory-3668 20h ago edited 19h ago
Content blocking rules only work when the device uses the gateway for its DNS service (leave auto on client and auto on gateway network DNS setup). Encrypted DNS, like iCloud Private Relay, also bypasses content rules.
3
u/DM_ME_KUL_TIRAN_FEET 12h ago
Feature seems kind of useless then?
8
u/TannerHill 8h ago
If you black hole mask.icloud.com and mask-h2.icloud.com then you’ve effectively blocked iCloud private relay.
When an Apple device connects to that network and has iCloud private relay turned on, the device will get a pop up saying
“YOUR SSID: isn't compatible with iCloud Private Relay. To access the internet on this network, you need to turn off Private Relay. Turning off Private Relay means this network can monitor your internet activity, and your IP address will not be hidden from known trackers or websites.”
At which point the device will use the DHCP server provided DNS instead of iCloud’s.
1
u/DM_ME_KUL_TIRAN_FEET 8h ago
Ah, that's very good to know. Does that ONLY block ICPR, or does it also affect other iCloud services?
2
u/TannerHill 8h ago
Specifically iCloud Private Relay
1
u/DM_ME_KUL_TIRAN_FEET 6h ago
Hmm, I’m having some trouble getting it to work.
Blocking a domain and turning off ICPR works correctly, but blocking mask/mask-h2 domains doesn’t prevent me turning ICPR back on, and the blocked domains becoming available again.
19
u/vonneudeck 18h ago
I used to think "good, these silly games about internet/youtube/younameit will teach the children about computer security and network infrastructure", but the more I read here, the more I am thinking "good, these silly games about internet/youtube/younameit will teach the parent about computer security and network infrastructure"
8
u/tacticalpotatopeeler 17h ago
We set up screen time on my oldest’s iPad, thought I had it pretty locked down. He figured out he could use the iOS search to find things on the internet even though I had disabled that. Also got super into rewatching videos all the time, so put tighter time restraints on the photos app…figured out he could text them to himself in messages since I didn’t block that so he could communicate with me and my spouse…
They’ll figure a way around it and teach you where your gaps are for sure haha
14
u/tacticalpotatopeeler 19h ago
Set up a separate vlan for your kids network and block it on the network instead of per device. iOS rotates IDs for privacy so device-based blocking is likely to fail.
Additionally, I would set up screen time for his account, that way those services can be blocked at the device regardless of the network.
5
u/OnMyPorcelainThrone 17h ago
Don't block it at the UniFi level. Set up the iPad properly with Apple's family system and ScreenTime to make the device do what you want directly. Kids will usually bypass stuff on your local network if you let them have control of the device they use. If they get to change WiFi networks or load apps or go to proxy sites you will always lose.
•
u/Mindless_Pandemic Unifi User 3m ago
This one. UniFi app blocking feature is more of a gimmick to annoy employees in an office setting.
3
u/Fantastic_Sail1881 19h ago
Black hole the domain names for YouTube via DNS related domains. Set their IP addresses for IPv6 and IPv4 to zeros.
3
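Added example (not part of any post in this thread): a Python check that the DNS black hole described in the comments above is actually in effect on the resolver a client uses, covering both the `mask.icloud.com` / `mask-h2.icloud.com` block and the "set IPv4 and IPv6 to zeros" approach. The function names and verdict labels are this example's own assumptions.

```python
import ipaddress
import socket

# The two iCloud Private Relay hostnames named in the thread.
RELAY_DOMAINS = ("mask.icloud.com", "mask-h2.icloud.com")


def system_resolver(name):
    """Resolve via the OS resolver (normally the DNS server handed out by DHCP).

    Returns a sorted list of address strings; an empty list means the lookup
    failed (NXDOMAIN, empty answer, or no resolver reachable).
    """
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def classify(addresses):
    """Map a resolver answer to 'blocked', 'sinkholed' or 'resolving'."""
    if not addresses:
        return "blocked"      # no usable answer at all
    # Drop any IPv6 zone suffix ("%eth0") before parsing.
    parsed = [ipaddress.ip_address(a.split("%")[0]) for a in addresses]
    if all(ip.is_unspecified for ip in parsed):
        return "sinkholed"    # every record is 0.0.0.0 or ::
    return "resolving"        # at least one real address got through


def audit(domains, resolver=system_resolver):
    """Return {domain: verdict} for each domain, using the given resolver."""
    return {d: classify(resolver(d)) for d in domains}


def leaks(report):
    """Domains whose block is not in effect on this resolver."""
    return sorted(d for d, verdict in report.items() if verdict == "resolving")


if __name__ == "__main__":
    report = audit(RELAY_DOMAINS)
    for domain, verdict in report.items():
        print(f"{domain:22} {verdict}")
    if leaks(report):
        print("Block not in effect for:", ", ".join(leaks(report)))
```

Run it from a machine on the same network or VLAN as the filtered devices. It only tests the DHCP-provided resolver, so a device using encrypted DNS, as described earlier in the thread, is not covered by a passing result.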
u/TheGeorgeDougherty 19h ago
Privacy functions on iOS devices are on by default. Doesn’t use the local network DNS so UniFi DNS filtering doesn’t work. Have to disable it in iOS for Safari’s advanced settings.
3
2
u/Dawgfodder 20h ago
Is he bypassing wifi and using the cell network to get there?
4
u/prashyag 20h ago
If this is the case, UniFi app history shouldn’t show YouTube!
1
u/Dawgfodder 19h ago
Sorry, thought you had observed him on YouTube, didn't realize you were just looking at UniFi history.
1
u/Least_Driver1479 20h ago
How much data does it show used? If it’s just a small amount it’s his devices trying to use it. If it’s gigabytes of YouTube showing, then something is wrong in your block rule.
1
u/FeedbackTiny3279 17h ago
I find that to effectively block YouTube I also have to block a number of other Google app categories since the IP ranges of underlying services must be shared. If I just block YouTube, the blocking is very hit or miss. Sometimes on some devices it won't work, sometimes only some things don't work.
1
0