If content filters and BPJM filters are to be used together, both rules must be configured with different priorities so that they are processed one after the other.
Likewise, for the first rule, care must be taken that the option "Observe further rules, after this rule matches" is enabled; otherwise rule processing stops after the first rule and the second filter is never applied.
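The following is an added example, not LANCOM's own code: a simplified model of how two DNS filter rules with different priorities are processed. It assumes that a lower priority number is processed first, that a rule whose source-network selector matches the query applies its filter, and that processing stops after that rule unless "Observe further rules, after this rule matches" is set. The rule names, networks and domain patterns are constructed for the example.

```python
# Added example, not LANCOM's code: a simplified model of two DNS filter rules
# with different priorities, showing why the first rule needs
# "Observe further rules, after this rule matches" for the second filter to run.
# Assumptions: a lower priority number is processed first; a rule whose source
# selector matches applies its filter, and processing stops after that rule
# unless observe_further_rules is set.
from dataclasses import dataclass, field
from fnmatch import fnmatch
import ipaddress


@dataclass
class DnsFilterRule:
    name: str
    priority: int
    source_net: str                  # traffic selector: queries from this network
    blocklist: list                  # domain patterns the rule's filter blocks
    allowlist: list = field(default_factory=list)   # e.g. the BPJM allow list
    observe_further_rules: bool = False             # the option named in the text

    def applies_to(self, src_ip: str) -> bool:
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source_net)

    def verdict(self, domain: str) -> str:
        # The allow list takes a domain back out of the block list,
        # as with "*.example.com" on the BPJM allow list in the text.
        if any(fnmatch(domain, pat) for pat in self.allowlist):
            return "pass"
        if any(fnmatch(domain, pat) for pat in self.blocklist):
            return "block"
        return "pass"


def evaluate(rules, src_ip, domain):
    """Return (final verdict, names of the rules that were actually consulted)."""
    consulted = []
    for rule in sorted(rules, key=lambda r: r.priority):
        if not rule.applies_to(src_ip):
            continue
        consulted.append(rule.name)
        if rule.verdict(domain) == "block":
            return "block", consulted
        if not rule.observe_further_rules:
            break   # rule matched; without the option, later rules are never processed
    return "allow", consulted


def build_rules(observe_further: bool):
    # Constructed rule set: content filter first, BPJM filter second.
    content_filter = DnsFilterRule("content-filter", 1, "192.168.1.0/24",
                                   ["*.gambling-example.test"],
                                   observe_further_rules=observe_further)
    bpjm_filter = DnsFilterRule("bpjm-filter", 2, "192.168.1.0/24",
                                ["*.bpjm-listed.test", "*.example.com"],
                                allowlist=["*.example.com"])
    return [content_filter, bpjm_filter]


if __name__ == "__main__":
    for flag in (False, True):
        print("observe_further_rules =", flag,
              evaluate(build_rules(flag), "192.168.1.20", "www.bpjm-listed.test"))
```

With the option disabled on the content filter rule, a query for a BPJM-listed domain is passed after only the first rule has been consulted; with the option enabled, the BPJM rule is reached and blocks it.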
In rare cases, the BPJM module may block desired domains, because due to TLS only (DNS) domain names and not URL directory levels can be checked. In this case, the desired domains can be added to the "BPJM Allow list", e.g. *.example.com.
The LANCOM router must serve as DNS server or DNS forwarder in the network, i.e. clients in the local network must use the router as DNS server. In addition, the direct use of DNS-over-TLS and DNS-over-HTTPS (possibly browser-internal) with external DNS servers by clients must be prevented.
- The DHCP server must distribute the router's IP address as the DNS server (set up by default by the Internet Wizard).
- Set up firewall rules that prevent direct use of external DNS servers, e.g. by blocking outgoing port 53 (UDP) for clients from the corresponding source network.
- Set up firewall rules that prevent direct use of external DNS servers supporting DNS-over-TLS, e.g. by blocking outgoing port 853 (TCP) for clients from the corresponding source network.
- Disable DNS-over-HTTPS (DoH) in the browser.
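As an added example that is not part of the original article or LANCOM's own tooling, the following script checks constructed connection records for clients that bypass the router as DNS server: plain DNS to an external resolver, DNS-over-TLS on port 853, and HTTPS to resolver addresses on a locally maintained DoH list. It goes slightly beyond the text by also treating TCP port 53 as plain DNS. The router address, the client network, the resolver list and the flow records are all assumptions constructed for the example; DoH cannot be told apart from ordinary HTTPS by port alone, which is why the text recommends disabling it in the browser.

```python
# Added example, not LANCOM's code: find clients that bypass the router's DNS.
# Assumptions (constructed for this example): router address, client network,
# and a locally maintained list of DoH resolver addresses (documentation-range
# placeholders here, not real resolvers).
import ipaddress

ROUTER_IP = ipaddress.ip_address("192.168.1.1")       # assumed router/LAN address
LAN = ipaddress.ip_network("192.168.1.0/24")           # assumed client source network
KNOWN_DOH_RESOLVERS = {ipaddress.ip_address("203.0.113.53")}   # placeholder list

# Constructed sample flows: (source, destination, protocol, destination port)
SAMPLE_FLOWS = [
    ("192.168.1.20", "192.168.1.1", "udp", 53),     # fine: router is the DNS server
    ("192.168.1.21", "198.51.100.1", "udp", 53),    # plain DNS to an external resolver
    ("192.168.1.21", "198.51.100.1", "tcp", 853),   # DNS-over-TLS to an external resolver
    ("192.168.1.22", "203.0.113.53", "tcp", 443),   # HTTPS to a listed DoH resolver
    ("192.168.1.22", "198.51.100.80", "tcp", 443),  # ordinary HTTPS, not flagged
    ("10.0.0.5", "198.51.100.1", "udp", 53),        # outside the filtered source network
]


def classify_flow(src, dst, proto, dport):
    """Return a finding label for one flow, or None if it does not bypass the router DNS."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip not in LAN:
        return None                      # only the filtered source network is of interest
    if dport == 53 and proto in ("udp", "tcp"):
        return None if dst_ip == ROUTER_IP else "plain-dns-bypass"
    if dport == 853 and proto == "tcp":
        return "dns-over-tls-bypass"     # the router does not offer DoT to clients here
    if dport == 443 and proto == "tcp" and dst_ip in KNOWN_DOH_RESOLVERS:
        return "possible-doh"            # only detectable via the maintained list
    return None


def find_bypasses(flows):
    """Return (client, destination, label) for every flow that bypasses the router DNS."""
    findings = []
    for src, dst, proto, dport in flows:
        label = classify_flow(src, dst, proto, dport)
        if label:
            findings.append((src, dst, label))
    return findings


def clients_by_finding(flows):
    """Group offending clients per finding type, e.g. to decide which rule is missing."""
    grouped = {}
    for src, _dst, label in find_bypasses(flows):
        grouped.setdefault(label, set()).add(src)
    return grouped


if __name__ == "__main__":
    for src, dst, label in find_bypasses(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {label}")
```

A non-empty "plain-dns-bypass" or "dns-over-tls-bypass" group indicates that the port 53 (UDP) or port 853 (TCP) rule from the list above is missing or not applied to that source network.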
Notes on synchronizing the firewall's DNS database: a rule may appear not to take effect in the following cases:
- A new firewall rule has been added, but the client still has the DNS record cached.
- Shortly after a router reboot, while the client still has the DNS record cached.
In these cases, clearing the DNS cache on the client, rebooting the client, or waiting for the cached DNS record to expire on the client will help.