by viraptor 3321 days ago
I'm curious what was the biggest issue with whitelisting. Was it about making sure services work, or about standard users' daily work? Did you try to comply on everything, or just have a PCI compliant zone?

Also, do you remember what was the specific reason for failing the audit? This all sounds interesting since you've gone through that experience.


Some of this stuff goes via CDNs. Once you start blocking those, a lot of collateral damage will turn up at unexpected times as providers switch CDNs.
All of the first-party connections seem to have proper DNS names, even on CDN (microsoft.com, microsoft.com.akadns.net). The ad networks are obvious third parties that could be dropped. I mean, there could be more stuff I didn't see, but from the screenshots, DNS blackholing seems viable.
DNS blackholing is playing whack-a-mole. I can blackhole scontent.xx.fbcdn.net today, and I have no assurance or confidence that they won't use scontent.xx.fbcdn2.net tomorrow.

DNS/FW whitelist is the only way to have even a little confidence that egress is controlled at this point.

I meant blackholing as a technique. It can be either a blacklist or a whitelist, and yeah... whitelist seems more secure here
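To make the blacklist-versus-whitelist point above concrete, here is a small added example (my own illustration, not code from anyone in this thread) that evaluates the same set of DNS query names under both policies. The query names, the hypothetical fbcdn2.net host from the comment above, and the example-adnet.test ad domain are constructed sample input; microsoft.com and microsoft.com.akadns.net are the first-party names mentioned in the thread. Matching is done on label boundaries so that a lookalike such as notmicrosoft.com is not treated as a subdomain of microsoft.com.

```python
"""Blacklist (blackhole) vs whitelist egress policy for DNS names.

Added example. Demonstrates why a blackhole list is whack-a-mole:
a provider moving from fbcdn.net to a new domain sails straight
through, while a whitelist denies anything not explicitly approved.
"""
from typing import Iterable, List


def _normalize(name: str) -> str:
    """Lower-case and strip a trailing dot so 'A.B.' and 'a.b' compare equal."""
    return name.strip().rstrip(".").lower()


def _matches(name: str, rule: str) -> bool:
    """True if name equals rule or is a subdomain of rule.

    The check is done on label boundaries: 'notmicrosoft.com' must NOT
    match a rule of 'microsoft.com', even though it ends with that string.
    """
    name, rule = _normalize(name), _normalize(rule)
    return name == rule or name.endswith("." + rule)


def blackhole_policy(queries: Iterable[str], blocked: Iterable[str]) -> List[str]:
    """Blacklist: every name resolves unless it matches a blocked domain."""
    blocked = list(blocked)
    return [q for q in queries if not any(_matches(q, b) for b in blocked)]


def whitelist_policy(queries: Iterable[str], allowed: Iterable[str]) -> List[str]:
    """Whitelist: only names matching an allowed domain resolve."""
    allowed = list(allowed)
    return [q for q in queries if any(_matches(q, a) for a in allowed)]


# Constructed sample of names a client tried to resolve (not real telemetry).
QUERIES = [
    "www.microsoft.com",
    "download.microsoft.com.akadns.net",
    "scontent.xx.fbcdn.net",        # blocked today
    "scontent.xx.fbcdn2.net",       # hypothetical: provider moved domains tomorrow
    "ad-tracker.example-adnet.test",  # constructed ad network name
    "notmicrosoft.com",             # lookalike, must not inherit microsoft.com's trust
]

# Blackhole list built from what was observed so far.
BLOCKED = ["scontent.xx.fbcdn.net", "example-adnet.test"]

# Whitelist of first-party names. Note that microsoft.com.akadns.net is NOT a
# subdomain of microsoft.com (it ends in .akadns.net), so it needs its own entry.
ALLOWED = ["microsoft.com", "microsoft.com.akadns.net"]


def resolved_under_blackhole() -> List[str]:
    """Names that still resolve when only the known-bad list is blackholed."""
    return blackhole_policy(QUERIES, BLOCKED)


def resolved_under_whitelist() -> List[str]:
    """Names that resolve when only first-party domains are permitted."""
    return whitelist_policy(QUERIES, ALLOWED)


def blackhole_leaks() -> List[str]:
    """Names the blackhole approach lets out that the whitelist would have stopped."""
    allowed = set(resolved_under_whitelist())
    return [q for q in resolved_under_blackhole() if q not in allowed]


if __name__ == "__main__":
    print("blackhole resolves:", resolved_under_blackhole())
    print("whitelist resolves:", resolved_under_whitelist())
    print("leaked by blackhole only:", blackhole_leaks())
```

Running it shows the renamed CDN host and the lookalike domain both resolving under the blackhole list, while the whitelist passes only the two Microsoft names. The same logic maps directly onto a resolver policy zone or an egress firewall rule set: the blocked list is a denylist RPZ, the allowed list is a default-deny zone with explicit passthrough entries.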