by ktta
2994 days ago
The average user doesn't want to buy more hardware, and flashing an existing router can be done in an evening. Also, why Bind9? I don't see what's wrong with dnsmasq and changing the hosts file for a blocklist. Also, I often advise against network-wide blocklists unless you're the only one using the network, since subtle things break. Here's what I do: https://news.ycombinator.com/item?id=14780738 The only thing different is that I use wireguard and dnsmasq now.
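For readers who want to see what the dnsmasq-plus-hosts-file approach mentioned above looks like in practice, here is an added example (not ktta's own configuration; the file paths, the upstream resolver and the blocked domain names are all assumed):

```conf
# /etc/dnsmasq.d/blocklist.conf  (added example; paths and domains are assumed)

# Forward everything we do not answer ourselves to one upstream resolver.
server=9.9.9.9

# Option 1: a plain hosts-format file as the blocklist. One name per line,
# so "ads.example.net" is blocked but "cdn.ads.example.net" is not.
# Contents of /etc/dnsmasq.blocklist (constructed sample):
#     0.0.0.0 ads.example.net
#     0.0.0.0 tracker.example.org
addn-hosts=/etc/dnsmasq.blocklist

# Option 2: block a whole domain including every subdomain. Queries for
# telemetry.example.com and anything under it are never forwarded and
# always get the null address back.
address=/telemetry.example.com/0.0.0.0
address=/telemetry.example.com/::

# Option 3: make a whole domain NXDOMAIN instead of returning an address:
# names under it are answered only from /etc/hosts and DHCP leases, so an
# unknown name gets NXDOMAIN rather than a bogus A record.
local=/malware.example/
```

Check the syntax with `dnsmasq --test -C /etc/dnsmasq.d/blocklist.conf` before restarting, then confirm the result with `dig @127.0.0.1 ads.example.net` (expect 0.0.0.0) and `dig @127.0.0.1 foo.malware.example` (expect status NXDOMAIN). The "subtle things break" caveat applies here exactly as stated in the post: a site whose scripts or login flow load from a blocked domain will half-work, and there is no per-client distinction, so every device on the network gets the same answers.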
Bind9 seems to be better for blocking. RPZ is made for it. I don't think dnsmasq supports RPZ though projects like Pi-Hole use dnsmasq. I'm not positive, but I think RPZ is more flexible. Bind9 seems to do anything you like. I may want to resolve DNS myself and not just forward.
I'm starting to look into configuring Bind9 to have different blocking per user using "views." Some want Facebook, some don't, so I can block accordingly. I'm not sure you can do that in dnsmasq. I did discover subtle things break, like you can't block Facebook and still access Instagram, thus the "views" approach. I don't want to change hosts file on every device, especially mobiles, and can even provide some protection for guests this way. I might do a captive page for a blocked domain and let people bypass in their view if they like, then I can have a "block-first" approach.
I do like network-wide blocking for the malware lists - if anyone acquires malware, it can't phone home (if it's on the list) and I can detect it via logs. DNS as firewall seems to be a trend. I'm looking into blocking IPs via iptables as well using public lists. Maybe I'll even set up Snort or Bro. The possibilities are endless.
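The RPZ-plus-views setup the reply describes (per-client blocking, a shared malware list, and the option of a captive page instead of NXDOMAIN) can be expressed as a small named.conf fragment and one policy zone file. This is an added example, not the commenter's own configuration: the subnets, the 192.168.1.2 captive-page host, the zone names and file paths are all assumed.

```conf
# --- named.conf fragment (added example; ACL subnets and file paths are assumed) ---
acl "strict"  { 192.168.1.0/24; };   # clients that should not reach Facebook
acl "relaxed" { 192.168.2.0/24; };   # guests and anyone who opted out

options {
    directory   "/var/cache/bind";
    recursion   yes;
    allow-query { localnets; };
};

# Once any view exists, every zone (RPZ zones included) must live inside a view.
# Policy zones are evaluated in the order listed; the first match wins.
view "strict" {
    match-clients   { strict; };
    response-policy { zone "rpz.malware"; zone "rpz.social"; };
    zone "rpz.malware" { type master; file "/etc/bind/rpz.malware.db"; allow-transfer { none; }; };
    zone "rpz.social"  { type master; file "/etc/bind/rpz.social.db";  allow-transfer { none; }; };
};

view "relaxed" {
    match-clients   { relaxed; };
    response-policy { zone "rpz.malware"; };   # malware list only, no social blocking
    zone "rpz.malware" { type master; file "/etc/bind/rpz.malware.db"; allow-transfer { none; }; };
};

; --- /etc/bind/rpz.social.db (added example; records are constructed) ---
$TTL 300
@               IN SOA  localhost. hostmaster.localhost. ( 1 3600 900 604800 300 )
                IN NS   localhost.
; CNAME "." rewrites the answer to NXDOMAIN. The wildcard is needed because
; the apex record alone does not cover www.facebook.com or other subdomains.
facebook.com    IN CNAME .
*.facebook.com  IN CNAME .
; Captive-page variant: answer with the local web server instead, so the
; user sees a "blocked here, ask to be moved to the relaxed view" page.
; Use these two lines INSTEAD of the CNAME lines above, never both.
; facebook.com    IN A  192.168.1.2
; *.facebook.com  IN A  192.168.1.2

; --- /etc/bind/rpz.malware.db (added example; the domain is a placeholder) ---
$TTL 300
@                   IN SOA  localhost. hostmaster.localhost. ( 1 3600 900 604800 300 )
                    IN NS   localhost.
c2.malware.example  IN CNAME .
```

Validate with `named-checkconf` and `named-checkzone rpz.social /etc/bind/rpz.social.db`, reload with `rndc reload`, then test from a host in each subnet: `dig facebook.com` should return status NXDOMAIN from 192.168.1.0/24 and a normal answer from 192.168.2.0/24. Every RPZ rewrite is logged by named (search the log for "rpz"), which is the detection hook the reply mentions for machines that try to phone home. Note that the wildcard only covers names under facebook.com itself; properties served from other domains are untouched unless they get their own records, which is exactly where the "subtle things break" problems come from.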