[jerf]

Conceivably we could take a harder line on this, if we get a little deeper into the routing. We could make it so we only whitelist IP addresses outbound if we saw them come back through our DNS server, and network block everything else. Then if you bypass my DNS server, you don't get to talk to the Internet, unless you directly pick an address that something else has whitelisted that way.

I'm thinking about this, and feeling like the PiHole is a nice start, and I mean that sincerely, not sarcastically or dismissively, but what we need is a whole-house reverse firewall with that sort of capabilities, including everything the PiHole already does. If you did TLS interception, you could also pretty much implement uMatrix at the household level, for instance.

[Piskvorrr]

Interesting, interesting. Note that long DNS TTLs will break this: your DNS server needs to hand out artificially short TTLs so that clients will keep re-querying (within the local network).

[jerf]

I was also considering going the opposite direction and given extremely long permissions to the IP in question, i.e., longer than any practical DNS TTL. In general, I'm not too worried about a good IP becoming bad, and if an IP can be both "good" and "bad" this way I'm not going to block it with this technique anyhow. It'd be a potential hole, but if this non-existent project got to the point that it was being that directly targeted, that'd only mean we got pretty successful to even get to that point. :)

I should probably make an explicit point that I left implicit; I'm interested in anyone popping up and telling me "Hey, this thing exists already and it's http://...".

(I find myself wondering if I finally found my Rust project...)