by ggg2 2547 days ago
so true. the fact that browsers have dns resolvers is weird.

to me only the kernel could do it, and it would limit outgoing port 53 by default to every other process.

if I want to set configuration on my hosts file I damn sure want everything to follow it, not have to worry about thousands of applications that might or might not use it.

1 comment

On Linux (and probably macOS, Windows), the kernel doesn't do DNS name resolution. The kernel provides the network stack which does IP, and also TCP and UDP. On Linux you need a tool that can do DNS operations, like NetworkManager, dhcpcd, dhclient, systemd-resolved. You could use SELinux to restrict port access.
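
An added example, not part of the thread above: a small audit that reads `ss -H -tunp` style output and reports which processes hold connections to remote port 53 themselves instead of going through the system resolver. The sample lines, addresses, process names and the `ALLOWED_RESOLVERS` set are constructed assumptions for illustration.

```python
import re

# Constructed sample in the column layout of `ss -H -tunp` (no header row):
# Netid State Recv-Q Send-Q Local:Port Peer:Port Process
SAMPLE_SS = """\
udp ESTAB 0 0 192.168.1.10:54321 192.168.1.1:53 users:(("systemd-resolve",pid=612,fd=20))
tcp ESTAB 0 0 192.168.1.10:44120 203.0.113.7:443 users:(("firefox",pid=2301,fd=88))
udp ESTAB 0 0 192.168.1.10:40112 198.51.100.53:53 users:(("chrome",pid=3100,fd=45))
tcp ESTAB 0 0 [2001:db8::10]:51514 [2001:db8::53]:53 users:(("updater",pid=4242,fd=7),("updater",pid=4243,fd=7))
udp ESTAB 0 0 192.168.1.10:5353 192.168.1.20:5353 users:(("avahi-daemon",pid=700,fd=12))
"""

# Assumption: the only processes expected to speak DNS on this host.
# ss shows the kernel's 15-character comm name, hence "systemd-resolve".
ALLOWED_RESOLVERS = {"systemd-resolve", "dnsmasq", "unbound"}

# One ("name",pid=N,fd=N) entry inside the users:(...) column.
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+),fd=\d+\)')


def peer_port(endpoint):
    """Return the port part of 'addr:port'; also works for '[v6addr]:port'."""
    return endpoint.rpartition(":")[2]


def direct_dns_clients(ss_output, allowed=ALLOWED_RESOLVERS):
    """List (name, pid, proto, peer) for non-resolver processes using port 53."""
    findings = set()
    for line in ss_output.splitlines():
        fields = line.split(None, 6)
        if len(fields) < 7:
            continue  # no process column (ss run without privileges) or malformed
        proto, peer, procs = fields[0], fields[5], fields[6]
        if peer_port(peer) != "53":
            continue  # not classic DNS; mDNS on 5353 is skipped as well
        for name, pid in PROC_RE.findall(procs):
            if name not in allowed:
                findings.add((name, int(pid), proto, peer))
    return sorted(findings)


if __name__ == "__main__":
    for name, pid, proto, peer in direct_dns_clients(SAMPLE_SS):
        print(f"{name} (pid {pid}) talks {proto} directly to {peer}")
```

This only sees plain DNS on port 53; an application resolving names over DNS over HTTPS uses port 443 and will not appear in the result.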