by sargstuff 889 days ago
API for domain policy enforcement/filtering is typically handled by the server/gateway service handling DNS requests (per NAT'ing, local/non-local addressing, subnetting, virtual addressing, etc.).

aka app uses DNS service. Typically, the gateway/server of the DNS service does appropriate checks per system/network administration setups/policies. The aforementioned DNS service returns a 'failure to resolve' if the domain/address doesn't meet 'valid/appropriate' policy/rules.

An application on a properly configured network/box should only have to verify an address/domain exists / is reachable via DNS lookup [1].

An application / non-server box / non-gateway box attempting to do this via other methods may be taken to be malicious / violating the network policy of the domain the box running the app is on.

From the system/network administrator's view, an end-user box suddenly starts using information related to malicious sites. aka the system/network administrator sees 'information related to malicious sites' and not 'this is a query to see if this information is related to a malicious site'.

Fail2ban [2] / unbound [3] / dnsmasq [4] or BIND [5] are some programs run as a system service which make use of DNS queries to let an app know if a domain is a 'do not use'.

-------

[1] : a) https://stackoverflow.com/questions/41060027/how-to-use-nslo...
      b) https://community.jisc.ac.uk/library/janet-services-documentation/how-block-or-sinkhole-domains-bind

[2] : fail2ban blacklisting : https://en.wikipedia.org/wiki/Fail2ban

[3] : unbound blacklisting : https://www.howtoforge.com/how-to-set-up-local-dns-with-unbo...

[4] : dnsmasq blacklisting : https://alblue.bandlem.com/2020/05/using-dnsmasq.html

[5] : BIND blacklisting : https://community.jisc.ac.uk/library/janet-services-document...
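An added example (not from the comment above or from the unbound/dnsmasq projects) of the split the comment describes: the resolver carries the policy, rendered here as unbound `local-zone ... always_nxdomain` and dnsmasq `address=/.../0.0.0.0` lines from a blocklist, and the app only asks the OS resolver and treats NXDOMAIN or a sinkhole address as "do not use". The domain names and the in-memory resolver table are constructed for the demo.

```python
import socket
from typing import Callable, Iterable

# Addresses a sinkholing resolver commonly hands back instead of NXDOMAIN.
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::", "::1"}


def unbound_blocklist(domains: Iterable[str]) -> str:
    """Render unbound.conf lines that answer NXDOMAIN for each blocked domain."""
    return "\n".join(f'local-zone: "{d}" always_nxdomain' for d in domains)


def dnsmasq_blocklist(domains: Iterable[str]) -> str:
    """Render dnsmasq.conf lines that answer with the 0.0.0.0 sinkhole address."""
    return "\n".join(f"address=/{d}/0.0.0.0" for d in domains)


def system_resolve(name: str) -> list[str]:
    """Ask the OS resolver, i.e. the local policy-enforcing DNS service."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})


def domain_usable(name: str, resolve: Callable[[str], list[str]] = system_resolve) -> bool:
    """True only if the resolver returns a routable, non-sinkhole address.

    A resolution failure (NXDOMAIN/SERVFAIL) or a sinkhole answer both mean
    the network policy says 'do not use'; the app never consults any other
    reputation source itself.
    """
    try:
        addrs = resolve(name)
    except socket.gaierror:
        return False
    return bool(addrs) and not any(a in SINKHOLE_ADDRS for a in addrs)


# Constructed stand-in for the resolver so the check runs offline:
# one allowed name, one sinkholed name, everything else NXDOMAIN.
CONSTRUCTED_TABLE = {
    "ok.example": ["198.51.100.10"],
    "sinkholed.example": ["0.0.0.0"],
}


def constructed_resolver(name: str) -> list[str]:
    if name not in CONSTRUCTED_TABLE:
        raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")
    return CONSTRUCTED_TABLE[name]


if __name__ == "__main__":
    print(unbound_blocklist(["sinkholed.example", "gone.example"]))
    for n in ("ok.example", "sinkholed.example", "gone.example"):
        print(n, "usable" if domain_usable(n, constructed_resolver) else "do not use")
```

Pass `system_resolve` (the default) instead of `constructed_resolver` to run the same check against the real local resolver.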