by hruzgar 849 days ago
There is a possibility of doing it. Or better said I had an idea the last few months on how to possibly do this. I have written a detailed explanation here if anybody wants to see it:

https://discuss.privacyguides.net/t/why-did-nobody-do-this-d...

The idea basically is to block all IPs which weren't resolved by the DNS server in a past specific time period (for example in the last 3 minutes). So all static IPs would be blocked by default. When a domain gets resolved by the DNS server, the IP address gets added to the whitelist for a specific amount of time.

There are some issues. For example if somebody downloads something, the IP address might only get resolved once but the download happens by directly connecting to the IP address. But I think these issues are definitely solvable.

Would be interested to hear other people's thoughts on this.

edit: of course this is for home network filtering purposes. If governments did this we are not in a good position.

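An added toy model of the mechanism described in the post (example code written for this page, not from the post or the linked thread): IPs become reachable only for a window after the resolver answered for them, and the download failure mode the post mentions is reproduced along with one possible mitigation. The DNS-proxy hook, the per-connection check and every IP address below are assumptions or constructed samples.

```python
# Added example, not from the post. Assumptions: a DNS proxy reports every
# answered A/AAAA record via observe_dns_answer(); the packet filter calls
# is_allowed() for each *new* outbound connection. All IPs are constructed.
from ipaddress import ip_address, ip_network


class DnsGatedAllowlist:
    def __init__(self, window=180.0, refresh_on_use=False, static_allow=()):
        self.window = window                  # seconds an answered IP stays allowed ("last 3 minutes")
        self.refresh_on_use = refresh_on_use  # slide the expiry forward on each allowed connection
        self.static_allow = [ip_network(n) for n in static_allow]  # e.g. the resolver itself
        self._expiry = {}                     # ip_address -> absolute expiry time

    def observe_dns_answer(self, name, answers, now):
        """Every IP the resolver hands out becomes reachable for `window` seconds."""
        for ip in answers:
            self._expiry[ip_address(ip)] = now + self.window

    def is_allowed(self, dst, now):
        """Decision for a new outbound connection to `dst` at time `now`."""
        dst = ip_address(dst)
        if any(dst in net for net in self.static_allow):
            return True
        expiry = self._expiry.get(dst)
        if expiry is None or now > expiry:
            self._expiry.pop(dst, None)       # never resolved, or resolved too long ago: blocked
            return False
        if self.refresh_on_use:
            self._expiry[dst] = now + self.window
        return True


def simulate(refresh_on_use=False):
    """Returns (resolved_ok, static_blocked, late_connection_ok)."""
    fw = DnsGatedAllowlist(window=180.0, refresh_on_use=refresh_on_use,
                           static_allow=["192.0.2.53/32"])       # constructed: the local resolver
    fw.observe_dns_answer("cdn.example", ["198.51.100.10"], now=0.0)
    resolved_ok = fw.is_allowed("198.51.100.10", now=10.0)       # answered 10 s ago
    static_blocked = not fw.is_allowed("203.0.113.5", now=10.0)  # never resolved
    # Download failure mode from the post: the client keeps opening connections to
    # the same IP (chunked download) without re-resolving, one every 100 s.
    late = [fw.is_allowed("198.51.100.10", now=t) for t in (100.0, 200.0, 300.0)]
    return resolved_ok, static_blocked, late[-1]
```

With a fixed window the third late connection is refused because the DNS answer is older than 180 s; with `refresh_on_use=True` each allowed connection extends the window, so an ongoing transfer keeps working while an IP nobody ever resolved stays blocked.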

It could work, as it's pretty rare for IP addresses to be used directly and not through DNS, but that also defeats the purpose of the mechanism: it doesn't add anything of value if everyone is using DNS. Even malware writers will purchase several domain names (several for redundancy from government take downs) so that they can rotate command servers easily.

yeah kinda true. But if you had a whitelist (I know this would be very hard to maintain etc) instead of a blacklist, you could have the most secure network blocker ever created for consumers. Malware could still leak from some of the "safe" domains but it would definitely be A LOT safer than any conventional IP or DNS blocking.