SIDN / spin

SPIN Core Software
https://spin.sidnlabs.nl
GNU General Public License v2.0
76 stars, 9 forks

Feature request: DNS-based blocks #36

Open mdavids opened 6 years ago

mdavids commented 6 years ago

Sometimes service.example.com resolves to many IP addresses, for example when it is provided by a CDN.

Blocking 'service.example.com' in the 'bolletjesapp' therefore has limited effect, until all possible options are blocked.

Proposal: a DNS-block. The user only has to block 'service.example.com' once.

ElmerLastdrager commented 6 years ago

Something to consider: what if the user's DNS traffic is encrypted and is not seen by SPIN? Out of scope, but if we implement DNS blocking, this should be made clear to the user through the interface.

tjeb commented 6 years ago

There could be several ways to do something like this, each with their own possibilities and drawbacks; if you do direct DNS-based blocking on the name (and on a suffix), then indeed, only plaintext queries would be blocked. Another option could be to not allow suffixes but only FQDNs, resolve them, and block those IPs (and repeat after TTL, or a certain time based on that). Less powerful in itself, but more general than meddling with DNS queries.
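The second option in the comment above (accept only FQDNs, resolve them, block the resulting addresses, and re-resolve once the TTL runs out), worked through as an added example. This is not SPIN project code and not a proposal from the thread's participants; the resolver is an in-memory stub with constructed answers so it runs offline, and the `min_ttl` floor, the `grace` period that keeps older answers blocked while a CDN rotates through addresses, and the class and method names are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

# Constructed sample DNS answers (an assumption for this example, not real records):
# name -> (addresses, TTL in seconds).
FAKE_DNS: Dict[str, Tuple[List[str], int]] = {
    "service.example.com": (["192.0.2.10", "192.0.2.11", "2001:db8::10"], 60),
    "other.example.net": (["198.51.100.5"], 300),
}


def stub_resolve(name: str) -> Tuple[List[str], int]:
    """Stand-in for a real lookup: returns (addresses, ttl), or ([], 0) for an unknown name."""
    return FAKE_DNS.get(name, ([], 0))


@dataclass
class BlockedName:
    next_refresh: float                                          # when to re-resolve this name
    addresses: Dict[str, float] = field(default_factory=dict)    # address -> time it stops being blocked


class DnsBlockList:
    """Blocks every address an FQDN currently resolves to and re-resolves after the TTL."""

    def __init__(self, resolve: Callable[[str], Tuple[List[str], int]],
                 min_ttl: int = 30, grace: int = 300) -> None:
        self.resolve = resolve
        self.min_ttl = min_ttl   # floor on the re-resolve interval so tiny TTLs do not hammer the resolver
        self.grace = grace       # keep an address blocked this long past its TTL; CDNs rotate answers
        self.names: Dict[str, BlockedName] = {}

    def block_fqdn(self, name: str, now: float) -> Set[str]:
        """Register a fully qualified name (suffixes and wildcards are rejected) and block its addresses."""
        name = name.strip().rstrip(".").lower()
        if not name or name.startswith("*") or name.startswith("."):
            raise ValueError("only fully qualified names are accepted, not suffixes or wildcards")
        self.names.setdefault(name, BlockedName(next_refresh=now))
        return self._resolve_into(name, now)

    def _resolve_into(self, name: str, now: float) -> Set[str]:
        """Resolve one name, extend the expiry of its addresses, and return any newly blocked ones."""
        entry = self.names[name]
        addrs, ttl = self.resolve(name)
        interval = max(ttl, self.min_ttl)
        entry.next_refresh = now + interval
        added: Set[str] = set()
        for raw in addrs:
            addr = str(ipaddress.ip_address(raw))        # canonical form; rejects garbage answers
            if addr not in entry.addresses or entry.addresses[addr] <= now:
                added.add(addr)
            entry.addresses[addr] = now + interval + self.grace
        return added

    def refresh(self, now: float) -> Set[str]:
        """Re-resolve every name whose TTL has run out and drop addresses past their grace period."""
        added: Set[str] = set()
        for name, entry in self.names.items():
            if entry.next_refresh <= now:
                added |= self._resolve_into(name, now)
            for addr in [a for a, expiry in entry.addresses.items() if expiry <= now]:
                del entry.addresses[addr]
        return added

    def blocked_addresses(self, now: float) -> Set[str]:
        """Union of all addresses currently blocked; this is what a firewall rule set would be built from."""
        return {a for e in self.names.values() for a, expiry in e.addresses.items() if expiry > now}

    def is_blocked(self, ip: str, now: float) -> bool:
        return str(ipaddress.ip_address(ip)) in self.blocked_addresses(now)


if __name__ == "__main__":
    bl = DnsBlockList(stub_resolve)
    print("blocked now:", sorted(bl.block_fqdn("service.example.com", now=0.0)))
    # Simulate the CDN handing out a different address on the next lookup.
    FAKE_DNS["service.example.com"] = (["192.0.2.12"], 60)
    print("added after TTL:", sorted(bl.refresh(now=61.0)))
    print("still blocked:", sorted(bl.blocked_addresses(now=61.0)))
```

Two design points follow from the comment's caveats: the list only ever contains addresses the resolver has actually returned, so a name that has moved to an address SPIN never observed is not covered until the next re-resolve, and the grace period trades some over-blocking for coverage of answers the CDN rotated away from. Neither depends on seeing the client's own DNS queries, which is why this approach keeps working when those queries are encrypted.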