tnodir / fort

Fort Firewall for Windows
GNU General Public License v3.0

Block by domain #28

Open ghost opened 2 years ago

ghost commented 2 years ago

Hi, It would be nice if Fort would block domains and have wildcard support and all that.

I think Simplewall used to have this feature, but I saw how nice it was when I installed popOS! to play with Linux and see if it was useful for me for the type of software I use, and the performance of wine and all that (it wasn't, Windows makes life easier). The only decent firewall I found to control apps connections was opensnitch and while it is not great, the only cool feature I found was that it can block by domain (see the OpenSnitch wiki for how it works).

Blocking by IP should work most of the time and could even allow a feature like "block by country" to be implemented like (I think) Portmaster implemented, but in today's internet world where many companies have 1 domain linked to many IPs, blocking by domain could make things easier and better, and since you are working in the Network Rules tab, I thought it was a good day to request it so Hosts file doesn't have to be used for that anymore, and using it with OpenSnitch was cool and easy.

Thank you and have a good day.

tnodir commented 2 years ago

Hi, Thanks for the feature suggestion.

I'll look at Opensnitch.

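I was planning to implement the feature as follows:

  • include dnscrypt-proxy to Fort's Installer
  • optionally install the dnscrypt-proxy as global system wide DNS resolver from Fort's UI
  • manage dnscrypt-proxy's filtering by Fort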

Similar mechanism uses the priv10.

What do you think about dnscrypt-proxy?

ghost commented 2 years ago

dnscrypt-proxy sounds like a good approach, I used PrivateWin10 and it seemed to do the job fine. Are you planning a 'simple' implementation like PrivateWin10, or do you want something like Simple DNSCrypt or something in between?

The only problem I see, or better said, the difference from the opensnitch firewall approach is that (correct me if I am wrong) if you go by the dnscrypt route then it will be a global thing, and for the way dnscrypt does things it will be more about 'blacklisting' domains. So, if you blacklist bing or some google domain it will be blacklisted everywhere, not by app. Also, everything is allowed unless you add the address to the blacklist so unless someone does an 'allowlist-only' mode, it is like only about blocking domains and not having too much control like it can be done just with IPs in Fort today.

Opensnitch on the other hand lets you do it by app so you can for example allow only bing domain for the browser but it will be blocked in Windows search or the welcome screen and wherever it can be seen in Windows. Or, like when I used Linux, I had to whitelist a program that ran on wine, so all I did was to allow wine program with the license.example.com domain on it, and just like that everything worked as I wanted and everything else would stay blocked, so I didn't have to check the IPs and make sure I wasn't allowing it something I didn't want to.

Even in Fort I do something like that in the IPv4 tab, I have Opera VPN range IPs to the exclude list in Internet Addresses, and that means everything else in Opera stays blocked in Programs but I can browse if I use the VPN feature.

Those are the observations I can think of, since the implementation means Fort acting as a front end of a 3rd party program. Of course, I could be wrong but I see and understand the reasons to implement Dnscrypt-proxy in Fort like PrivateWin10 did. It seems like it should be easier to implement and would do

tnodir commented 2 years ago

Ideally of course I want to block domains per application if it'll be possible.

But we can't properly track which app requested the domain, because often requests go through DNSClient service.

Maybe we can work around the problem by dynamically actualizing Fort's IP addresses for domains with interacting Fort <-> dnscrypt-proxy.

I need to research.
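The trade-off discussed in the comments above (global DNS blocklist versus per-app domain rules, and the idea of feeding resolved IP addresses back into the firewall) can be modelled in a few lines. This is an added example, not Fort's or dnscrypt-proxy's code; the `on_dns_answer` hook, the application names and the IP addresses are constructed assumptions.

```python
import time

def domain_matches(pattern, domain):
    """'*.example.com' matches subdomains only, on a label boundary."""
    if pattern.startswith("*."):
        return domain.endswith(pattern[1:])
    return domain == pattern

class DomainRules:
    """Per-app domain allowlist, enforced by IP from observed DNS answers."""
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.allowed = {}   # app path -> [domain patterns]
        self.seen = {}      # ip -> {domain: expiry time}

    def allow(self, app, pattern):
        self.allowed.setdefault(app, []).append(pattern.lower())

    def on_dns_answer(self, domain, ips, ttl):
        # Hypothetical hook: the resolver reports every answer it returns.
        name = domain.lower().rstrip(".")
        for ip in ips:
            self.seen.setdefault(ip, {})[name] = self.clock() + ttl

    def check_connect(self, app, ip):
        # Default deny: the IP must map to a live domain the app may reach.
        now = self.clock()
        live = [d for d, exp in self.seen.get(ip, {}).items() if exp > now]
        return any(domain_matches(p, d)
                   for p in self.allowed.get(app, []) for d in live)

def demo():
    t = [0.0]                                   # fake clock for the example
    fw = DomainRules(clock=lambda: t[0])
    fw.allow("wine-app.exe", "license.example.com")   # constructed rules
    fw.allow("browser.exe", "*.example.org")
    fw.on_dns_answer("license.example.com.", ["192.0.2.10"], ttl=60)
    fw.on_dns_answer("www.example.org", ["198.51.100.7"], ttl=60)
    fw.on_dns_answer("tracker.example.net", ["192.0.2.10"], ttl=60)  # shared IP
    out = {
        "app_to_license": fw.check_connect("wine-app.exe", "192.0.2.10"),
        "app_to_web": fw.check_connect("wine-app.exe", "198.51.100.7"),
        "browser_to_web": fw.check_connect("browser.exe", "198.51.100.7"),
        "unresolved_ip": fw.check_connect("browser.exe", "203.0.113.5"),
    }
    t[0] = 61.0                                 # DNS answer has expired
    out["after_ttl"] = fw.check_connect("wine-app.exe", "192.0.2.10")
    return out
```

Because enforcement happens on the IP, an app allowed to reach `license.example.com` can also reach any other name served from the same address (here `tracker.example.net`); the model cannot tell them apart, which is the limit of this approach when the firewall does not know which app asked for which name.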

tnodir commented 2 years ago

https://safing.io/blog/2021/03/23/attributing-dns-requests-on-windows/

canny[bot] commented 2 years ago

This issue has been linked to a Canny post: Block by domain :tada:

6677028 commented 1 year ago

> Hi, Thanks for the feature suggestion.
>
> I'll look at Opensnitch.
>
> I was planning to implement the feature as follows:
>
>   • include dnscrypt-proxy to Fort's Installer
>   • optionally install the dnscrypt-proxy as global system wide DNS resolver from Fort's UI
>   • manage dnscrypt-proxy's filtering by Fort
>
> Similar mechanism uses the priv10.
>
> What do you think about dnscrypt-proxy?

Have these features been updated in version 3.7.0?

tnodir commented 1 year ago

> Have these features been updated in version 3.7.0?

No, this feature is not implemented yet.

6677028 commented 1 year ago

I am a new user. Do you have a user manual? It's nice to have DNSCrypt Proxy. I won't have to use more https://github.com/DNSCrypt/dnscrypt-proxy

tnodir commented 1 year ago

@6677028 You have to use DNSCrypt Proxy. Fort can NOT block by domain names.

tnodir commented 1 year ago

https://blog.openziti.io/private-dns-on-windows

realgooseman commented 2 weeks ago

Any updates on this?

tnodir commented 2 weeks ago

> Any updates on this?

There are no plans for updates in the near future, because of other tasks.