
My next firewall will have some kind of machine/port/etc filtering that allows me to whitelist where say my tv/etc can communicate. Even if I have to write it myself because I'm not aware of anything 1/2 as user friendly as the 3rd party "Windows X Firewall control" applet that works on a network level. Yes my current firewall can do this, but it requires me hand-entering ip/port/etc combinations in a UI that is terrible.

So, while I use an adblock list with my unbound caching DNS server, it only works with devices which honor the local network DNS settings, which are becoming fewer and fewer thanks to the efforts of the major players to _HELP_ everyone with DOH. A protocol without an easy way to MITM/filter the requests even when the user wants it.



> So, while I use an adblock list with my unbound caching DNS server, it only works with devices which honor the local network DNS settings...

I co-develop a FOSS DNS + Firewall for Android that prevents apps from doing their own DNS over HTTPS / TLS / QUIC by blocking all connections to IPs that the DNS client (embedded within the firewall) hasn't resolved itself or the TTL of whatever answer it once resolved has expired. Something similar to this could and should be implemented by other firewalls, too. The result of such a blanket setting is devastating though, as some apps (like Telegram) refuse to do plain-old DNS and hence refuse to connect at all (so, one may have to selectively allowlist certain IPs / apps). This also has a happy side-effect (or annoying side-effect, depending on how one looks at it) of breaking apps connecting to static IP endpoints (ex: Orbot connecting to Tor bridges).
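The mechanism described in this comment (and the adblock-list resolver from the parent comment) can be sketched as a small simulation. This is an added example, not code from RethinkDNS or from either commenter: the resolver consults a blocklist, remembers every IP it hands out together with the answer's TTL, and the egress check only passes traffic to an IP that is currently pinned by such an answer or that sits on an explicit static allowlist (the escape hatch the comment mentions for apps that talk to fixed IPs). Upstream answers, the blocklist and all addresses are constructed inputs; the clock is injectable so TTL expiry can be exercised without waiting.

```python
import time
from typing import Callable, Dict, FrozenSet, Iterable, List, Tuple


class FakeClock:
    """Constructed clock so the TTL behaviour can be driven deterministically."""

    def __init__(self, start: float = 1000.0) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class DnsGatedFirewall:
    """Egress filter that only allows connections to IPs its own resolver
    handed out, and only while those answers are still within their TTL.

    Apps that bypass the local resolver (DoH/DoT/DoQ to a third party) never
    get an IP pinned here, so their connections are refused by default.
    """

    def __init__(
        self,
        blocklist: Iterable[str],
        static_allow: Iterable[str] = (),
        clock: Callable[[], float] = time.monotonic,
    ) -> None:
        self.blocklist: FrozenSet[str] = frozenset(n.lower().rstrip(".") for n in blocklist)
        self.static_allow: FrozenSet[str] = frozenset(static_allow)
        self.clock = clock
        self._pins: Dict[str, float] = {}  # ip -> expiry timestamp

    def _is_blocked(self, name: str) -> bool:
        # Match the name itself and every parent domain, as adblock lists usually expect.
        labels = name.lower().rstrip(".").split(".")
        return any(".".join(labels[i:]) in self.blocklist for i in range(len(labels)))

    def resolve(self, name: str, upstream_answers: List[Tuple[str, int]]) -> List[str]:
        """Answer a client query from constructed upstream (ip, ttl) records.

        Blocked names get an empty answer; every IP in a served answer is
        pinned until its TTL runs out, extending an existing pin if longer.
        """
        if self._is_blocked(name):
            return []
        now = self.clock()
        served: List[str] = []
        for ip, ttl in upstream_answers:
            self._pins[ip] = max(self._pins.get(ip, 0.0), now + ttl)
            served.append(ip)
        return served

    def egress_allowed(self, ip: str) -> bool:
        """Decide whether a new connection to `ip` may leave the device."""
        if ip in self.static_allow:
            return True
        expiry = self._pins.get(ip)
        if expiry is None:
            return False  # never resolved through us: likely bypassed DNS
        if expiry <= self.clock():
            del self._pins[ip]  # answer aged out; the app must re-resolve
            return False
        return True


if __name__ == "__main__":
    clk = FakeClock()
    fw = DnsGatedFirewall(
        blocklist={"tracker.example"},
        static_allow={"198.51.100.7"},  # constructed "bridge" style static endpoint
        clock=clk,
    )
    print(fw.resolve("ads.tracker.example", [("203.0.113.9", 60)]))  # blocked -> []
    print(fw.resolve("cdn.example", [("203.0.113.10", 30)]))  # served and pinned
    print(fw.egress_allowed("203.0.113.10"))  # True while TTL lasts
    clk.advance(31)
    print(fw.egress_allowed("203.0.113.10"))  # False after expiry
    print(fw.egress_allowed("192.0.2.1"))  # False: never resolved here
    print(fw.egress_allowed("198.51.100.7"))  # True via static allowlist
```

The TTL-based expiry is what makes the filter strict rather than a one-time allowlist: an app that caches an address longer than the resolver permitted is cut off until it asks again, which is also why static-IP clients need the explicit allowlist the comment describes.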


What is the name of the application?


You would find it here: https://rethinkdns.com/downloads


To be fair though, being able to MITM the DNS is kind of a massive security hole. One you are abusing in a productive way but one that many others abuse in very non-productive ways.


I don’t think that is fair at all. It is architecturally appropriate for every site to run DNS resolvers and most of them do outside of the residential space. This isn’t a man in the middle attack and selectively blocking queries according to local preferences doesn’t make it one.


When my ISP decides to replace DNS traffic I call it a MiTM. I happen to be technical enough to fix it. Many of my friends are not.



