Who’s bringing sexy back? DNS FILTERING! WOO!
Actually, it’s hard to think of anything less sexy than a network service that most people don’t even know exists.
Still, the idea that breaking the operation of DNS is a useful tool is both obvious and counterintuitive. Back in the days of web proxy servers, we put “undesirable” domains into the HOSTS file to essentially block the sites. DNS filtering is functionally the same thing, with extensive block lists essentially dead-ending requests.
That’s of course assuming that the calls don’t have hard-coded IP targets (which wouldn’t be a great practice), or that the application/device doesn’t make DNS queries directly to DNS servers not listed on the connection properties. This is, in my opinion, a bad actor practice. Guess what? Google does it.
The solution is to block egress DNS calls from your LAN (aside from your local resolver/forwarder).
Ugh.
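As an added example (not from the original post or the video), this sketch applies that egress rule to constructed flow records and reports which LAN devices tried to reach outside DNS servers directly. The LAN range, resolver address and record format are assumptions.

```python
import ipaddress
from collections import Counter

# Assumptions for this sketch (not from the original post):
LAN = ipaddress.ip_network("192.168.1.0/24")          # constructed LAN range
LOCAL_RESOLVER = ipaddress.ip_address("192.168.1.2")  # constructed resolver/forwarder
DNS_PORT = 53

# Constructed flow records, one per line: "src dst proto dport"
SAMPLE_FLOWS = """\
192.168.1.50 192.168.1.2 udp 53
192.168.1.2 9.9.9.9 udp 53
192.168.1.77 8.8.8.8 udp 53
192.168.1.77 8.8.4.4 tcp 53
192.168.1.50 203.0.113.10 tcp 443
192.168.1.90 8.8.8.8 udp 53
192.168.1.77 8.8.8.8 udp 53
"""

def parse_flow(line):
    src, dst, proto, dport = line.split()
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, int(dport)

def verdict(src, dst, proto, dport):
    """Egress rule: only the local resolver may send DNS off the LAN."""
    if dport != DNS_PORT or proto not in ("udp", "tcp"):
        return "allow"   # not DNS, so outside this policy
    if dst in LAN:
        return "allow"   # query stays on the LAN (client -> local resolver)
    if src == LOCAL_RESOLVER:
        return "allow"   # resolver forwarding to its upstream
    return "block"       # LAN device bypassing the local resolver

def bypass_report(text):
    """Count blocked DNS attempts per (client, external server) pair."""
    hits = Counter()
    for line in text.splitlines():
        if line.strip():
            src, dst, proto, dport = parse_flow(line)
            if verdict(src, dst, proto, dport) == "block":
                hits[(str(src), str(dst))] += 1
    return hits

if __name__ == "__main__":
    for (src, dst), n in sorted(bypass_report(SAMPLE_FLOWS).items()):
        print(f"{src} -> {dst}: {n} direct DNS attempt(s) blocked")
```

The clients that show up in the report are the ones ignoring the DNS servers in their connection properties, and whose lookups the block lists would otherwise never see.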
The video is meant to show what you can do, and why you’d do it.
And there are options for every level of curiosity, cost, and ability!