Feature request: DNS-based blocks

Open mdavids opened this issue 7 years ago • 2 comments

Sometimes service.example.com resolves to many IP addresses, for example when it is provided by a CDN.

Blocking 'service.example.com' in the 'bolletjesapp' therefore has limited effect, until all possible options are blocked.

Proposal: a DNS-block. The user only has to block 'service.example.com' once.

mdavids, Feb 27 '18 09:02

Something to consider: what if the user's DNS traffic is encrypted and is not seen by SPIN? Out of scope, but if we implement DNS blocking, this should be made clear to the user through the interface.

ElmerLastdrager, Feb 27 '18 10:02

There could be several ways to do something like this, each with their own possibilities and drawbacks; if you do direct DNS-based blocking on the name (and on a suffix), then indeed, only plaintext queries would be blocked. Another option could be to not allow suffixes but only FQDNs, resolve them, and block those IPs (and repeat after TTL, or a certain time based on that). Less powerful in itself, but more general than meddling with DNS queries.

tjeb, Feb 27 '18 10:02
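
The resolve-and-block option from the last comment, sketched as an added example (not code from the SPIN project or from the commenters). The `FqdnBlocker` class, the `resolve` callable, the `MIN_TTL` and `GRACE` values and the rotating answers are all assumptions constructed for illustration.

```python
import ipaddress

MIN_TTL = 30   # assumed floor, so a TTL of 0 cannot trigger a tight re-resolve loop
GRACE = 300    # assumed: keep an address blocked this long after its TTL runs out


class FqdnBlocker:
    def __init__(self, resolve):
        self.resolve = resolve   # hypothetical callable: name -> [(ip, ttl_seconds)]
        self.held = {}           # name -> {ip: time at which the entry expires}
        self.next_refresh = {}   # name -> time of the next lookup

    def _in_use(self, ip):
        return any(ip in ips for ips in self.held.values())

    def refresh(self, name, now):
        """Re-resolve one name; return (ips_to_block, ips_to_unblock)."""
        if "*" in name or name.startswith("."):
            raise ValueError("suffixes and wildcards are not supported, only FQDNs")
        answers = [(str(ipaddress.ip_address(ip)), max(ttl, MIN_TTL))
                   for ip, ttl in self.resolve(name)]
        known = self.held.setdefault(name, {})
        to_block = set()
        for ip, ttl in answers:
            if not self._in_use(ip):
                to_block.add(ip)              # first name to need this address
            known[ip] = now + ttl + GRACE     # new entry, or lifetime extended
        expired = [ip for ip, end in known.items() if end <= now]
        for ip in expired:
            del known[ip]
        # An address shared with another blocked name must stay blocked.
        to_unblock = {ip for ip in expired if not self._in_use(ip)}
        self.next_refresh[name] = now + min((t for _, t in answers), default=MIN_TTL)
        return to_block, to_unblock


# Constructed sample data: a CDN-style name whose answer rotates between lookups.
ROTATION = [
    [("192.0.2.10", 60), ("192.0.2.11", 60)],
    [("192.0.2.11", 60), ("2001:db8::1", 0)],
    [("2001:db8::1", 60)],
]


def demo():
    answers = iter(ROTATION)
    blocker = FqdnBlocker(lambda name: next(answers))
    return [blocker.refresh("service.example.com", now) for now in (0, 60, 400)]
```

The two returned sets are what a caller would translate into firewall rule additions and removals. Since CDN addresses are commonly shared between unrelated sites, blocking by resolved IP can also cut off other services on the same address.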