An Actual Allow Only List
launched
Wade Bryant
Currently, DNS Filter does not block any content servers unless you add them to a block list. This means that if you create a policy, block everything that you can and set up an allow list, these content servers will not be blocked. That is not a TRUE allow list. If an allow list is set, all other domains, no matter what category they are in, should be blocked. Period.
Minetta Gould
launched
Filtering Policies now include an Allow-List only mode toggle. See our release notes and knowledge base for details!
Minetta Gould
now
Great news — this one’s in progress! Our engineers are wrapping up the final touches on a feature that will make allow lists truly restrictive, blocking all other content by default. Thanks for the feedback that helped shape this improvement!
Minetta Gould
Merged in a post:
DTTS Feature
William
DTTS
Don’t Talk to Strangers. A bullet-proof circumvention protection for your DNS firewall. All DNS-less traffic is blocked unless approved by the user.
Noah Helterbrand
I looked over this and it would be a great feature and substantially increase security, but a couple of caveats first:
- It would be a roaming-clients-only feature, and the roaming clients would need an IP filter driver for the OS. That's a lot of development work to cover all platforms.
- There would need to be an IP and IP range whitelist, and local IPs would need to be automatically excluded, otherwise it would cause a lot of issues for businesses using IP-based apps between networks or over VPNs.
Nachman Weiss
Very much needed when using a block-all-internet policy, specifically within a scheduled policy, when we want to block the internet for a specific amount of time.
Josh Lamb
Hello William. Are you talking about a whitelist-only policy, or about not letting any direct IP connections through?
William
Josh Lamb: I believe it's more or less a whitelist. The way I understand it, it blocks all IPs that were not preceded by a DNS lookup.
Zero Trust Model with what we call Don’t Talk To Strangers. “Strangers” are IP addresses that were not preceded with a DNS lookup. To use an example different from the Crunchyroll hack, consider if you want to ping 8.8.4.4 (and the result fails, in red below) vs ping google-public-dns-b.google.com (which succeeds in pinging 8.8.4.4 because it was preceded with a DNS lookup, in green below).
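The allow-list-only policy requested above and the DTTS rule William describes, with Noah Helterbrand's two caveats (local ranges excluded automatically, plus an explicit IP/range allow list), as an added Python model. This is not DNSFilter's code or any participant's; the class name, domain list, IP ranges and clock values are constructed.

```python
import ipaddress

# Constructed model (not DNSFilter's code): an allow-list-only domain policy
# feeding a Don't-Talk-To-Strangers (DTTS) egress check.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

class DttsPolicy:
    def __init__(self, allowed_domains, ip_allow_list=()):
        self.allowed_domains = {d.lower().rstrip(".") for d in allowed_domains}
        self.ip_allow_list = [ipaddress.ip_network(n) for n in ip_allow_list]
        self.resolved = {}  # destination IP -> time the DNS answer's TTL expires

    def domain_allowed(self, name):
        # Allow-list-only: permitted only if the name is, or is under, an
        # allow-listed domain; everything else is blocked regardless of category.
        name = name.lower().rstrip(".")
        return any(name == d or name.endswith("." + d) for d in self.allowed_domains)

    def on_dns_answer(self, name, answers, now):
        # answers is [(ip, ttl_seconds)]. Returns the IPs released to the client,
        # or [] when the lookup is blocked, in which case nothing is remembered.
        if not self.domain_allowed(name):
            return []
        for ip, ttl in answers:
            self.resolved[ipaddress.ip_address(ip)] = now + ttl
        return [ip for ip, _ in answers]

    def connection_allowed(self, dst_ip, now):
        ip = ipaddress.ip_address(dst_ip)
        if any(ip in net for net in LOCAL_NETS):
            return True  # local ranges are excluded automatically
        if any(ip in net for net in self.ip_allow_list):
            return True  # explicit IP/range allow list for DNS-less apps and VPNs
        expiry = self.resolved.get(ip)
        return expiry is not None and expiry > now  # otherwise it is a "stranger"

def demo():
    # Replays the page's example: 8.8.4.4 directly, then after resolving its name.
    p = DttsPolicy(["google.com"], ip_allow_list=["203.0.113.0/24"])
    t0 = 1_000_000  # constructed clock, seconds
    before = p.connection_allowed("8.8.4.4", t0)
    p.on_dns_answer("google-public-dns-b.google.com", [("8.8.4.4", 300)], t0)
    return {"before_lookup": before,
            "after_lookup": p.connection_allowed("8.8.4.4", t0 + 10),
            "after_ttl": p.connection_allowed("8.8.4.4", t0 + 301),
            "blocked_lookup": p.on_dns_answer("example.net", [("198.51.100.7", 60)], t0),
            "local": p.connection_allowed("192.168.1.5", t0),
            "ip_allow_list": p.connection_allowed("203.0.113.9", t0)}
```

Once the cached TTL lapses the IP becomes a stranger again, so a client that keeps talking to an address without re-resolving it is cut off, which is the behaviour a real DTTS driver would need to handle by tracking TTLs the same way.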