Deny all by default
I am looking into NextDNS as a way to help further lock down the internet on top of putting some computers on their own locked-down VLAN.
Is there a way to block/deny all by default? only allowing sites that have been added to the allowlist? Or, if not by default, is there a guide to the best practice to to implement this on a profile?
In the end I want to make it so the computers running the profile only get Windows Updates, and have access to Office 365 and a few other choice services while blocking all other traffic.
You're in luck there is a sort-of-kind-of-notreally work around for the lack of this feature, there is a somewhat simple way via the webgui to DenyAll, BUT you'll need to keep an eye out for new TLDs being added. Under the Security section of a profile you can select every and all TLDs, it's much easier to do so via the API, but that should help you out.
You can find the list for hostnames to add to your allowlist here: Step 2 - Configure WSUS | Microsoft Learn
But this is a good idea I might give a crack myself tonight, MSFT update only profile.
I don't believe there's a straightforward way to do what you are requesting, but there may be a solution.: You can try blocking all TLDs and then adding specific entries to the allow list.
There's no easy way to bock all TLDs. It's a manual process and there's about 1,000 of them. I have blocked all TLDs except for the handful I use (.com, .net .org, edu, .us, .uk, etc). It was a hassle, but only had to do it once.
There's rudoyeugene/NXEnhanced (a fork of the discontinued NXEnhanced) that can simplify adding all TLD with just one click on the web GUI. That fork is also available in Chrome web store.
- 2 wk agoLast active