Deny all by default

I am looking into NextDNS as a way to help further lock down the internet on top of putting some computers on their own locked-down VLAN. 

Is there a way to block/deny all by default, only allowing sites that have been added to the allowlist? Or, if not by default, is there a guide to the best practice to implement this on a profile?

In the end I want to make it so the computers running the profile only get Windows Updates, and have access to Office 365 and a few other choice services while blocking all other traffic.

6 replies

    • Andrew_Paolucci
    • 1 yr ago

    You're in luck: there is a sort-of-kind-of-not-really work-around for the lack of this feature. There is a somewhat simple way via the web GUI to deny all, BUT you'll need to keep an eye out for new TLDs being added. Under the Security section of a profile you can select each and every TLD; it's much easier to do so via the API, but that should help you out.

    You can find the list for hostnames to add to your allowlist here: Step 2 - Configure WSUS | Microsoft Learn

    But this is a good idea I might give a crack myself tonight, MSFT update only profile.

      • sdenike
      • 1 yr ago

       I hadn't thought of looking into using the API for this; honestly I hadn't even looked into an API at all, but that could certainly automate the whole process.

      I know my use case is a weird one, but I have a group of computers that for security reasons (more so general trust) I want to limit the exposure online outside of the Microsoft suite. Let me know what you come up with if you make a profile yourself!

    • Calvin_Hobbes
    • 1 yr ago

    I don't believe there's a straightforward way to do what you are requesting, but there may be a solution: you can try blocking all TLDs and then adding specific entries to the allowlist.

    There's no easy way to block all TLDs. It's a manual process and there's about 1,000 of them. I have blocked all TLDs except for the handful I use (.com, .net, .org, .edu, .us, .uk, etc.). It was a hassle, but I only had to do it once.
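    The "block every TLD, then allowlist a few hosts" approach described in the two replies above, as an added illustration that is not from this thread or from NextDNS. It emulates the policy evaluation (allowlist wins, a blocked TLD blocks every name under it) and flags the gap Andrew mentions: a TLD that did not exist when the profile was built is not blocked. The root-zone and profile contents are constructed stand-ins; the allowlist hostnames are illustrative, not a verified Windows Update list.

```python
# Added example (not from the thread or NextDNS). Emulates a profile that
# blocks every TLD and allowlists a few hosts. Assumptions: allowlist entries
# override blocks and cover their subdomains; a blocked TLD blocks every name
# under it; a TLD missing from the block set falls through to "allow".

# Constructed stand-in for the IANA root-zone list (the real list is at
# https://data.iana.org/TLD/tlds-alpha-by-domain.txt).
IANA_TLDS = {"com", "net", "org", "us", "uk", "xyz", "zip"}

# What the profile blocks: every TLD known when it was set up ("zip" came later).
BLOCKED_TLDS = {"com", "net", "org", "us", "uk", "xyz"}

# Illustrative allowlist (placeholders, not a verified Microsoft host list).
ALLOWLIST = {"windowsupdate.com", "update.microsoft.com", "office.com"}


def _tld(name: str) -> str:
    """Right-most label of a hostname, lower-cased, trailing dot removed."""
    return name.lower().rstrip(".").rsplit(".", 1)[-1]


def _matches(name: str, entries: set[str]) -> bool:
    """True if name equals an entry or is a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == e or name.endswith("." + e) for e in entries)


def decide(name: str, blocked_tlds=BLOCKED_TLDS, allowlist=ALLOWLIST) -> str:
    """Return 'allow' or 'block' for a queried hostname."""
    if _matches(name, allowlist):
        return "allow"          # allowlist overrides the TLD block
    if _tld(name) in blocked_tlds:
        return "block"
    return "allow"              # no rule matched: the default-allow gap


def uncovered_tlds(iana_tlds=IANA_TLDS, blocked_tlds=BLOCKED_TLDS) -> set[str]:
    """Root-zone TLDs the profile does not block yet (re-run periodically)."""
    return {t.lower() for t in iana_tlds} - {t.lower() for t in blocked_tlds}


if __name__ == "__main__":
    for host in ("outlook.office.com", "example.com", "download.example.zip"):
        print(f"{host:28} -> {decide(host)}")
    print("TLDs still unblocked:", sorted(uncovered_tlds()))
```

    Running `uncovered_tlds()` against a fresh copy of the IANA list is the check Andrew's "keep an eye out for new TLDs" caveat calls for.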

      • sdenike
      • 1 yr ago

       Ouch, yeah, doable but not ideal for sure... I am putting this as a back-burner option for a rainy day when I want to plug in all the TLDs.

    • Martheen
    • 1 yr ago

    There's rudoyeugene/NXEnhanced (a fork of the discontinued NXEnhanced) that can simplify adding all TLDs with just one click on the web GUI. That fork is also available in the Chrome Web Store.

      • sdenike
      • 1 yr ago

       Thanks for this, I will check it out as it sounds like it might be the way to go. I do wish they would add this feature, as I am sure I am not the only one looking to block all traffic by default to help lock down setups.
