19

Block all TLD by default, allow by exception

There are a crazy amount of useless TLDs on the internet.

Would like to see an option to block all TLDs and create an allow list. Maybe have a default allow list of the most commonly used (.com, .net, .gov, .org) and allow users to add whatever country codes or others they want)

9 replies

null
    • romain
    • 4 yrs ago
    • Official response
    • Reported - view

    We will soon improve that TLD selection modal, with "group" checkbox (so you can mass select/unselect all the new gTLDs for example, or select all easily and then unselect the one you don't want to block).

      • Calvin_Hobbes
      • 4 yrs ago
      • Reported - view

      Romain Cointepas will newly created gTLDs be blocked by default?

      • strawberry_chair
      • 1 yr ago
      • Reported - view

       

      We will soon improve that TLD selection modal, with "group" checkbox (so you can mass select/unselect all the new gTLDs for example, or select all easily and then unselect the one you don't want to block).

      Any update on this topic, I really would love to see that feature and to me it doesn't look like it should be something which is superhard to implement. 

      Maybe a workarround would be to be able to add a blocklist named "Block all TLDs" which has all TLDs in it and then we can choose to either whitelist/allowlist the TLD we want.

      • Whearour
      • 1 mth ago
      • Reported - view

      - I know this was some time ago, I'm not sure what the TLD section looked like at that time. Is this still something that improvements are being made on? I do see that there's a group (SPAMHAUS Most Abused), but there isn't any other groups, nor is there a group checkbox.

      I found this while searching for a way to "Block All". I see a fair number of these requests with varying details, but I think this is the highest voted so I'll add my comments here. It would be great to have a way to sinkhole all DNS requests except what's on the Allow list. Blocking all TLD's seems to be the way most people do this, but it would be much easier to have a global "Block All" setting. If TLD remains the way to do this, it would be nice to have a "select all" button that would also select any future TLD's that are added.

      The most practical use case would be a kids network, where its easiest to only allow access to a small handful of known good material and block everything else. In other words, move from a default allow model to a default deny model.

      My particular use case is an IoT network that should have internet access denied. However, DNS requests still leak through the default gateway. It would be nice to just sinkhole all of that as well. Like "kid mode", there's other ways to solve this (and I've implemented them), but having NextDNS just sinkhole everything on that profile would have made things very easy. I could also see a use case where someone wanted to give IoT devices internet access, but wanted to move to a default deny model and only allow them to resolve specific addresses.

      • Calvin_Hobbes
      • 1 mth ago
      • Reported - view

      not much has changed in many years 

    • Kummas
    • 3 yrs ago
    • Reported - view

    There are bunch of .lan TLD spamming my logs. Is there anyway to block TLD’s user defined ? Because ‘.lan’ is not available in the TLD list to block.

      • Calvin_Hobbes
      • 3 yrs ago
      • Reported - view

      Kummas that’s a reserved tld https://www.ietf.org/archive/id/draft-chapin-rfc2606bis-00.html

      you’d be wise to find what’s causing those lookups.  Consider enabling rebinding protection if you don’t understand what’s happening 

    • Coral_River
    • 2 yrs ago
    • Reported - view

    I would like to suggest an additional option to block :
    1) all TLD in non Latin alphabet,
    2) all TLD which have 5 and more letters, as they are rarely used.

    • NDNS_User_000
    • 1 yr ago
    • Reported - view

    +1

    I'd love a default-deny - I currently need to spend 10 minutes ticking "ADD" for every TLD :)

    This would mean that I could easily have a highly restrictive system-level allow-list profile, and another far less restrictive profile for a web browser.

    And I'd also be interested in a new feature alongside having a default-deny policy: when a *new* domain is detected, and only the first time that domain is observed, send an alert email. It would be extremly useful in some use cases - for example, on an internet-facing server which should only ever be resolving a very small number of domains, and any queries beyond that small set would be a security alert.  However, I recognise that this may be awkward to implement and/or expensive in terms of resource, so "newly observed for this profile" alerting would very much be a wishlist feature. This could perhaps be accommodated with a query streaming type of log, so that these issues could be ingested into an on-prem SIEM.

Login to reply

Content aside

  • 19 Likes
  • 1 mth agoLast active
  • 9Replies
  • 844Views
  • 7 Following