Live approve/deny ability for traffic from specific device

Hi,

With all those pesky IoT devices calling home now, I wonder if it would be possible to add the ability to manually approve/deny DNS requests from a known client device(s), such as TV or some IoT junk.
Call this 'learning mode' or maybe even a permanent toggle for that device.
At least this way, we could prevent IoT from calling home to their mothership.

Cheers.

Would the per-client limitation be an essential part? If so, it may not be possible.

Oh... how so?
Also, would it help if that IoT device was assigned a static IP?

We can block specific domains but we cannot do it for specific clients (either all clients see the domains blocked or no one does).

I suppose that is fine (every client blocking); so a real-time yes/no prompt is possible, without too much extra complication?

No, not really. One would have to block the entire Internet and then selectively whitelist stuff. Real-time will not be possible at all (as the DNS server would have to be restarted each time). Also, we would first have to add whitelisting of wildcard blocking entries. Nobody is currently working on this but - as always - we of course happily accept any incoming PRs and will test them as soon as possible for us.


I understood this as: without the per-client limit, this should be possible.
Anyway...

I'm not saying for 24x7 yes/no prompt, but only when we get into a 'mode' of sorts..

There is no way to suspend the DNS resolution per request, even without it being per-client. There is also no way to return different responses to different devices. So although it sounds good in theory there is no way to make it work.

This can be done using iptables (and would best be done using MAC rather than IP),
e.g.: -A FORWARD -i eth0 -m mac --mac-source xx:xx:xx:xx:xx:xx -j DROP

It would be a nice feature to be able to (right-)click on the client (IP), see its current MAC and select an iptables block option (such as block for x seconds, minutes, hours, or permanently, or unblock).
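The per-MAC firewall approach from the last post, worked into a small script as an added example (this is not code from the thread or from any project discussed in it). It wraps the quoted rule shape in block/unblock functions with a timed unblock, which is the "block for x seconds/min/hrs or permanently" option described above. The interface name eth0 and the MAC addresses are placeholders; `IFACE` and `IPTABLES` are assumed environment overrides introduced here. The rule lives in the FORWARD chain, so it only has an effect on the box that actually routes the IoT device's traffic (the gateway); on a LAN with a separate router, the device can still reach LAN hosts, including the DNS resolver, and the router is where the rule must be installed.

```sh
#!/bin/sh
# Added example: block or unblock forwarded traffic from one LAN device by its
# source MAC, optionally for a limited time. IFACE and the MACs are placeholders.
IFACE="${IFACE:-eth0}"            # LAN-facing interface the IoT device sits behind
IPTABLES="${IPTABLES:-iptables}"  # assumed override, e.g. IPTABLES=echo for a dry run

# valid_mac MAC: succeeds if MAC looks like aa:bb:cc:dd:ee:ff (case-insensitive)
valid_mac() {
    printf '%s' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# build_rule MAC: prints the rule specification without the -A/-I/-C/-D verb,
# so the identical text is used to insert, test for and delete the rule
build_rule() {
    printf 'FORWARD -i %s -m mac --mac-source %s -j DROP' "$IFACE" "$1"
}

# block_device MAC [SECONDS]: insert the DROP rule; with SECONDS > 0, remove it again later
block_device() {
    mac=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    secs="${2:-0}"
    if ! valid_mac "$mac"; then
        echo "block_device: '$1' is not a MAC address" >&2
        return 1
    fi
    spec=$(build_rule "$mac")
    # -C checks whether the rule is already present, so repeated calls do not stack duplicates
    if $IPTABLES -C $spec 2>/dev/null; then
        echo "already blocked: $mac"
    else
        $IPTABLES -I $spec || return 1
        echo "blocked: $mac"
    fi
    if [ "$secs" -gt 0 ] 2>/dev/null; then
        # timed unblock in the background; a reboot drops both the timer and the rule
        ( sleep "$secs" && $IPTABLES -D $spec ) >/dev/null 2>&1 &
        echo "will unblock $mac in ${secs}s"
    fi
}

# unblock_device MAC: delete every copy of the rule (in case it was added by hand as well)
unblock_device() {
    mac=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    valid_mac "$mac" || return 1
    spec=$(build_rule "$mac")
    while $IPTABLES -C $spec 2>/dev/null; do
        $IPTABLES -D $spec || break
    done
    echo "unblocked: $mac"
}

usage() { echo "usage: $0 block MAC [SECONDS] | unblock MAC" >&2; exit 2; }

case "${1:-}" in
    block)   shift; block_device "$@" ;;
    unblock) shift; unblock_device "$@" ;;
    "")      ;;   # no arguments: only define the functions (e.g. when sourced)
    *)       usage ;;
esac
```

Run as root on the gateway, e.g. `./iot-block.sh block aa:bb:cc:dd:ee:ff 3600` to cut the device off for an hour and `./iot-block.sh unblock aa:bb:cc:dd:ee:ff` to lift it early. A source MAC is only an identifier the device chooses to present, so this is a convenience control for known equipment rather than a hard isolation boundary; a separate VLAN or guest network is the stronger form of the same idea.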