With all those pesky IoT devices calling home now, I wonder if it would be possible to add the ability to manually approve/deny DNS requests from a known client device(s), such as TV or some IoT junk.
Call this 'learning mode' or maybe even a permanent toggle for that device.
At least this way, we could prevent IoT from calling home to their mothership.
No, not really. One would have to block the entire Internet and then selectively whitelist stuff. Real-time will not be possible at all (as the DNS server would have to be restarted each time). Also, we would first need whitelisting of wildcard blocking entries. Nobody is currently working on this but, as always, we of course happily accept any incoming PRs and will test them as soon as possible for us.
There is no way to suspend the DNS resolution per request, even without it being per-client. There is also no way to return different responses to different devices. So although it sounds good in theory there is no way to make it work.
This can be done using iptables (and would best be done using MAC rather than IP).
e.g.: -A FORWARD -i eth0 -m mac --mac-source xx:xx:xx:xx:xx:xx -j DROP
It would be a nice feature to be able to right-click on the client (IP), see its current MAC and select an iptables block option (such as block for x seconds, minutes, hours, or permanently, or unblock).
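As an added example (not code from the original thread or from any project discussed in it), the MAC-based FORWARD drop suggested above, wrapped so a client can be blocked permanently or for a number of seconds and then unblocked again. It assumes the LAN interface is `eth0` (override with `LAN_IF`), that the `mac` match module is available, and defaults to a dry run that only prints the commands; set `DRY_RUN=0` and run as root to apply them.

```shell
#!/bin/sh
# Added example: block one LAN client by MAC with iptables, optionally
# expiring the block. Assumptions: traffic is forwarded on LAN_IF and the
# iptables "mac" match is available. DRY_RUN=1 (default) only prints.
LAN_IF="${LAN_IF:-eth0}"
DRY_RUN="${DRY_RUN:-1}"

# Accept only aa:bb:cc:dd:ee:ff style addresses (case-insensitive).
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Build the rule; $1 is -A (add) or -D (delete), $2 is the MAC.
mac_rule() {
    printf 'iptables %s FORWARD -i %s -m mac --mac-source %s -j DROP\n' \
        "$1" "$LAN_IF" "$2"
}

# Print the command in dry-run mode, otherwise execute it.
run_rule() {
    if [ "$DRY_RUN" = 1 ]; then echo "$1"; else sh -c "$1"; fi
}

# block_mac MAC [SECONDS]: drop forwarded traffic from MAC; with SECONDS
# given, remove the rule again after that many seconds.
block_mac() {
    mac="$1"; secs="${2:-0}"
    valid_mac "$mac" || { echo "invalid MAC: $mac" >&2; return 1; }
    run_rule "$(mac_rule -A "$mac")" || return 1
    if [ "$secs" -gt 0 ] 2>/dev/null; then
        # Timed block: the matching delete runs in the background later.
        ( sleep "$secs"; run_rule "$(mac_rule -D "$mac")" ) &
    fi
}

# unblock_mac MAC: remove a block added by block_mac.
unblock_mac() {
    valid_mac "$1" || { echo "invalid MAC: $1" >&2; return 1; }
    run_rule "$(mac_rule -D "$1")"
}
```

Usage: `block_mac aa:bb:cc:dd:ee:ff 3600` blocks the device for an hour; `unblock_mac aa:bb:cc:dd:ee:ff` lifts a permanent block.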