How To Block Top-Level Domains?

That option only blocks automatic promotion to DoH for clients that support it (currently Windows 11 and Firefox), it does not actively block DoH itself if someone manually enabled it.
 
And yes, a .zip TLD is completely retarded. The average user won't be able to easily distinguish between a website URL and a file download.
 

Yeah, Steve Gibson on his Security Now podcast agrees with you.

my list now shows: address=/zip/mov/foo/nexus/dad/phd/prof/esq/boo/rsvp/page/new/app/day/dev/club/icu/store/top/xyz/#

INSERT:
@ColinTaylor added that omitting the "#" would result in lookups returning an NXDOMAIN rather than "0.0.0.0" or "::" (which I imagine would be a better/tidier outcome from a coder's perspective... so done).

my list now shows: address=/zip/mov/foo/nexus/dad/phd/prof/esq/boo/rsvp/page/new/app/day/dev/club/icu/store/top/xyz/

I'm gonna keep adding TLDs until I'm COMPLETELY protected! Nothing gets in, nothing gets out! 🤪

...Then I go to the library and start reading books, newspapers, magazines again. Hope my library card still works (since my internet is now kaput). ;)
Long time lurker. I post very seldom.

@Wallace_n_Gromit and others, I got bit by blocking .dev today. Apparently it is needed for registering an Amazon FireTV stick. The specific domain is:
Code:
na.prism.digital.amazon.dev
YMMV. When blocked, I got "profile not found" NETWORK_IO and home page not being available.
 

Blocking a TLD is probably going to end up being problematic eventually for anyone. You could of course add two entries, one to forward amazon.dev to upstream and another to block all other .dev. But it's only a matter of time before something else you need is using that domain.

For those looking at this thread in the future, be aware that the URL filter in the GUI blocks both DNS lookups as well as any browsing to whatever you put there. So you can go in there and put .dev under the block list and it will accomplish the same (technically more) as using a script to block it in dnsmasq. However, obviously there is the same risk with that, that something will need .dev. There is also an additional risk that if .dev falls somewhere else in the URL it will block that too (like server.developer.amazon.com would get blocked). Unfortunately the URL filter is not as flexible, in that you can't permit amazon.dev and then deny all other .dev, so dnsmasq is still the place to do that. I guess in theory you could set it to permit list, put every TLD except .dev, then put amazon.dev. That would work but may be a bit of a strain on the router and is pretty messy to manage, and isn't foolproof, as .community.dev would make it through since you'd have .com permitted.

But if you're looking to block specific domains (playboy.com or whatever), the URL filter is a great place to do it. It can be useful for certain TLDs that are typically only used for malicious stuff too, but due to the potential for that same string to fall elsewhere in the host/URL, it probably isn't the best place to block a TLD regardless.
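As an added example that is not from any post in this thread, the script below pulls together the three points made above: the `address=/tld1/tld2/` line from the earlier post (with or without the trailing `#`, i.e. NXDOMAIN versus 0.0.0.0/::), the "two entries" exception from this post (a `server=/amazon.dev/#` line forwards that domain to the normal upstream servers, and dnsmasq's longest-suffix match lets it win over the broader `address=/dev/` block), and the difference between a proper suffix match on the hostname and the plain substring match the GUI URL filter is described as doing. The TLD list and the exempted domain are constructed sample inputs; the hostnames checked at the end are the ones mentioned in the thread. The `classify_host` function only emulates the suffix-matching decision for illustration; it is not dnsmasq's code.

```shell
#!/bin/sh
# Added example: build a dnsmasq TLD block list with exceptions and compare
# suffix matching against substring matching. Sample inputs are constructed.

BLOCKED_TLDS="zip mov dev top xyz"   # constructed sample list
ALLOWED_DOMAINS="amazon.dev"         # domains exempted from the TLD block

# Print the dnsmasq lines. Mode "nx" omits the address so dnsmasq answers
# NXDOMAIN; mode "null" appends "#" so dnsmasq answers 0.0.0.0 and ::.
# Exempted domains are emitted as "server=/domain/#", which tells dnsmasq
# to resolve that domain (and its subdomains) via its standard upstream servers.
gen_dnsmasq_tld_block() {
    mode="$1"; tlds="$2"; allowed="$3"
    for d in $allowed; do
        printf 'server=/%s/#\n' "$d"
    done
    line="address=/"
    for t in $tlds; do
        t=${t#.}                      # tolerate a leading dot, e.g. ".dev"
        line="${line}${t}/"
    done
    if [ "$mode" = "null" ]; then
        line="${line}#"
    fi
    printf '%s\n' "$line"
}

# Emulate the longest-suffix decision: an exempted domain wins over a blocked
# TLD, a blocked TLD wins over nothing. Prints allow, block or pass.
classify_host() {
    host="$1"; tlds="$2"; allowed="$3"
    for d in $allowed; do
        case "$host" in
            "$d"|*."$d") echo allow; return 0 ;;
        esac
    done
    for t in $tlds; do
        t=${t#.}
        case "$host" in
            "$t"|*."$t") echo block; return 0 ;;
        esac
    done
    echo pass
}

# Plain substring match, the behaviour the post attributes to the GUI URL
# filter: the string may hit anywhere in the host, not just at the end.
url_filter_hits() {
    host="$1"; needle="$2"
    case "$host" in
        *"$needle"*) echo yes ;;
        *)           echo no ;;
    esac
}

# Stand-alone demo: show the generated fragment, then compare the two
# matching styles on the hostnames discussed in the thread.
gen_dnsmasq_tld_block nx "$BLOCKED_TLDS" "$ALLOWED_DOMAINS"
for h in na.prism.digital.amazon.dev example.dev server.developer.amazon.com; do
    printf '%-32s suffix=%-5s substring(.dev)=%s\n' "$h" \
        "$(classify_host "$h" "$BLOCKED_TLDS" "$ALLOWED_DOMAINS")" \
        "$(url_filter_hits "$h" .dev)"
done
```

The generated `address=` line blocks every listed TLD while the `server=/amazon.dev/#` line in front of it carves the Amazon registration domain back out, which is the combination this post suggests. The last loop shows why the URL filter is the wrong tool for a TLD: `server.developer.amazon.com` is not under `.dev` at all, yet a substring check for `.dev` still hits it.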