Any way to block all DNS queries and whitelist some?

Any way to block all DNS queries and whitelist some? This goes beyond the scope of URL filtering.

Say if I was an unfortunate Adobe user who required Windows. So, I only want to run Windows as a production machine and keep it isolated from the Internet as much as I can (and avoid MS and their shady updates along with it). But to use those shady Adobe apps, I am required to have a consistent Internet connection to periodically validate my shady ‘subscription’. So, I need to whitelist some of Adobe’s domains to make it work.

How would I make this work with IPfire? I am curious to see if this is possible.


I would also like to point out that I am doing this with two virtual machines with a NAT network in virtual box as a test.


In my internal network I use the Pi-hole IP for the clients and then let Pi-hole use IPFire as its DNS.
Then I can blacklist or whitelist what and when I need it.


My first thought was to use the proxy.
Second thought: make a firewall rule to allow communication to Adobe,
then block that PC from everything else.

I’ll add a shameless plug for something I have been playing experimenting with:

Instead of blocking DoH, you can use it to block MS.

Think of it as changing the topic title to MSblock - Blocking MS via RPZ.

Do you know the domain names (maybe with sub-domains) you want to block?


Well, I’m looking to block literally everything on that Windows client; not just MS. And only allow what’s necessary to run Adobe’s crap.

Well, for now, I am just doing this all with two virtual machines that are configured with a NAT network. IPFire is the DHCP for the client to get an IP address. But I use regular NAT for the IPfire VM to get to the Internet.

So, one VM is IPfire and the other being my Windows client where I want to block literally everything except for Adobe’s shady stuff.

But yes, I do have Pihole on my actual network.

How would I go about doing that? The second thought.

Something like:
Rule 1
Source "pc" NAT destination "Adobe IP" (could be a network group).
Rule 2
Source "pc" NAT destination "Any" drop.

Could add ports or a service group to Rule 1.
@jon has some other posts that use firewall rules that are more sophisticated,
using RPZ and ASN. Which is very cool.
But not through the WUI.

I’d much rather avoid specifying a single IP address. Mainly because IP addresses do change. The apps themselves would use DNS as a means to validate with Adobe’s servers most likely.

That’s where what @jon did above is so amazing.
You could allow traffic to a specific Domain.
And block everything else from that client.
It’s just not built-in.

Alright then. Guess I’ll look into that.

So, can this be used to block all domains and whitelist a couple?

For MS, you might be able to use this RPZ. I know nothing about the list so make sure you review before using!

Okay. But I want to block everything except for Adobe’s crap servers when Adobe’s shady subscription is validated.

For blocking everything except what you want, I have tested this:

	server:
	    # respip must be loaded ahead of the iterator for rpz: zones to apply
	    module-config: "respip validator iterator"

	# Zones are evaluated in this order; the first zone with a matching
	# trigger decides, so the allowlist must come before the catch-all block.
	rpz:
	    name: allow
	    #zonefile: zonefiles/
	    zonefile: /etc/unbound/zonefiles/
	    # every match in this zone is answered normally, whatever the record says
	    rpz-action-override: passthru
	    rpz-log: yes
	    rpz-log-name: allow

	rpz:
	    name: block
	    zonefile: /etc/unbound/zonefiles/
	    # every match in this zone is answered NXDOMAIN
	    rpz-action-override: nxdomain
	    rpz-log: yes
	    rpz-log-name: block

in a


Everything is blocked; you add sites to the allowlist for IPFire updates and for whatever other domains you need.
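An added example, not from this thread or from IPFire's own tooling, showing how the two RPZ zones behind that configuration interact. The zone bodies and the licensing host names in them are constructed placeholders (Adobe's real endpoints are not listed here), and the bare `*` catch-all trigger in the block zone is an assumption about how to express "every name" as a QNAME trigger. The Python models Unbound's rule that the first configured zone with a matching trigger wins, which is why the allow zone has to be listed before the block zone.

```python
"""
Model of Unbound RPZ evaluation for an allowlist-then-blocklist setup.

Constructed example: the two zone bodies mirror the posted unbound.conf,
where the "allow" zone runs with rpz-action-override: passthru and the
"block" zone with rpz-action-override: nxdomain.  Host names are placeholders.
"""
from dataclasses import dataclass, field

# Constructed zone file for the "allow" zone.  Because the action is
# overridden to passthru in unbound.conf, the CNAME target is irrelevant.
ALLOW_ZONE = """
$TTL 60
@ SOA localhost. root.localhost. 1 3600 900 604800 60
@ NS localhost.
; hypothetical licensing endpoints the Windows client must reach
lm.licenses.example.com    CNAME rpz-passthru.
*.licenses.example.com     CNAME rpz-passthru.
; keep the firewall itself able to fetch updates
pakfire.ipfire.org         CNAME rpz-passthru.
"""

# Constructed zone file for the "block" zone.  A bare "*" owner is assumed
# here to be the catch-all trigger that matches every query name.
BLOCK_ZONE = """
$TTL 60
@ SOA localhost. root.localhost. 1 3600 900 604800 60
@ NS localhost.
*                          CNAME .
"""


@dataclass
class RpzZone:
    name: str
    action: str                      # rpz-action-override value from unbound.conf
    triggers: list = field(default_factory=list)


def parse_rpz_zone(name, action, text):
    """Collect QNAME triggers from a zone body.

    Owner names are relative to the RPZ zone origin, which is how Unbound
    reads them.  $TTL, SOA/NS apex records and comments carry no policy.
    """
    zone = RpzZone(name, action)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        owner = line.split()[0]
        if owner == "@":
            continue
        zone.triggers.append(owner.rstrip(".").lower())
    return zone


def trigger_matches(trigger, qname):
    """RPZ QNAME semantics: exact name, or wildcard matching strict subdomains."""
    qname = qname.rstrip(".").lower()
    if trigger == "*":                     # modelled catch-all (assumption)
        return True
    if trigger.startswith("*."):
        suffix = trigger[1:]               # ".licenses.example.com"
        return qname.endswith(suffix) and qname != suffix[1:]
    return qname == trigger


def evaluate(qname, zones):
    """First zone in configuration order with a matching trigger decides.

    Returns (zone name, action); ("", "resolve") means no policy applied.
    """
    for zone in zones:
        if any(trigger_matches(t, qname) for t in zone.triggers):
            return zone.name, zone.action
    return "", "resolve"


ALLOW = parse_rpz_zone("allow", "passthru", ALLOW_ZONE)
BLOCK = parse_rpz_zone("block", "nxdomain", BLOCK_ZONE)
POLICY = [ALLOW, BLOCK]          # same order as the rpz: blocks in unbound.conf


def policy(qname):
    """Decision for one query under the configured zone order."""
    return evaluate(qname, POLICY)


if __name__ == "__main__":
    for q in ["lm.licenses.example.com", "cdn.licenses.example.com",
              "licenses.example.com", "update.microsoft.com", "pakfire.ipfire.org"]:
        print(f"{q:30s} -> {policy(q)}")
    # swapping the zone order turns the allowlist into dead configuration
    print("wrong order:", evaluate("lm.licenses.example.com", [BLOCK, ALLOW]))
```

Note that the wildcard `*.licenses.example.com` does not cover `licenses.example.com` itself; if the apex name is needed it has to be listed separately, which is the kind of gap `rpz-log: yes` on the block zone will reveal when the client's validation fails.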


This is massive overkill. Yes, you could do the above but it will probably render everything unusable.

@dreaper - you really need to specifically list what you want allowed and what you want blocked.

Yes, it is overkill, but allowing a domain is not complicated.
I have added many domains and IPFire works fine.
But if it were possible through the web UI, that would be best.



As I said, the machine is only going to be a production machine. So, massive overkill is what I want. Don’t worry. This is just something I’m testing in a virtual machine. Because maybe I could use a Raspberry Pi later on for a single machine to keep the machine completely isolated and then only allow certain things to be accessible.

In this test case, I just need it to call home to Adobe’s crap servers to validate a ‘subscription’ nothing else. Or, I could use something else that I want to whitelist.

For blocking everything except what you want, I have tested this

That’s what I am looking for. Block every domain and whitelist what I need.