Difference between dns_blocklist.sh and IP Address Blocklists

Hi,

Some time ago, I installed the dns_blocklist.sh script according to the description on GitHub.

Now I realize that IPFire has the built-in function “IP Address Blocklists”.
Does “IP Address Blocklists” do the same as the script above?
If so, I think it’s better to use the IPFire built-in function!

These are two approaches

  • dns_blocklist.sh establishes blocklists in the name resolution; this is similar to PiHole. ‘Bad’ addresses are not resolved, so the device can’t communicate with the IP
  • IP Address Blocklists work on IP level; access to certain IPs is blocked by the firewall ( iptables ).

Both have pros and cons. Blocking on DNS level is independent from IP address changes of URLs. IP Address Blocklists are more maintained by the core devs.

An alternative to the dns_blocklist script is the RPZ approach currently under development by some IPFire users.
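An added illustration of the difference between the two layers (example code, not from dns_blocklist.sh or IPFire): a small Python model with constructed blocklists and connection records. It assumes DNS-level blocking behaves like an unbound local-zone (a listed name and all its subdomains are refused) and IP-level blocking like an iptables/ipset CIDR match; it shows that a blocked host which moves to a new IP is still caught at DNS level, while a connection made directly to an IP with no resolver lookup is only caught at IP level.

```python
import ipaddress

# Constructed sample lists; not the real dns_blocklist.sh or IPFire feeds.
DNS_BLOCKLIST = {"ads.example.net", "tracker.example.org"}
IP_BLOCKLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]


def dns_blocked(name):
    """DNS-level rule (assumed unbound local-zone semantics): a name is blocked
    if it or any parent zone is listed, so subdomains inherit the block."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in DNS_BLOCKLIST for i in range(len(labels)))


def ip_blocked(addr):
    """IP-level rule (assumed iptables/ipset semantics): block if the
    destination falls in any listed network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in IP_BLOCKLIST)


def classify(event):
    """event: dict with 'dst_ip' and 'name' (None when the client connected to a
    raw IP without a resolver lookup). Returns which layer would have fired."""
    by_dns = event["name"] is not None and dns_blocked(event["name"])
    by_ip = ip_blocked(event["dst_ip"])
    return {"dns": by_dns, "ip": by_ip}


# Constructed connection events
EVENTS = [
    {"name": "cdn.ads.example.net", "dst_ip": "203.0.113.10"},  # caught by both layers
    {"name": "ads.example.net",     "dst_ip": "192.0.2.44"},    # host moved IP: DNS layer only
    {"name": None,                  "dst_ip": "198.51.100.7"},  # direct-to-IP: IP layer only
    {"name": "www.example.com",     "dst_ip": "192.0.2.80"},    # neither
]


def coverage(events=EVENTS):
    """Evaluate every event against both layers."""
    return [classify(e) for e in events]


if __name__ == "__main__":
    for e, r in zip(EVENTS, coverage()):
        print(e["name"] or "<no DNS lookup>", e["dst_ip"], r)
```

Running both layers side by side, as IPFire does when the script and the built-in lists are both active, covers each gap the other leaves.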