This statement is completely false. I’ll point you to Barracuda’s ESS for starters.
What you can do is filtering the web access ( through URLfilter in a non-transparent proxy )
Why do I need to push proxy settings to every device when I can simply catch the DNS requests? Why do I need to introduce overhead on my bandwidth throughput to perform https URL inspection, when simply sending back a dead IP in the DNS response will suffice? You are telling me to climb Mount Everest to tie my shoelace… it is illogical.
educate your users ( yourself ) to examine exactly which links are to be clicked.
This is such an ignorant IT guy response. I used to think like that, and then one day I was sent a url that was using a special unicode character that my eye didn’t see the tiny little dot under the letter “n” that made it different from the legitimate URL (It blended into the underline). Lucky for me there were no dire ramifications, however I learned from the experience enough to know that saying “you should just be more educated” doesn’t cut it I’m afraid.
https://biṇance[.]com was the URL that got me. I didn’t see the little dot under the n. It came up as like the first result in a google search I did for binance, and only when I started getting email notifications that an API key had been made on my account etc. that I clued on and looked at my URL history and saw the character. Luckily my binance account was brand new I’d only just made it the day before and it had nothing in it yet. But it was a good experience to learn. It’s an easy mistake to make no matter how “educated” you may think you are. You add an underline to that link and that dot gets really hard to see. DNS blackholing would have protected me if that URL was on a community list.
So absolutely DNS blackholing solves the problems that I don’t just think, know, exist.
Here is a picture of that URL with an underline, tell me how well you spot the dot.
Why does anyone need to bother with DNS response tampering when they can deploy these attacks and ipfire offers zero protection against such attacks short of forcing every client to set a proxy and have their URLs filtered? A far easier attack to pull off than DNS hijacking, with a trivial mitigation, is disregarded by ipfire because of why? Coz you can force everyone to use a proxy? Not always, people working from home who VPN in, they don’t want proxy settings on their personal device and I don’t blame them.
And it is these 2bit, 5yo attacks that claim 95% of victims. Ya’ll so busy trying to stop China intruding into your basement that you let the script kiddies walk right in with these how to social engineer 101 attacks.