Seeing that you do not want this for one system, but for all systems on a LAN going to the Internet, the most logical thing is to check in the router.
A, very theoretical, solution then could be that the router resolves all destination IP addresses into hostnames and when the hostnames then are (or end in) a text that is in a blacklist, drop the packet.
IMHO programming the router to ones needs is the key here.
Yes. I tried to approach this through the router. However as per the link, the script they give has caveats which make it practically very limited and hence useless. So I started to look for a way to do it on an openSUSE system and through trying to understand how it works to hopefully “translate” it somehow to the router’s language (which I still need to learn).
IMO
Should clarify reasonable objectives.
So for instance,
Most people, even businesses don’t usually need to update the accuracy of their blocked addresses that often…
After all, even if you were a malware author/owner you couldn’t have IP addresses for your hosts changing every few minutes, hours or maybe even days… DNS caching servers might not update very often, even if they resspect the TTL value you set for your records. In other words, very frequent changing name resolution mappings is counter-productive resulting in failures which is why you have name resolution in the first place.
A very short (eg 10 second) TTL could be set, but that would practically force all queries to be directed directly or nearly so to your Primary DNS. Depending on what you’d consider an acceptable load, it <could> overwhelm a DNS server and would force name queries across very large distances.
I don’t know how much it’s still used but years ago block lists were published, some involved a fee but there were also free, community lists that were updated approximately weekly. Everyone from firewall administrators to end users running special apps like Peerblock imported these lists regularly (Peerblock stopped using free block lists years ago, but the app still exists).
So, that’s one possible solution that’s been around for eons…
You should also understand beforehand that scripts to auto-generate and update dynamically any kind of security setting is risky, and besides missing some will also generate false positives. In certain situations this can have a major consequence like when I wrote these kinds of scripts to automatically block suspicious activity to a webserver… I quickly learned that there can be a certain amount of normal “extra” activity that can be mis-interpreted as malicious and voila! - I had legitimate Users who were suddenly unable to access the website (until the block was removed) and would even block my attempt to remote into the machine to make fixes (resolved by re-assigning a new IP address to my machine).
You can consider looking at Parental Control applications…
Or, most Proxy Firewalls will easily support whitelisting and blacklisting IP addresses or FQDN, and sometimes are versativel enough to accept plugins for things like deep packet inspection. “window screen” firewalls like iptables won’t generally have the same capability as proxy firewalls but YMMV.
IMO,
TSU
Is it possible to handle this through AppArmor?