I am thinking about the feature which could improve security in the network.
It would be nice if pi-hole could interact with the iptables firewall and create an allow rule for the destination (the DNS-resolved IP) and the source (the client IP that requested it).
Any client in the network could then access a site only after it was resolved by the pi-hole. If a site were accessed directly by IP, without resolving the name, it would be blocked.
- Any software with hard-coded IPs would not be able to reach a remote server by IP alone. This prevents malicious code from contacting Command and Control servers.
It is unlikely that bogus/malicious services on the internet have a registered DNS domain.
- In case the malicious site does have a registered DNS domain, then it will very likely be filtered by pi-hole adlists or, for example, OpenWrt BanIP, which blocks a lot of IP subnets based on IP sets that are updated daily.
packages/README.md at ae7f62d637d86b8fe6ae03cdce948ab2d25ff19b · openwrt/packages · GitHub
With this feature, there would be another layer of security.
Or maybe this concept isn't workable?
I will be glad for any inputs, comments, idea extensions...
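An added example (not part of the original post or of Pi-hole) of the pairing step the idea depends on: it reads dnsmasq-style log lines as Pi-hole's resolver writes them (an assumption about the format, including that a CNAME answer is logged as `<CNAME>` followed by the target's address) and emits one per-client ACCEPT rule per resolved address, skipping gravity-blocked answers so a blocked name never opens the firewall. The log lines below are constructed sample data; the rules are returned as strings rather than applied, and the chain is assumed to end in DROP.

```python
"""Derive per-client iptables allow rules from Pi-hole/dnsmasq reply log lines."""
import ipaddress
import re
from collections import defaultdict

# Assumed log shape: "query[A] name from client" and "reply name is answer",
# with a CNAME hop logged as "<CNAME>" and the next reply line carrying the target.
QUERY_RE = re.compile(r"query\[(?:A|AAAA)\] (\S+) from (\S+)$")
REPLY_RE = re.compile(r"(?:reply|cached) (\S+) is (\S+)$")

# Constructed sample log: one plain lookup, one CNAME hop, one gravity-blocked name.
SAMPLE_LOG = """\
dnsmasq[1]: query[A] example.com from 192.168.1.10
dnsmasq[1]: reply example.com is 93.184.216.34
dnsmasq[1]: query[A] www.update.test from 192.168.1.11
dnsmasq[1]: reply www.update.test is <CNAME>
dnsmasq[1]: reply cdn.update.test is 203.0.113.7
dnsmasq[1]: query[A] ads.bad.test from 192.168.1.10
dnsmasq[1]: reply ads.bad.test is 0.0.0.0
""".splitlines()


def _ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def resolved_pairs(lines):
    """Return ordered, de-duplicated (client, address) pairs that earned an allow rule.

    Blocked answers (Pi-hole returns 0.0.0.0 / ::), NXDOMAIN and NODATA yield
    nothing, so a name the adlists blocked never opens the firewall for that client.
    """
    waiting = defaultdict(set)  # name -> clients still waiting for an answer
    carry, pairs = set(), []    # carry: clients whose CNAME target is still pending
    for line in lines:
        if m := QUERY_RE.search(line):
            name, client = m.groups()
            if _ip(client):
                waiting[name].add(client)
        elif m := REPLY_RE.search(line):
            name, answer = m.groups()
            clients = waiting.pop(name, set()) or carry
            addr = _ip(answer)
            if answer == "<CNAME>":
                carry = clients  # the next reply line belongs to these clients
            elif addr and not addr.is_unspecified:
                carry = set()
                for client in sorted(clients):
                    if (client, str(addr)) not in pairs:
                        pairs.append((client, str(addr)))
    return pairs


def iptables_rules(pairs, chain="FORWARD"):
    """One ACCEPT per pair; the chain's policy (or its last rule) stays DROP."""
    return [f"iptables -I {chain} -s {c} -d {d} -j ACCEPT" for c, d in pairs]
```

Rules generated this way have no expiry; in practice each ACCEPT needs a lifetime tied to the answer's TTL (for example an ipset with a timeout), and clients that resolve names through DoH/DoT never appear in this log and would simply stay blocked.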