I have been working overtime hours and haven't even started looking at implementing this, but this may have actually been good. Let me try to summarize what we have so far (please feel free to correct/amend if I missed something):
- We add support for subscribed allowlists (whitelists)
- Domains on these lists can only whitelist domains from subscribed blocklists (adlists) - user-provided exact and regex blocked domains still have higher priority
Whether or not we support @@||abc.com^ on subscribed allowlists can still be discussed.
Programmatically, everything is possible. It just depends on the price we are ready to pay. Pi-hole could make sure that @@||...^ can only affect rules from the same blocklist but this will cause Pi-hole to run (possibly several, depending on the query domain's depth) multi-dimensional lookups against the tree. The implementation details are a bit tricky as we might have the same block rule on two adlists but only one has an @@||...^ exception resulting in that this is still to be blocked. Implementing is surely possible, but handling also the edge cases makes this non-trivial (and slow). If we go down this route, we will definitely have to make this opt-in as this will require a sufficiently powerful host.
The obvious alternative is to reject lists including @@||...^ altogether (we import zero domains). This is kind of the opposite of what this feature request asks for, but the present discussion seems to reveal that this is the better approach for network-wide DNS-based blockers.