Clean.dnsforge.de is a tool to protect children from harmful things on the internet on top of advertisements and tracking.
Combining clean.dnsforge it with Hagezi ultimate and other strict filter lists would be counter productive. Such strict filter lists (as they are now available in hard.dnsforge.de) come at the cost of a certain amount of issues. Sites can break to some extent, this is to be expected and tolerated with a deliberately extreme level of filtering. For kids a more moderate approach is necessary.
If you want a very strict level of filtering plus adult filtering, you might want to use the free dns from Mullvad. They have an option for strict filtering + adult. Alternatively with such requirements you one should considering running your own Pihole/adguard home.
oh that’s right, the duplicate is now gone, the malware list is also under normal and the 1hosts under clean.
we have removed 1hosts from hard because it already contains many domains but is not kept up to date and does not respond to issues. as we do not keep a whitelist for hard, we think it is better not to keep 1hosts there any more.
ok the Smart-TV list is now also included in basic.
We have tidied up hard and removed outdated lists with orphaned domains. Many lists were already included in the Hagezi and OISD lists, so we have also removed these.
I was thinking here, while reading this thread, about whitelist and I have a question: why not use the same whitelist used at dnsforge on the hard dns? I think it could be good to remove false positives and at the same time have more strict rules.
yes, we had also considered it, but we decided that if someone chooses hard, they also get hard and there is no whitelisting there. If you can’t cope with that, you can still use normal.
Bei meinen Recherchen sind mir folgende spezifische Sperrlisten aufgefallen:
Insbesondere die Listen unter „Einzelne Dienste sperren“ sind sehr empfehlenswert. Verbindungen zu Meta und seine Produkte wie WhatsApp und Instagram bekommt man mit der „Facebook“-Liste ganz gut weg; Easylist und firstparty-trackers-hosts sind auch zwei recht umfangreiche Blockierlisten.
@testder: Wenn du harte Filterung magst, probier mal hard.dnsforge.de aus. Da wird mit Hagezi ultimate und OISD big maximal geblockt - ohne dass beliebte Dienste kaputt gehen. Wenn du spezielle Anbieter (Meta, …) oder Dienste (WhatsApp) blockieren willst, dann ist das absolut nachvollziehbar, aber in einem öffentlichen DNS nicht darstellbar - das nutzen einfach zu viele Leute, als dass man das für alle abdrehen könnte. Da musst Du Dir selbst ein PiHole oder Adguard Home aufsetzen.
Blocking newly registered domains is a good idea for one’s private pihole.
For a a public dns service like dnsforge it is not suitable as it inevitably (temporarily) blocks a lot of legitimate websites and requires constant whitelisting and clean-up of the whitelist.
Yes. But (as explained in your link as well) that’s a guessing game. A newly registered domain is a newly registered domain - nobody knows for sure whether it’s malicious or not. The short list has the ones with higher likelihood of being malicious. If they turn out to be malicious, they’ll end up in the regular lists. Otherwise they are falsely blocked for weeks for no other reason than being newly registered.
Again, for a private Pihole that’s a good layer of additional security. For a public dns with thousands of users such lists inevitably lead to a lot of whitelisting (and subsequent cleanup of the whitelist). That’s just not reasonable (and impossible for hard.dnsforge as that service does not have a whitelist to begin with).
I do NOT recommend to even use the Phishing lists aswell. They are programatically generated look-a-like brand imitations domains. NRD14/30 is absolutely NOT suitable for public resolver use!
The NRDs are for experienced admins with 6 hands free to whitelist!
My DGA NRD on the other hands are calculated high entropy domains with high confidence seen in several malware families and with help of Maltrail.