ProllyInfamous 8 hours ago

I am not familiar with dnsmasq at all (is this machine-local?), but absolutely love my PiHole hardware — you can even create rules which intercept hard-coded-IP DNS requests and/or httpsDNS. You can also hard-code/intercept .TLD to local service IPs.

Programs like LittleSnitch never really seem like "enough" for me, because the computer has to boot before DNS filtering comes online. It also has the design error (IMHO) of pre-resolving IP addresses before clicking Accept/Deny(all).

A great blockrule for your personal firewalls would be to ban (at top level) icloud.com, apple.com, &c; system updates can then be performed manually using guides like <http://www.mrmacintosh.com>. Of course: this breaks everything (in exactly the way I prefer to compute).
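The two PiHole tricks mentioned above (mapping a whole .TLD to a local service IP, and banning a domain tree at the top level) are ordinary dnsmasq rules underneath; Pi-hole runs a dnsmasq fork. The configuration below is an added example, not anything posted in this thread or shipped by Pi-hole; the file path, interface, upstream resolver, `.lab` TLD, `example.org` names and 192.168.88.x addresses are assumptions chosen for illustration.

```conf
# /etc/dnsmasq.d/10-homelab.conf
# Constructed example: every name, address and path below is an assumption.

# Ignore /etc/resolv.conf and forward only to the upstream named here.
no-resolv
server=9.9.9.9

# 1. Map an internal TLD to a local service IP.
#    Every name under .lab (grafana.lab, nas.lab, ...) answers with the
#    reverse proxy, and the query is never forwarded upstream.
address=/lab/192.168.88.4

# 2. Override a single name under a public domain without touching the rest.
address=/docker.example.org/192.168.88.5

# 3. Forward one zone to an internal DNS server (e.g. a lab AD/bind box).
server=/corp.example/192.168.88.2

# 4. Ban a domain tree at the top level. `local=` marks the domain as local:
#    dnsmasq answers only from /etc/hosts or DHCP leases and never forwards,
#    so everything under apple.com and icloud.com gets NXDOMAIN.
local=/apple.com/
local=/icloud.com/

# 5. Rebind protection: drop upstream answers that point at private ranges.
#    Answers generated by address= above are local and unaffected; the zone we
#    forward to an internal server in step 3 does need an exemption.
stop-dns-rebind
rebind-domain-ok=/corp.example/

# Log queries so blocked lookups, and the clients issuing them, are visible.
log-queries
log-facility=/var/log/dnsmasq.log
```

After dropping the file into `/etc/dnsmasq.d/`, `dnsmasq --test` checks the syntax before a restart; `dig nas.lab @127.0.0.1` and `dig www.icloud.com @127.0.0.1` confirm the two behaviours (an A record for the former, NXDOMAIN for the latter). The order of matching is by longest domain suffix, which is why a single-label rule such as `/lab/` catches every name beneath it.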

bombcar 7 hours ago

This works great (and I use it) internally but when you want things like your docker domains to work when you're on the go, it's annoying.

I have setup a VM running DNS on my laptop before ...

ProllyInfamous 6 hours ago

It is not too difficult to allow your PiHole to serve you globally (but it does require opening some ports in your firewall == additional security risk).

There is a simple checkbox within the DNS's web interface to `Allow WAN Requests`. You'd then only run into issues of accessing your local IP addresses if those hosts aren't configured correctly within your network rulesets.

----

I am a user, not an expert; by trade, I am a blue collar electrician. I know very little about internet topology except how to use simple open-source hardware. Perhaps what you said makes sense (e.g. that you cannot use some service(s) outside your network).
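The `Allow WAN Requests` checkbox discussed above corresponds to dnsmasq's listening options. The fragment below is an added example, not the thread's or Pi-hole's own configuration; interface names and the WireGuard tunnel are assumptions. It shows the two ways of keeping the resolver from becoming an open resolver on the Internet (answering recursion for anyone, which is what makes it usable in reflection attacks) while still reaching it from the road over a VPN.

```conf
# /etc/dnsmasq.d/20-listen.conf
# Constructed example: interface names and the VPN interface are assumptions.

# Option A (Pi-hole's "Allow only local requests"): answer only for sources on
# a subnet this host has an address on. Note that dnsmasq ignores local-service
# as soon as any interface=/listen-address= line is present, so pick A or B.
#local-service

# Option B: bind only to the LAN and the VPN tunnel, never the WAN-facing NIC.
# Remote clients connect to wg0 first, then resolve through the Pi-hole, so no
# port 53 needs to be opened on the firewall.
interface=eth0
interface=wg0
bind-interfaces
```

With option B, `ss -lunp | grep :53` after a restart should list only the eth0 and wg0 addresses; if the WAN address appears, the resolver is reachable from outside and `log-queries` will soon show lookups from strangers.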

bombcar 5 hours ago

Yeah that can work, though at that point I start to consider just exposing my "internal" DNS to the world at large - who cares if secret_service.mydomain.net can be seen by everyone to resolve to 192.168.88.4?

You can also do VPN tricks, too.