
I find having one piece of low-power hardware that is always on a handy tool. A homeserver+router, basically. I can decloud a lot of things. Having a beefier piece of hardware makes it a non-issue. I try to run things in Docker for modularity. Total hardware cost is competitive with a high-end router, but I think I get more.

Bind9 seems to be better for blocking. RPZ is made for it. I don't think dnsmasq supports RPZ, though projects like Pi-Hole use dnsmasq. I'm not positive, but I think RPZ is more flexible. Bind9 seems to do anything you like. I may want to resolve DNS myself and not just forward.

I'm starting to look into configuring Bind9 to have different blocking per user using "views." Some want Facebook, some don't, so I can block accordingly. I'm not sure you can do that in dnsmasq. I did discover subtle things break, like you can't block Facebook and still access Instagram, thus the "views" approach. I don't want to change the hosts file on every device, especially mobiles, and can even provide some protection for guests this way. I might do a captive page for a blocked domain and let people bypass in their view if they like, then I can have a "block-first" approach.

I do like network-wide blocking for the malware lists - if anyone acquires malware, it can't phone home (if it's on the list) and I can detect via logs. DNS as firewall seems to be a trend. I'm looking into blocking IPs via iptables as well using public lists. Maybe I'll even set up Snort or Bro. The possibilities are endless.
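The per-client "views" plus RPZ setup described in the comment, as an added configuration example (not the commenter's own config): one `named.conf` with two views selected by source address, a malware RPZ zone applied to everyone, a second social-media RPZ zone applied only to the "strict" clients, and an `rpz` log channel so rewrites can be reviewed. The ACL ranges, file paths and zone names are assumptions chosen for illustration; the RPZ zone file at the end uses `CNAME .` to answer NXDOMAIN for the listed names.

```conf
# /etc/bind/named.conf  (assumed path; example, not from the original post)

options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query     { localnets; };   # only answer the LAN
    allow-recursion { localnets; };   # never be an open resolver
};

# Clients that get the stricter policy are matched by source IP, so give
# them static DHCP reservations; a device on a different address falls
# through to the "default" view.
acl "strict_clients" { 192.168.1.0/25; };   # constructed range

logging {
    # Every RPZ rewrite is logged here: who asked, which name, which zone hit.
    channel rpz_log {
        file "/var/log/named/rpz.log" versions 5 size 10m;
        severity info;
        print-time yes;
    };
    category rpz { rpz_log; };
};

view "strict" {
    match-clients { strict_clients; };
    recursion yes;
    # Policy zones are consulted in order; first match wins.
    response-policy {
        zone "malware.rpz.local";
        zone "social.rpz.local";
    } qname-wait-recurse no;

    zone "malware.rpz.local" { type master; file "/etc/bind/rpz/malware.db"; };
    zone "social.rpz.local"  { type master; file "/etc/bind/rpz/social.db"; };
    zone "." { type hint; file "/usr/share/dns/root.hints"; };
};

view "default" {
    match-clients { any; };
    recursion yes;
    # Network-wide: only the malware list applies to everyone else.
    response-policy { zone "malware.rpz.local"; } qname-wait-recurse no;

    zone "malware.rpz.local" { type master; file "/etc/bind/rpz/malware.db"; };
    zone "." { type hint; file "/usr/share/dns/root.hints"; };
};

# /etc/bind/rpz/social.db  (assumed path; constructed content)
# $TTL 300
# @               IN SOA  localhost. root.localhost. ( 1 3600 900 604800 300 )
#                 IN NS   localhost.
# facebook.com    CNAME . ; CNAME "." = answer NXDOMAIN
# *.facebook.com  CNAME .
```

Run `named-checkconf` and `named-checkzone social.rpz.local /etc/bind/rpz/social.db` before reloading; a syntax slip in a view silently takes that whole view down. Because the two views are chosen purely by source address, the "protection for guests" the comment mentions only holds as long as guest devices land in the expected range, so pair the ACL with DHCP reservations or a separate guest subnet. The breakage the comment observed (Instagram failing when Facebook is blocked) shows up in `rpz.log` as rewrites for names the user did not type, which is the quickest way to find which extra names a list is catching.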


