[HN Gopher] Show HN: Sinkzone DNS - Forwarder that blocks everyt...
       ___________________________________________________________________
        
       Show HN: Sinkzone DNS - Forwarder that blocks everything except
       your allowlist
        
       Most site blockers work by blacklisting distractions. That never
       worked for me: the internet is too big, and there's always
       something new to waste time on. I wanted the opposite: allowlist-
       only browsing. Block everything by default, and explicitly allow
       only what I need. So I built Sinkzone: a local DNS forwarder with
       two modes:
        
       Monitor mode: lets all traffic through, but logs every domain so
       you can decide what to allow.
        
       Focus mode: only allowlisted domains resolve; everything else is
       blocked (NXDOMAIN).
        
       It's open source, written in Go, and runs locally on macOS, Linux,
       and Windows. Works a bit like Pi-hole, but instead of blocking ads,
       it blocks everything unless you say otherwise. I'm curious if this
       would be useful in your workflow. If you try it, please let me know
       what breaks, what works well, and what you'd improve.
        
       Author : dominis
       Score  : 63 points
       Date   : 2025-08-06 16:08 UTC (6 hours ago)
        
 (HTM) web link (github.com)
 (TXT) w3m dump (github.com)
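       The allowlist-only forwarding logic the post describes, as an added example in Python (not Sinkzone's own code, which is written in Go): it parses the query name out of a raw DNS packet, applies the allowlist with subdomain matching, answers NXDOMAIN in focus mode, and in monitor mode logs the name and forwards the query unchanged upstream. The allowlist entries, the sample queries built by `build_query`, the `127.0.0.1:5353` listen address and the `127.0.0.1:53` upstream are constructed assumptions.

```python
"""Allowlist-only DNS forwarder core: added example, not Sinkzone's code.

Assumptions: allowlist entries are bare domains and match themselves and
all subdomains; in focus mode a non-matching query gets NXDOMAIN (RCODE 3)
synthesised from the query itself; in monitor mode every name is logged
and the query is forwarded unchanged to a single upstream resolver.
"""
import socket
import struct

RCODE_NXDOMAIN = 3
HEADER_LEN = 12  # fixed DNS header size


def parse_qname(packet: bytes) -> str:
    """Return the lower-cased name from the first question of a DNS packet."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than a DNS header")
    labels, pos = [], HEADER_LEN
    while True:
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:  # compression pointers do not occur in a plain question
            raise ValueError("unexpected compression pointer in question")
        pos += 1
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels).lower()


def is_allowed(qname: str, allowlist) -> bool:
    """True if qname equals an allowlisted domain or is a subdomain of one.

    The leading dot is required so 'notycombinator.com' does not match
    an allowlist entry of 'ycombinator.com'.
    """
    name = qname.lower().rstrip(".")
    for entry in allowlist:
        entry = entry.lower().strip().rstrip(".")
        if name == entry or name.endswith("." + entry):
            return True
    return False


def nxdomain_response(query: bytes) -> bytes:
    """Build an NXDOMAIN reply that echoes the query's ID and question section."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    opcode = flags & 0x7800
    rd = flags & 0x0100
    # QR=1, opcode copied, RD copied, RA=1, RCODE=3; no answer/authority/additional
    resp_flags = 0x8000 | opcode | rd | 0x0080 | RCODE_NXDOMAIN
    header = struct.pack("!HHHHHH", txid, resp_flags, qdcount, 0, 0, 0)
    pos = HEADER_LEN
    while query[pos] != 0:      # walk the QNAME labels
        pos += 1 + query[pos]
    pos += 1 + 4                # terminating zero, then QTYPE and QCLASS
    return header + query[HEADER_LEN:pos]


def rcode(packet: bytes) -> int:
    """Extract the response code from a DNS packet's flags."""
    return struct.unpack("!H", packet[2:4])[0] & 0x000F


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed sample input: a minimal A/IN query with RD set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def handle_query(query: bytes, allowlist, focus: bool, forward, log: list) -> bytes:
    """Decide one query. `forward(query) -> bytes` sends it upstream."""
    name = parse_qname(query)
    log.append(name)                       # monitor mode: record every domain seen
    if focus and not is_allowed(name, allowlist):
        return nxdomain_response(query)   # focus mode: sink everything not allowlisted
    return forward(query)


def udp_forwarder(upstream=("127.0.0.1", 53), timeout=2.0):
    """Return a forward() that relays a query to one upstream resolver over UDP.
    The upstream address is an assumption; a real deployment would configure it."""
    def forward(query: bytes) -> bytes:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, upstream)
            return s.recv(4096)
    return forward


def serve(listen=("127.0.0.1", 5353), allowlist=("ycombinator.com",),
          focus=True, upstream=("127.0.0.1", 53)):
    """Blocking UDP loop (assumed listen address); point the OS resolver at it."""
    forward, log = udp_forwarder(upstream), []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(listen)
        while True:
            query, client = sock.recvfrom(4096)
            try:
                sock.sendto(handle_query(query, allowlist, focus, forward, log), client)
            except (ValueError, socket.timeout):
                pass  # malformed query or upstream did not answer: drop it


if __name__ == "__main__":
    serve()
```

       Two points this makes concrete: the NXDOMAIN answer is synthesised from the query itself (same transaction ID, same question), so clients treat the block as an authoritative "no such name" rather than a timeout, and the suffix match requires a label boundary so that a lookalike domain cannot ride in on an allowlist entry. The forwarder only ever sees queries that are sent to it; as later comments note, an application that resolves over DoH or connects to a hardcoded IP never consults it.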
        
       | artooro wrote:
       | How is this better than using Pi-hole to do the same? It can also
       | run in an allow only mode as I understand.
        
         | daft_pink wrote:
         | I think the idea is that it blocks everything on your machine
         | instead of causing the whole network to go offline, as Pi-holes
         | are generally applied to the entire home network.
         | 
         | Your mileage might vary, but in my home, causing my smarthome
         | plus my wife and children's internet to go offline might cause
         | a bigger distraction to my focus. Also, you couldn't use a
         | Pi-hole at work, for instance.
        
         | dominis wrote:
         | I wanted to build my tool because eventually I want to support
         | multi-tenancy. Custom allowlists and schedules for all family
         | members.
        
         | mikehotel wrote:
         | - single binary file deployment
         | 
         | - TUI based configuration
         | 
         | - API endpoints
        
         | pluto_modadic wrote:
         | "can run" / "can be configured to run" / "is not documented but
         | can" != "is purpose built for allowlisting workflow as simple
         | as possible"
        
           | dominis wrote:
           | <3
        
       | eszpee wrote:
       | Sounds interesting! The Pomodoro app I'm using for focus times
       | has this feature built in (I wrote about it here:
       | https://peterszasz.com/finding-focus-through-intention-and-a...
       | ), but before finding that, I would've definitely tried this.
       | 
       | Improvement idea: Integrate with Apple Shortcuts, so the user
       | could automate switching focus mode on and off, tied to changing
       | Apple Focus mode.
        
         | dominis wrote:
         | Hey Eszpee, thanks for checking Sinkzone out. I'm thinking
         | about building custom schedules in the next iteration; that
         | would support some basic pomodoro-style scheduling for sure.
        
       | buzicsotto wrote:
       | This sounds awesome - I wish I could run it on my iphone, because
       | otherwise it's not even gonna put a dent in my infinite capacity
       | for slacking off....
        
         | dominis wrote:
         | It's on my list :)
        
         | zikduruqe wrote:
         | Run Tailscale/Wireguard on your iPhone, back to your RPi at
         | home. Use your RPi as your DNS server. Something, something,
         | profit.
        
       | pozsi wrote:
       | Will this work when I'm connected to the company vpn? We have a
       | private DNS zone set up for our private network, and this would
       | probably mess up my DNS config. It would be awesome if it worked
       | though!
        
         | dominis wrote:
         | You can configure your upstream resolvers in the config, so I
         | think Sinkzone can be placed in front of your VPN's resolver. I
         | never tested this to be honest.
        
       | fasouto wrote:
       | Interesting approach... Initially I thought it was bit overkill
       | but I found myself picking my phone when I have a site blocked on
       | my laptop.
       | 
       | Happens more than I'm willing to admit, so I guess I will give
       | it a try.
        
         | dominis wrote:
         | I'm planning to address the issue for phones as well in the
         | future.
        
           | mlhpdx wrote:
           | I built a DNS resolver on Proxylity[1] as a demo but it
           | didn't occur to me that block by default was a use case. I
           | might have to add that.
           | 
           | My suggestion: Allow by ASN would be a clean (simple) way to
           | get all of Google, etc., allowed at once.
           | 
           | [1] https://github.com/proxylity/examples/tree/main/dns-filter
        
       | lpman wrote:
       | I usually edit my hosts file and point unwanted domains to
       | localhost. This seems more elegant
        
         | dominis wrote:
         | I've used https://github.com/StevenBlack/hosts myself for a few
         | years, I think this is a fantastic collection for hosts based
         | blocking.
        
       | q2dg wrote:
       | AdGuardHome fills the same gap, doesn't it?
        
         | dominis wrote:
         | I'm not familiar with this project, just checked their GitHub
         | Readme and if I understand correctly they block what you want
         | them to block. Sinkzone does the opposite, it allows what you
         | want to allow, and blocks everything else.
        
           | q2dg wrote:
           | Well, you can block everything using a wildcard blocking rule
           | (for that, go to "Filters - DNS blocklists" and add this
           | custom rule: ||*^ ) and then you can allow the domain (and
           | subdomains, if needed, for instance
           | "everything.ycombinator.com"; for that, go to "Filters -
           | Allowlist" and add this: @@||ycombinator.com^ )
        
             | ameshkov wrote:
             | Alternatively, you can do something like this:
             | *$denyallow=example.org|example.com
             | 
             | Blocks everything except example.org and example.com.
             | 
             | Works in AdGuard Home, AdGuard DNS or any other AG product
             | with DNS filtering capabilities:
             | https://adguard-dns.io/kb/general/dns-filtering-syntax/
        
       | Duchambe_Double wrote:
       | Yeap yeap - exactly what I needed! When on iOS?!??
        
       | rookderby wrote:
       | I like this tool a lot and think it's superior to my own
       | automation tools to generate giant host file blocklists. So, I'll
       | be looking into switching to sinkzone. That said, my
       | understanding is that applications can still make direct
       | connections where an application connects using an IP address
       | (without looking it up via DNS). I guess I use firewalls for that
       | but haven't gotten around to adjusting anything from the
       | defaults. Also could use a reverse proxy but haven't taken the
       | time to set one of those up yet either. Does anyone have
       | recommendations for a 'second step' on the network security path?
       | Set up a PF router?
        
       | a022311 wrote:
       | Looks really streamlined!
       | 
       | Currently, when I need to focus, I use a separate device
       | configured to block everything except 2-3 domains I really need
       | to minimize distractions. What really makes Sinkzone interesting
       | is the scheduling with focus mode, which can be incredibly useful.
       | My current firewall, OpenSnitch, only lets you toggle all rules at
       | once, so Sinkzone could be useful for allowing just the focus
       | domains.
       | 
       | I think a useful feature to consider is having different profiles
       | which would essentially be collections of domains to allow. So
       | you could have "focus", but also "work" or "kids" as well
       | allowing for more flexibility.
       | 
       | As I previously mentioned, I'm currently using OpenSnitch [1] as
       | a system-level firewall that has a similar allowlist-only
       | functionality. While the popups to allow/reject a connection
       | initially disturb your workflow, after a short period of usage,
       | you end up with a small collection of rules and you'll pretty
       | much only see them again when browsing new websites. The
       | advantage over DNS-level blocking is that you also get to block
       | per process and not just device (or network). Since it uses eBPF,
       | processes can't get around it by using a different DNS server or
       | something. I'm really missing profiles and scheduling though, so
       | I hope you can build a viable alternative to switch to!
       | 
       | [1]: https://github.com/evilsocket/opensnitch
        
       | mlhpdx wrote:
       | No DoH support? The browser seems like the source of
       | distractions.
        
         | dominis wrote:
         | Thank you for the idea, I've created an issue:
         | https://github.com/berbyte/sinkzone/issues/1
        
         | cr125rider wrote:
         | What does DoH mean?
        
           | mlhpdx wrote:
           | DNS over HTTPS, which is something that browsers (optionally)
           | use to keep DNS traffic in an encrypted channel.
        
       | doodlebugging wrote:
       | I see it has a Windows installer. I might have to try that on my
       | old Win7 Pro system.
       | 
       | I will likely move on to Win10 now that it is ending support
       | later this year so I might try there too. Windows support is best
       | consumed in small chunks so once they deep-six Win10 it will be
       | ready for consumption since the only "updates" it is likely to
       | get are those strictly related to protecting it from malware.
       | 
       | Years ago there was a software firewall called SyGate that
       | allowed a user to block everything and then set allow rules as
       | they needed so that the only applications that could get out were
       | those explicitly allowed by the user. The internet was young and
       | there were fewer bad actors so it was way ahead of its time on
       | the consumer side. You could install the free version or pay for
       | a premium version. It was bought out in the late 90's I think by
       | Norton or one of those other big units (Symantec?) who used all
       | the good parts in their own "improved" firewalls, for a lot of
       | money though.
       | 
       | I like this idea of blocking everything except the things you
       | know you need.
        
         | 57FkMytWjyFu wrote:
         | https://github.com/henrypp/simplewall
        
         | mfro wrote:
         | For application level firewalling like you describe I use:
         | 
         | https://github.com/tnodir/fort
        
         | SturgeonsLaw wrote:
         | While we're throwing out recommendations for Windows software
         | firewalls, I've previously used and liked Portmaster. Nice UI
         | and it's open source.
         | 
         | https://safing.io/portmaster/
        
       | cagenut wrote:
       | real devops pro contrarian move "what if I broke DNS so hard it
       | actually made me _better_ at my job"
        
       ___________________________________________________________________
       (page generated 2025-08-06 23:01 UTC)