Posted by u/dominis 20 days ago
Show HN: Sinkzone DNS – Forwarder that blocks everything except your allowlist
github.com/berbyte/sinkzo...
Most site blockers work by blacklisting distractions. That never worked for me: the internet is too big, and there’s always something new to waste time on.

I wanted the opposite: allowlist‑only browsing. Block everything by default, and explicitly allow only what I need.

So I built Sinkzone: a local DNS forwarder with two modes:

Monitor mode: lets all traffic through, but logs every domain so you can decide what to allow.

Focus mode: only allowlisted domains resolve; everything else is blocked (NXDOMAIN).

It’s open source, written in Go, and runs locally on macOS, Linux, and Windows. Works a bit like Pi‑hole, but instead of blocking ads, it blocks everything unless you say otherwise.

I’m curious if this would be useful in your workflow. If you try it, please let me know what breaks, what works well, and what you’d improve.
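The two modes boil down to one decision per query. As an added illustration (not Sinkzone's own code; `Policy`, `Allowed` and `Decide` are hypothetical names), here is that decision in Go, with label-aware allowlist matching so an entry also covers its subdomains but not a look-alike name such as `notexample.com`:

```go
package main

import "strings"

// Mode mirrors the two modes described in the post.
type Mode int

const (
	Monitor Mode = iota // forward everything, log every name
	Focus               // forward only allowlisted names, else NXDOMAIN
)

// Policy is a hypothetical stand-in for the forwarder's decision state;
// an allowlist entry also covers all of its subdomains.
type Policy struct {
	Mode  Mode
	Allow []string
	Seen  map[string]int // monitor-mode log: query name -> count
}

// normalize lower-cases a name and strips the trailing dot of a DNS FQDN.
func normalize(name string) string {
	return strings.TrimSuffix(strings.ToLower(name), ".")
}

// Allowed does label-aware suffix matching, so "notexample.com" does
// not match an allowlist entry of "example.com".
func (p *Policy) Allowed(qname string) bool {
	q := normalize(qname)
	for _, a := range p.Allow {
		if a = normalize(a); q == a || strings.HasSuffix(q, "."+a) {
			return true
		}
	}
	return false
}

// Decide reports whether the query is forwarded upstream (true) or
// answered NXDOMAIN (false). Monitor mode forwards everything but
// records each name so the allowlist can be built from real traffic.
func (p *Policy) Decide(qname string) bool {
	if p.Mode == Monitor {
		if p.Seen == nil {
			p.Seen = map[string]int{}
		}
		p.Seen[normalize(qname)]++
		return true
	}
	return p.Allowed(qname)
}
```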

a022311 · 19 days ago
Looks really streamlined!

Currently, when I need to focus, I use a separate device configured to block everything except 2-3 domains I really need to minimize distractions. What really makes Sinkzone interesting is the scheduling with focus mode, which can be incredibly useful. My current firewall, OpenSnitch, only lets you toggle all rules at once, so Sinkzone could be useful for allowing just the focus domains.

I think a useful feature to consider is having different profiles which would essentially be collections of domains to allow. So you could have "focus", but also "work" or "kids" as well allowing for more flexibility.

As I previously mentioned, I'm currently using OpenSnitch [1] as a system-level firewall that has a similar allowlist-only functionality. While the popups to allow/reject a connection initially disturb your workflow, after a short period of usage, you end up with a small collection of rules and you'll pretty much only see them again when browsing new websites. The advantage over DNS-level blocking is that you also get to block per process and not just device (or network). Since it uses eBPF, processes can't get around it by using a different DNS server or something. I'm really missing profiles and scheduling though, so I hope you can build a viable alternative to switch to!

[1]: https://github.com/evilsocket/opensnitch

rookderby · 20 days ago
I like this tool a lot and think it's superior to my own automation tools to generate giant host file blocklists. So, I'll be looking into switching to sinkzone. That said, my understanding is that applications can still make direct connections where an application connects using an IP address (without looking it up via DNS). I guess I use firewalls for that but haven't gotten around to adjusting anything from the defaults. Also could use a reverse proxy but haven't taken the time to set one of those up yet either. Does anyone have recommendations for a 'second step' on the network security path? Set up a PF router?
ectospheno · 19 days ago
I use hagezi lists via rpz for dns blocking with my own specified first for custom blocks and whitelisting.

Most of my ip blocking is by country or company. I have country, company-block, and company-allow lists in pf that are updated nightly.

I have found that once your dns list is sufficiently robust you rarely trigger an ip block. I have to add a new domain about once a month.

doodlebugging · 19 days ago
I see it has a Windows installer. I might have to try that on my old Win7 Pro system.

I will likely move on to Win10 now that it is ending support later this year so I might try there too. Windows support is best consumed in small chunks so once they deep-six Win10 it will be ready for consumption since the only "updates" it is likely to get are those strictly related to protecting it from malware.

Years ago there was a software firewall called SyGate that allowed a user to block everything and then set allow rules as they needed so that the only applications that could get out were those explicitly allowed by the user. The internet was young and there were fewer bad actors so it was way ahead of its time on the consumer side. You could install the free version or pay for a premium version. It was bought out in the late 90's I think by Norton or one of those other big units (Symantec?) who used all the good parts in their own "improved" firewalls, for a lot of money though.

I like this idea of blocking everything except the things you know you need.

mfro · 19 days ago
For application level firewalling like you describe I use:

https://github.com/tnodir/fort

SturgeonsLaw · 19 days ago
While we're throwing out recommendations for Windows software firewalls, I've previously used and liked Portmaster. Nice UI and it's open source.

https://safing.io/portmaster/

57FkMytWjyFu · 19 days ago
djfobbz · 16 days ago
I like SimpleWall but it’s really wonky at times, especially the UI and its search algorithm for searching rules or programs.
pozsi · 20 days ago
Will this work when I'm connected to the company VPN? We have a private DNS zone set up for our private network, and this would probably mess up my DNS config. It would be awesome if it worked though!
dominis · 20 days ago
You can configure your upstream resolvers in the config, so I think Sinkzone can be placed in front of your VPN's resolver. I've never tested this, to be honest.
eszpee · 20 days ago
Sounds interesting! The Pomodoro app I'm using for focus times has this feature built in (I wrote about it here: https://peterszasz.com/finding-focus-through-intention-and-a... ), but before finding that, I would've definitely tried this.

Improvement idea: Integrate with Apple Shortcuts, so the user could automate switching focus mode on and off, tied to changing Apple Focus mode.

dominis · 20 days ago
Hey Eszpee, thanks for checking Sinkzone out. I'm thinking about building custom schedules in the next iteration; that would support some basic pomodoro-style scheduling for sure.
mlhpdx · 19 days ago
No DoH support? The browser seems like the source of distractions.
dominis · 19 days ago
Thank you for the idea, I've created an issue: https://github.com/berbyte/sinkzone/issues/1
suchoudh · 19 days ago
Exactly my expectation as well.
cr125rider · 19 days ago
What does DoH mean?
mlhpdx · 19 days ago
DNS over HTTPS, which is something that browsers (optionally) use to keep DNS traffic in an encrypted channel.
mountainplus · 19 days ago
How would you handle export / import functionality?

I really like the inversion of block to allow; I think it makes sense.

In my use-case I would allow different lists for different profiles

(on the other hand I have blacklisted domains that I block regardless of using work / private / family profiles)

fasouto · 20 days ago
Interesting approach... Initially I thought it was a bit overkill, but I found myself picking up my phone when I have a site blocked on my laptop.

Happens more than I'm willing to admit, so I guess I will give it a try.

minkzilla · 19 days ago
nextdns lets you set times when domains are blocked. Originally I had it just for my computer but soon realized I needed it for my phone as well.
dominis · 20 days ago
I'm planning to address the issue for phones as well in the future.
mlhpdx · 19 days ago
I built a DNS resolver on Proxylity[1] as a demo but it didn’t occur to me that block by default was a use case. I might have to add that.

My suggestion: Allow by ASN would be a clean (simple) way to get all of Google, etc., allowed at once.

[1] https://github.com/proxylity/examples/tree/main/dns-filter