Use both methods instead of just one. They differ in nature, and can be implemented at different perimeters of your network. Maybe there exists certain chokeholds in the network where multiple devices can be protected in one go?
Personally, I would have pure IP blackhole routing performed in the router providing WAN access to internal networks. A blanket protection for all desktops and 802.11 devices inside.
Many devices today are locked-down and editing hosts records can be untrivial. Instead of relying on 0.0.0.0 routing through hosts, the same effect can be obtained by setting up a personal DNS server e.g. bind9 with RPZ's listing the targeted domains[1].
Why all that hassle? Because an unrooted smartphone with a Wireguard link to the DNS server (or full-on VPN using that DNS server), can have lookups made through the server you control. And that DNS service is available to use on any local network/Wi-Fi one has to use. IIRC 3G/4G/5G WAN routes were harder to get right, but I think it was possible. One could always route all traffic through a purposeful VPN.
Defense in depth.
---
[1]: fb.rpz.zone:
;RPZ
$TTL 10
@ IN SOA rpz.zone. rpz.zone. (
37;
3600;
300;
86400;
60 )
IN NS localhost.
.facebook.com IN A 0.0.0.0
.facebook.net IN A 0.0.0.0
.fbcdn.com IN A 0.0.0.0
.fbsbx.com IN A 0.0.0.0
.fbcdn.net IN A 0.0.0.0
.edgesuite.net IN A 0.0.0.0
Use both methods instead of just one. They differ in nature, and can be implemented at different perimeters of your network. Maybe there exists certain chokeholds in the network where multiple devices can be protected in one go?
Personally, I would have pure IP blackhole routing performed in the router providing WAN access to internal networks. A blanket protection for all desktops and 802.11 devices inside.
Many devices today are locked-down and editing hosts records can be untrivial. Instead of relying on 0.0.0.0 routing through hosts, the same effect can be obtained by setting up a personal DNS server e.g. bind9 with RPZ's listing the targeted domains[1].
Why all that hassle? Because an unrooted smartphone with a Wireguard link to the DNS server (or full-on VPN using that DNS server), can have lookups made through the server you control. And that DNS service is available to use on any local network/Wi-Fi one has to use. IIRC 3G/4G/5G WAN routes were harder to get right, but I think it was possible. One could always route all traffic through a purposeful VPN.
Defense in depth.
---
[1]: fb.rpz.zone:
;RPZ $TTL 10 @ IN SOA rpz.zone. rpz.zone. ( 37; 3600; 300; 86400; 60 ) IN NS localhost.
.facebook.com IN A 0.0.0.0 .facebook.net IN A 0.0.0.0 .fbcdn.com IN A 0.0.0.0 .fbsbx.com IN A 0.0.0.0 .fbcdn.net IN A 0.0.0.0 .edgesuite.net IN A 0.0.0.0