> Luckily I had set up NextDNS to block newly registered domains along with a list of uncommon TLDs so the site got blocked.
I go further: I generate tens of thousands of variants of all the "sensitive" websites we use (like banks and brokers).
All the "Levenshtein edit distance = 1" and some of the LED = 2. All variations of TLDs, etc.
I blocklist most TLDs (now that most are facetious): the entire TLD. I blocklist many countries both at the TLD level and by blocking their entire IP blocks (using ipsets).
For example for "keytradebank.be", I generate stuff like:
I don't care that most make no sense: I generate so many that those who could fool my wife are caught by my generator.
I then force the browser to use the "corporate" DNS settings: where DoH/DoT is forbidden from the browser to the LAN DNS. I can still use DoH/DoT after that if I feel like it.
So any DNS request passes through the local DNS resolver (the firewall ensures that too).
My firewall also takes care of rejecting any DNS lookup of an internationalized domain name (by inspecting packets on port 53 and dropping any that contain "xn--"). I don't care an iota about the legit (for some definition of legit) "pile of poo heart" websites.
My local DNS resolver has 600 000 entries blocked I think, something like that.
I then also use a DNS resolver blocking known malware/porn sites (CloudFlare's 1.1.1.3 for example).
So copycat phishing sites have to dodge my blocklist, the usual blocklists (which I also put in my DNS), then 1.1.1.3's blocklist.
P.S.: some people go further and block everything by default, then whitelist the sites they use. But it's a bit annoying to do with all the CDNs that have to be whitelisted, etc.
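The variant generator the comment above describes, written out as an added example (not the commenter's own code): every label at Levenshtein distance 1 (plus adjacent transpositions) is crossed with a list of TLDs and emitted as a lookup set a local resolver can block on. The sample TLD list is constructed and much shorter than a real deployment would use; the output format (a plain set of names) is an assumption.

```python
"""Generate edit-distance-1 typosquat candidates for a DNS blocklist (added example)."""
import string

# Characters allowed in a DNS label (letters, digits, hyphen); assumption: ASCII only,
# which matches the "drop anything containing xn--" rule above.
ALPHABET = string.ascii_lowercase + string.digits + "-"


def label_variants(label: str) -> set[str]:
    """Every label at Levenshtein distance 1 from `label` (deletion, substitution,
    insertion) plus adjacent transpositions, excluding the label itself and
    anything that is not a valid label (empty, leading or trailing hyphen)."""
    out: set[str] = set()
    n = len(label)
    for i in range(n):
        out.add(label[:i] + label[i + 1:])                       # deletion
        for c in ALPHABET:
            if c != label[i]:
                out.add(label[:i] + c + label[i + 1:])           # substitution
    for i in range(n + 1):
        for c in ALPHABET:
            out.add(label[:i] + c + label[i:])                   # insertion
    for i in range(n - 1):
        if label[i] != label[i + 1]:                             # transposition
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    out.discard(label)
    return {v for v in out if v and v[0] != "-" and v[-1] != "-"}


def blocklist(domain: str, tlds: list[str]) -> set[str]:
    """Cross the label variants (and the real label) with every TLD in `tlds`;
    the genuine domain itself is never included. Assumes a single-label name
    such as 'keytradebank.be'."""
    label, _, _tld = domain.lower().rpartition(".")
    names: set[str] = set()
    for lab in label_variants(label) | {label}:
        for tld in tlds:
            names.add(f"{lab}.{tld}")
    names.discard(domain.lower())
    return names


def is_blocked(qname: str, names: set[str]) -> bool:
    """Resolver-side check: normalise the query name (case, trailing dot) and look it up."""
    return qname.lower().rstrip(".") in names


# Constructed sample: one sensitive domain and a short TLD list.
SAMPLE_TLDS = ["be", "com", "net", "eu", "co"]
SAMPLE_BLOCKLIST = blocklist("keytradebank.be", SAMPLE_TLDS)

if __name__ == "__main__":
    print(len(SAMPLE_BLOCKLIST), "names; keytradebamk.be blocked:",
          is_blocked("keytradebamk.be", SAMPLE_BLOCKLIST))
```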