In clientless deployment scenarios, DefensX Anycast DNS currently returns an IP address that hosts the block page content. However, most of the traffic is encrypted, so a certificate must be installed on the client device before a block page can be displayed. Installing such a certificate is impractical for guest users.
Furthermore, for IoT devices like printers, installing a certificate is not only impossible but also unnecessary for blocking purposes. When the IP address in the DNS response points to the block page, these IoT devices still attempt TCP connections to that blocked IP address.
It would be beneficial to introduce an option for selecting the blocking method in Anycast DNS scenarios. This option would allow us to choose either the default mode, which returns a specific block IP address, or a mode that returns 0.0.0.0 for blocked traffic. The latter approach would prevent TCP connections on the client side, as 0.0.0.0 is invalid for TCP, resulting in an immediate block by the operating system.
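As an added example of what the proposed option means on the resolver side (this is not DefensX code): a minimal DNS sinkhole that answers A queries for blocked names in either mode, returning the block-page address by default or 0.0.0.0 in the proposed mode. The blocklist, the block-page address and the mode names are constructed assumptions.

```python
import socket
import struct
from typing import Optional, Tuple

# Constructed assumptions for this example (the page names no addresses):
BLOCK_PAGE_IP = "198.51.100.10"          # TEST-NET-2 placeholder for the block-page host
BLOCKLIST = {"ads.example", "tracker.example"}

def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Encode a standard A/IN query (RD=1) for qname, as a client would send it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + name + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def qname_of(packet: bytes) -> Tuple[str, int]:
    """Decode the (uncompressed) question name; return (name, offset after QTYPE/QCLASS)."""
    labels, pos = [], 12
    while packet[pos]:
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels), pos + 5  # skip root label, QTYPE and QCLASS

def sinkhole_address(qname: str, mode: str) -> Optional[str]:
    """Decide the A record: None (not blocked), the block-page IP, or 0.0.0.0."""
    if qname.lower() not in BLOCKLIST:
        return None
    if mode == "block_ip":      # default mode described in the request above
        return BLOCK_PAGE_IP
    if mode == "null_ip":       # proposed mode: no routable TCP destination is handed out
        return "0.0.0.0"
    raise ValueError(f"unknown blocking mode {mode!r}")

def build_response(query: bytes, mode: str) -> Optional[bytes]:
    """Return a DNS answer for a blocked name, or None to let the resolver recurse normally."""
    qname, qend = qname_of(query)
    ip = sinkhole_address(qname, mode)
    if ip is None:
        return None
    # Flags 0x8180: QR=1, RD=1, RA=1, RCODE=0; one question echoed, one answer
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    # Answer: pointer to the question name (0xC00C), type A, class IN, 60s TTL, 4-byte RDATA
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + query[12:qend] + answer

def answer_ip(response: bytes) -> str:
    """Extract the dotted-quad from the single A answer (for checking a response)."""
    return socket.inet_ntoa(response[-4:])
```

The short TTL keeps a switch between the two modes from lingering in client caches.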