RFC: allow redirection of user DNS requests to CloudFlare Family (or similar)
Before starting any implementation, I would like to discuss an idea, and see if there is enough interest in trying to join forces.
Right now, the Internet at large, rather than individual desktop applications, is the main source of adult-only content a child could encounter. As a father of two small children, I'd like to restrict access to a subset of all available websites which is deemed safe for underage children.
Cloudflare (among others, such as OpenDNS) offers a DNS server that blacklists several websites.
The issue is that a smart 11-12 year old can easily change the DNS address within the browser options if DoT / DoH is enabled. Guides on how to do so abound; just search Google. The same can be said about browser extensions.
Also, other adults use the same computer as separate users, and they shouldn't be prevented from accessing restricted websites if they so wish.
To solve the issue, my proposal goes in the direction of creating an eBPF filter linked to the user slice cgroup. The filter can then force a redirection of DNS packets to a configurable DNS server such as Cloudflare's. I believe it should also be possible in a further iteration to detect DoH attempts and disallow them (in favor of DoT, which for this use case is preferable anyway and an acceptable compromise), or rewrite them accordingly.
Thus, I would like to collect feedback on the idea of creating an eBPF program and associated loader to tackle this issue, and I am looking for other interested users to collaborate in the effort.
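
Added example, not part of the original post: a sketch of the per-cgroup redirect described above, using `cgroup/connect4` and `cgroup/sendmsg4` hooks to rewrite the destination of plain DNS on port 53. It covers IPv4 only; the function names and the `FILTER_DNS_IP4` constant (1.1.1.3, Cloudflare for Families) are assumptions, and the loader is not shown.

```c
/* Added example: IPv4 only; function names and FILTER_DNS_IP4 are assumptions. */
#ifdef __bpf__                      /* clang -O2 -g -target bpf -c dnsredir.c */
#include <linux/bpf.h>
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_endian.h>
#define HTONS bpf_htons
#define HTONL bpf_htonl
#else                               /* host build, to exercise the logic only */
#include <arpa/inet.h>
#define HTONS htons
#define HTONL htonl
#endif

#define DNS_PORT        53
#define FILTER_DNS_IP4  0x01010103u /* 1.1.1.3, Cloudflare for Families */

/* ip4 and port are in network byte order, as in struct bpf_sock_addr's
 * user_ip4 and user_port. Returns 1 when the destination was rewritten. */
static inline int redirect_dns(unsigned int *ip4, const unsigned int *port)
{
    if (*port != HTONS(DNS_PORT))
        return 0;                   /* not plain DNS (DoH on 443 is untouched) */
    if (*ip4 == HTONL(FILTER_DNS_IP4))
        return 0;                   /* already the filtering resolver */
    *ip4 = HTONL(FILTER_DNS_IP4);
    return 1;
}

#ifdef __bpf__
static __always_inline int rewrite(struct bpf_sock_addr *ctx)
{
    unsigned int ip4 = ctx->user_ip4, port = ctx->user_port;

    if (redirect_dns(&ip4, &port))
        ctx->user_ip4 = ip4;
    return 1;                       /* 1 = let the call proceed */
}

/* TCP connect() and connected UDP sockets */
SEC("cgroup/connect4")
int dns_connect4(struct bpf_sock_addr *ctx) { return rewrite(ctx); }

/* Unconnected UDP sendto()/sendmsg(); replies then arrive from 1.1.1.3, so a
 * cgroup/recvmsg4 hook may be needed for clients that check the source. */
SEC("cgroup/sendmsg4")
int dns_sendmsg4(struct bpf_sock_addr *ctx) { return rewrite(ctx); }

char LICENSE[] SEC("license") = "GPL";
#endif
```

Attaching the two programs only to the child's own cgroup under `user.slice` leaves the other users of the machine unaffected. Matching `connect6`/`sendmsg6` hooks are needed as well, since IPv6 resolvers are not touched by this sketch.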