2026-04-30
Language: Go
dnsbollocks is a work-in-progress defensive DNS proxy server for Windows, built in Go. The concept is straightforward and powerful: instead of trying to maintain an ever-growing blocklist of malicious domains, it flips the model entirely by operating on a whitelist-only basis. DNS requests are blocked by default unless the domain has been explicitly approved.
This is an interesting approach to endpoint security for several reasons:
Who would find this useful? Sysadmins managing restricted Windows environments — think point-of-sale terminals, shared workstations, or testing labs — where you want tight control over what network resources machines can reach. Security researchers and homelabbers experimenting with DNS-layer defenses would also find it a clean starting point to fork and extend. Even parents wanting a simple, aggressive content filter could adapt this approach.
Being a WIP project, there's an opportunity to get involved early — contributing features like logging, a web UI for managing the whitelist, or support for wildcard patterns could shape the tool into something genuinely practical.
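
The default-deny lookup described above, as an added Go example. It is not dnsbollocks' own code, and the `Allowlist` type, its methods and the sample domains are assumptions made for illustration. Names are matched exactly after normalising case and the trailing root dot, so subdomains and lookalike suffixes of an approved name stay blocked.

```go
package main

import (
	"fmt"
	"strings"
)

// Allowlist holds explicitly approved names (hypothetical type for this example).
type Allowlist struct {
	names map[string]struct{}
}

// normalize lowercases a query name and strips the trailing root dot,
// because DNS names are case-insensitive and "example.com." == "example.com".
func normalize(name string) string {
	return strings.ToLower(strings.TrimSuffix(strings.TrimSpace(name), "."))
}

// NewAllowlist builds the approved set from operator-supplied names.
func NewAllowlist(domains ...string) *Allowlist {
	a := &Allowlist{names: make(map[string]struct{})}
	for _, d := range domains {
		if n := normalize(d); n != "" {
			a.names[n] = struct{}{}
		}
	}
	return a
}

// Allowed reports whether a query may be forwarded upstream.
// Anything that is not an exact match falls through to the default: blocked.
func (a *Allowlist) Allowed(qname string) bool {
	n := normalize(qname)
	if n == "" {
		return false
	}
	_, ok := a.names[n]
	return ok
}

func main() {
	// Constructed sample data, not taken from the project.
	al := NewAllowlist("example.com", "Updates.Example.NET.")
	queries := []string{"EXAMPLE.com.", "www.example.com", "example.com.attacker.test", "updates.example.net"}
	for _, q := range queries {
		fmt.Printf("%-28s allowed=%v\n", q, al.Allowed(q))
	}
}
```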
