Show HN: Sinkzone DNS forwarder that blocks everything except your allowlist

31 dominis 21 8/6/2025, 4:08:23 PM github.com ↗
Most site blockers work by blacklisting distractions. That never worked for me: the internet is too big, and there’s always something new to waste time on.

I wanted the opposite: allowlist‑only browsing. Block everything by default, and explicitly allow only what I need.

So I built Sinkzone: a local DNS forwarder with two modes:

Monitor mode: lets all traffic through, but logs every domain so you can decide what to allow.

Focus mode: only allowlisted domains resolve; everything else is blocked (NXDOMAIN).

It’s open source, written in Go, and runs locally on macOS, Linux, and Windows. Works a bit like Pi‑hole, but instead of blocking ads, it blocks everything unless you say otherwise.

I’m curious if this would be useful in your workflow. If you try it, please let me know what breaks, what works well, and what you’d improve.
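
A sketch of the focus/monitor decision described in the post, as an added example that is not part of the original post and is not Sinkzone's code. The `Filter` type, the rule that an allowlisted domain also covers its subdomains, and the sample names are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Filter is a hypothetical type for this example, not Sinkzone's API.
type Filter struct {
	Focus bool            // true: focus mode; false: monitor mode
	Allow map[string]bool // allowlist entries, already normalized
	Seen  []string        // names recorded in monitor mode
}

// normalize lowercases a name and drops the root dot: "GitHub.COM." -> "github.com".
func normalize(name string) string {
	return strings.ToLower(strings.TrimSuffix(strings.TrimSpace(name), "."))
}

// Allowed reports whether name or one of its parent domains is allowlisted.
// It strips whole labels, so "evilycombinator.com" never matches "ycombinator.com".
func (f *Filter) Allowed(name string) bool {
	for n := normalize(name); n != ""; _, n, _ = strings.Cut(n, ".") {
		if f.Allow[n] {
			return true
		}
	}
	return false
}

// Decide returns "FORWARD" (ask the upstream resolver) or "NXDOMAIN".
func (f *Filter) Decide(name string) string {
	if !f.Focus {
		f.Seen = append(f.Seen, normalize(name)) // monitor mode: log, then let it through
	} else if !f.Allowed(name) {
		return "NXDOMAIN"
	}
	return "FORWARD"
}

func main() {
	f := &Filter{Focus: true, Allow: map[string]bool{"ycombinator.com": true}} // constructed allowlist
	for _, q := range []string{"news.ycombinator.com.", "evilycombinator.com"} {
		fmt.Println(q, f.Decide(q))
	}
}
```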

Comments (21)

fasouto · 39m ago
Interesting approach... Initially I thought it was a bit overkill, but I found myself picking up my phone when I have a site blocked on my laptop.

Happens more than I'm willing to admit, so I guess I will give it a try.

dominis · 27m ago
I'm planning to address the issue for phones as well in the future.
eszpee · 1h ago
Sounds interesting! The Pomodoro app I'm using for focus times has this feature built in (I wrote about it here: https://peterszasz.com/finding-focus-through-intention-and-a... ), but before finding that, I would've definitely tried this.

Improvement idea: Integrate with Apple Shortcuts, so the user could automate switching focus mode on and off, tied to changing Apple Focus mode.

dominis · 1h ago
Hey Eszpee, thanks for checking Sinkzone out. I'm thinking about building custom schedules in the next iteration that would support some basic Pomodoro-style scheduling for sure.
lpman · 31m ago
I usually edit my hosts file and point unwanted domains to localhost. This seems more elegant.
dominis · 28m ago
I've used https://github.com/StevenBlack/hosts myself for a few years; I think this is a fantastic collection for hosts-based blocking.
pozsi · 1h ago
Will this work when I'm connected to the company VPN? We have a private DNS zone set up for our private network, and this would probably mess up my DNS config. It would be awesome if it worked though!
dominis · 57m ago
You can configure your upstream resolvers in the config, so I think Sinkzone can be placed in front of your VPN's resolver. I never tested this to be honest.
q2dg · 25m ago
AdGuardHome fills the same gap, doesn't it?
dominis · 22m ago
I'm not familiar with this project, just checked their GitHub Readme and if I understand correctly they block what you want them to block. Sinkzone does the opposite, it allows what you want to allow, and blocks everything else.
q2dg · 3m ago
Well, you can block everything using a wildcard blocking rule (for that, go to "Filters → DNS blocklists" and add this custom rule: ||*^ ) and then you can allow the domain (and subdomains, if needed, for instance "everything.ycombinator.com"; for that, go to "Filters → Allowlist" and add this: @@||ycombinator.com^ )
artooro · 1h ago
How is this better than using Pi-hole to do the same? It can also run in an allow only mode as I understand.
daft_pink · 1h ago
I think the idea is that it blocks everything on your machine instead of causing the whole network to go offline, as Pi-holes are generally applied to the entire home network.

Your mileage might vary, but in my home, causing my smart home plus my wife and children’s internet to go offline might cause a bigger distraction to my focus. Also, you couldn’t use a Pi-hole at work, for instance.

pluto_modadic · 24m ago
"can run" / "can be configured to run" / "is not documented but can" != "is purpose built for allowlisting workflow as simple as possible"
dominis · 21m ago
<3
dominis · 1h ago
I wanted to build my tool because eventually I want to support multi-tenancy. Custom allowlists and schedules for all family members.
mikehotel · 1h ago
- single binary file deployment

- TUI based configuration

- API endpoints

buzicsotto · 1h ago
This sounds awesome - I wish I could run it on my iPhone, because otherwise it's not even gonna put a dent in my infinite capacity for slacking off....
dominis · 1h ago
It's on my list :)