Hi,
I’m currently using TechLockdown and I’m very satisfied with it overall — I plan to keep using it. It has been extremely helpful.
However, I’d like to raise a feature request / discussion point regarding browser enforcement and DNS behavior.
In my case, I need to use Arc for professional reasons. That means I can’t simply avoid Chromium-based browsers entirely. The challenge I’m seeing is this:
The current model seems to rely on blocking specific, named browser applications. But in reality:
• Not everyone uses only the listed browsers.
• There are many Chromium-based forks.
• Portable or alternative builds can be installed.
• Electron-based apps can embed their own web views.
More importantly:
In some Chromium-based browsers, it only takes a few clicks to enable a custom DNS-over-HTTPS provider. Once a browser uses its own encrypted DNS resolver, any system-level DNS filtering becomes effectively irrelevant.
That means switching DNS inside the browser can bypass restrictions very easily.
So my questions are:
1. Would it be technically feasible to move toward a whitelist-based approach (only explicitly allowed browsers can run)?
2. Is stronger enforcement of system DNS (or blocking in-browser DoH overrides) something being considered?
3. Without full MDM, is true enforcement even realistic at the app level?
I fully understand that there’s a difference between friction and true enforcement. I’m curious where TechLockdown positions itself long-term.
Additionally, I’d be interested if anyone — even outside of TechLockdown — has ideas for:
• Blocking in-browser DNS changes
• Preventing browser-level VPN/DNS overrides
• Making custom DNS or browser VPN settings unusable at a system level
• Hardening this without relying on Apple Business Manager or full MDM
I’m looking for a stronger technical model, not just behavioral friction.
Appreciate any insights.
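One concrete enforcement-side model for question 2 and the "blocking in-browser DNS changes" point, as an added example that is not part of this post or of TechLockdown: a Python audit of a Chromium profile's DoH preference, next to the managed policy that pins it off so the browser falls back to the system resolver. DnsOverHttpsMode and DnsOverHttpsTemplates are Chromium's documented enterprise policy names; the "Local State" key layout, the sample profile, and whether Arc honours these policies are assumptions to verify on the build you deploy.

```python
import json

# Chromium enterprise policy names (documented) that pin the browser's built-in
# DNS-over-HTTPS resolver off so lookups go to the system resolver instead.
DOH_OFF_POLICY = {"DnsOverHttpsMode": "off", "DnsOverHttpsTemplates": ""}


def audit_local_state(local_state_json: str) -> dict:
    """Read the DoH prefs a user has set in a Chromium 'Local State' file.

    Assumption: the prefs live under {"dns_over_https": {"mode", "templates"}};
    confirm against the browser build you manage before relying on it.
    """
    doh = json.loads(local_state_json).get("dns_over_https", {})
    mode = doh.get("mode", "automatic")
    templates = doh.get("templates", "").strip()
    # A custom template with DoH not switched off means the browser resolves
    # names by itself and never consults the (filtered) system resolver.
    return {"mode": mode, "templates": templates,
            "bypasses_system_dns": mode != "off" and bool(templates)}


def effective_doh_mode(user_pref_mode: str, managed_policy: dict) -> str:
    """Managed policy, when present, overrides the user's in-browser choice
    (the settings toggle is greyed out); otherwise the user's pref applies."""
    return managed_policy.get("DnsOverHttpsMode", user_pref_mode)


def render_policy_json() -> str:
    """Policy file body for a managed-policy directory such as
    /etc/opt/chrome/policies/managed/ on Linux; on macOS the same keys are
    delivered as managed preferences for the browser's bundle id."""
    return json.dumps(DOH_OFF_POLICY, indent=2)


# Constructed sample: a user switched the browser to a custom DoH provider.
SAMPLE_LOCAL_STATE = json.dumps({
    "dns_over_https": {"mode": "secure",
                       "templates": "https://doh.example.invalid/dns-query"}})

if __name__ == "__main__":
    finding = audit_local_state(SAMPLE_LOCAL_STATE)
    print("user pref:", finding)
    print("effective mode, no policy:  ", effective_doh_mode(finding["mode"], {}))
    print("effective mode, with policy:", effective_doh_mode(finding["mode"], DOH_OFF_POLICY))
    print(render_policy_json())
```

Shipping the policy file is the enforcement half; the audit function is what a periodic check can run over each profile to detect a user who flipped DoH on before the policy landed.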