Little Snitch is one of my favorite apps in the world, and it's one of the very first things I install on any new Mac.

For those unfamiliar, it monitors and restricts outbound connections that your applications are trying to make. For example, you might be working away and suddenly get a popup saying:

"Chrome is making an outbound TCP connection to adserver.trackallusers.com, port 9876. Do you want to:

- Allow or Deny the connection...

- To all hosts in the domain trackallusers.com, that specific hostname, or that specific IP address, or all hosts everywhere...

- On this port or any port...

- Protocol TCP...

- Once, or for the next 15 minutes / 1 hour / 2 hours / until I reboot / forever"

...and it will postpone making that connection until you answer. You can set defaults for that popup according to your own preferences, for instance to block by domain name instead of hostname so that "server432.example.com" and "server592.example.com" don't have to be managed separately.

When you first run Little Snitch, it's a bit overwhelming. Safari and Chrome want to talk to all kinds of things on TCP/80 and 443, so you pretty quickly say they're allowed to make any 80 or 443 connection they want without further pestering you. Soon you have good coverage of your apps' normal behaviors, and that's where it really shines. For instance, suppose your text editor commonly talks to "updateserver.example.com" to check for app updates. But this morning, it's suddenly trying to chat with "exfiltrator.badhost.ru". Uhh, maybe you want to block that and see what's going on.

And my earlier Chrome example isn't an exaggeration. It's surprising how many websites want to connect to ad or tracking servers on nonstandard ports. I actually appreciate that a lot because those connections stick out like sore thumbs and I can permanently deny them.

Sorry if this reads like an ad pitch for Little Snitch. I'm not associated with them, but I'm a very, very happy customer. Seeing something like it becoming available for my friends using Linux is awesome.

Using Little Snitch, and seeing the amount of phoning-home Chrome was doing, was my "straw that broke the camel's back". It tipped me over the edge: drove me back to Linux, Duck Duck Go, NextDNS (I'm not confident enough to "roll my own"), turning everything off on my phone (location services, search helpers etc.), and not using software that checks for updates or does the least amount of telemetry (I went from VSCode to Emacs)... favoring anything that doesn't track/use CDNs/anything by default: whatever is vaguely usable (no matter how annoying) and tracks the least, wins.

I could block it all with Little Snitch - but it's a technical solution to a political problem. I miss a lot of the convenience, and I miss a lot of the slickness/lovely UIs... but Lil' Snitch taught me that that's the price!

> I'm not confident enough to "roll my own"

For a local net, setting up pi-hole is doable, whilst setting it up over a VPN involves a bit of additional tooling.

A 100% uptime DNS on the public internet is tricky, but if you're okay with just DoH [0], the https://workers.dev free tier would give you a 100% uptime "anycast", low-latency DoH, enough for a single device's worth of queries for a month. At $5, you'd have enough for 100 devices.

I've got one set up with adblock forwarding queries to 1.1.1.1 and I see e2e latencies as low as 50ms regardless of location. This setup is a bit involved: you'd need to convert blocklists (the one I use has a million entries) to either a long string, custom LZ-compress it (~6 MiB) [1] and do a Boyer-Moore needle-haystack search on it for incoming questions (V8's native String#index impl uses a variant of Boyer-Moore) [2], or use a JSON map at a cost of higher RAM usage but blazing-fast lookups (~25 MiB), or use succinct radix trees for optimal RAM usage (~1.5 MiB) but relatively slower lookups, or use Bloom filters with low false positives but fast membership queries at extremely frugal RAM usage (~200 KiB) [3].

That said, the simplest way to ad-block would be to point the workers instance to adguard-doh.

[0] https://news.ycombinator.com/item?id=21598413

[1] https://github.com/pieroxy/lz-string/

[2] https://stackoverflow.com/questions/5562297/fast-search-in-c...

[3] https://news.ycombinator.com/item?id=22017868
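Added example, not code from anyone in this thread: the Bloom-filter blocklist option the comment above describes, in JavaScript since a Worker runs on V8. The blocklist entries are constructed, seeded FNV-1a is my choice of hash, and it assumes (like the Little Snitch "block by domain" rule) that an entry blocks the name and every subdomain under it.

```javascript
// Constructed sample blocklist; a real one would be the million-entry list mentioned above.
const BLOCKLIST = ["adserver.trackallusers.com", "badhost.ru", "tracker.example.net"];

// Seeded FNV-1a (32-bit): k different seeds give the k bit positions a Bloom filter needs.
function fnv1a(str, seed) {
  let h = (0x811c9dc5 ^ seed) >>> 0;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}

class BloomFilter {
  constructor(bits, k) {
    this.bits = bits;
    this.k = k;
    this.data = new Uint8Array(Math.ceil(bits / 8)); // ~bits/8 bytes of RAM, regardless of entry length
  }
  positions(name) {
    const out = [];
    for (let i = 0; i < this.k; i++) out.push(fnv1a(name, i * 0x9e3779b9) % this.bits);
    return out;
  }
  add(name) {
    for (const p of this.positions(name)) this.data[p >> 3] |= 1 << (p & 7);
  }
  // "maybe" on a hit (false positives possible), "definitely not" on a miss (no false negatives).
  mayContain(name) {
    return this.positions(name).every((p) => (this.data[p >> 3] >> (p & 7)) & 1);
  }
}

// ~10 bits per entry with k=7 gives roughly a 1% false-positive rate.
function buildFilter(domains, bitsPerEntry = 10) {
  const f = new BloomFilter(Math.max(1024, domains.length * bitsPerEntry), 7);
  for (const d of domains) f.add(d.toLowerCase());
  return f;
}

// Test the query name and each parent domain so "cdn.badhost.ru" is caught by the "badhost.ru" entry.
function isBlocked(filter, qname) {
  const labels = qname.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length - 1; i++) { // stop before the bare TLD
    if (filter.mayContain(labels.slice(i).join("."))) return true;
  }
  return false;
}
```

Because a hit only means "maybe", a production resolver confirms positives against an exact store before answering NXDOMAIN; that is the RAM-versus-accuracy trade-off the comment sketches.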