I kept adding network defenses at home until my girlfriend started screaming

I set up an experiment: how far can I push home network security, blocking ads, trackers, and all sorts of dangerous links, before my girlfriend notices anything? It was fine until her Reels stopped working, and she started suspecting me of spying on her. But the real danger is that you should never trust your internet provider, a public WiFi, or especially your boyfriend to provide settings for your connection. Use a VPN.
My home network is a fortress where I can decide how high to raise the (fire)wall and how deep I want the moat to sinkhole the network requests.
I have many internet-connected devices, including a game console, robot vacuum cleaner, smart TV, home theater receiver, computers, phones, and others.
They are all constantly doing something behind my back: sending telemetry, usage, and likely private data to the offshore servers, which then aggregate it, profile it, and return to me in the form of ads or worse.
I wanted to filter all unwanted traffic as much as possible. No ads on TV or receiver, no tracking from lightbulbs, less potential for sneaky links leading to anything malicious.
So the experiment idea was simple: I’ll keep adding network defenses one by one until my girlfriend notices anything.
It's very hard to find the balance between all the security and functionality, so I’ll let her be the litmus test that tells me where to stop.
My girlfriend is an average internet user who doesn’t know what DNS is and doesn’t bother to change these settings on her phone or computer—or her work laptop.
Which is very bad, and you’ll find out why.
Painful for a gamer
I recently built and installed a pfSense router-firewall as the main gateway to my home network, and it opens many configuration options—too many for me to understand.
But you don’t need any special equipment to secure yourself – similar results can be achieved with any router.
The first measure came as a default on the new router—no UPnP or NAT enabled. The abbreviations stand for “Universal Plug and Play” and “Network Address Translation.”
This was more painful for me, a gamer, and unnoticeable to my girlfriend. All home routers typically have no open ports, and it should be that way. However, when gamers want to host multiplayer games, NAT temporarily opens specific ports to allow incoming requests.
Disabled NAT means that I can only join games hosted by others and can no longer be a host. My Xbox warned that I won’t be able to use party chat or connect to some multiplayer games. But this is for security—no open ports means no hackers will exploit them to connect to my network.
With the firewall completely blocking incoming connections, next, I started introducing filters for outgoing connections to limit the appetite of home devices and apps we use. I will not tolerate all this tracking.
Blocking IPs and domains can break some websites
The second measure was network filtering using a security package known as pfBlockerNG-devel. This package can block outgoing requests to unwanted or malicious IP addresses. So, I set it up with basic settings to see if my girlfriend noticed anything.
This immediately makes parts of the internet inaccessible and blocks domains and IPs included in some basic blocklists, such as EasyList, consisting of bad IPs, ads, and trackers.
However, everything we used still worked just fine.
So I kept on adding.
The third measure was supposed to limit more traffic using a technique known as DNS sinkholing. The Domain Name System (DNS) is like a phone book for the internet that translates website addresses like cybernews.com to their corresponding IP addresses.
You can set up your router to provide your devices with a DNS configuration, and they will use the phone book of your choosing. Except those that have been configured manually to use a different DNS server.
So when a TV wants to reach a blocklisted server and asks my router for its IP, the router won’t provide it. Instead, it will lead the TV nowhere – to a sinkhole. The same applies to my girlfriend's devices and apps. If her app wants to send her data to a server that is included in the blocklist, it won’t be able to reach it.
Here’s how I implemented it. Instead of the Pi-hole I had lying around from the previous project, I chose to use the NextDNS service (no affiliation, I’m just a fan). The reason – it lets me tweak DNS settings remotely. This is useful if something breaks and my girlfriend, who works from home, needs to access something important.
I configured the router to act as a DNS forwarder, sending all DNS requests to a private NextDNS profile. Whenever a device uses the home network, it will receive this DNS configuration automatically via DHCP with its IP address.
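What a sinkhole resolver actually does with a query, as an added example in Python (my own illustration, not the author's pfSense or NextDNS configuration): it parses a DNS query in wire format, answers names on the blocklist (or under a blocked parent domain) with 0.0.0.0, lets an allowlist entry override a block, and forwards everything else to an upstream resolver. The blocklist and allowlist contents, the upstream address, and the listening port are placeholder assumptions for the demonstration.

```python
"""Minimal DNS sinkhole (added example; not the article's pfSense or NextDNS setup)."""
import socket
import struct
from typing import Callable, Optional, Tuple

SINKHOLE_IP = "0.0.0.0"        # blocked names resolve to nowhere
UPSTREAM = ("1.1.1.1", 53)     # assumption: plain-DNS upstream, used only by serve()
# Constructed lists for the example; a real deployment loads them from blocklist files.
BLOCKLIST = {"tracker.example", "ads.example.net"}
ALLOWLIST = {"cdn.tracker.example"}   # exception an app needs, like the article's "allow" clicks

def encode_name(name: str) -> bytes:
    """'a.b' -> b'\\x01a\\x01b\\x00' (DNS label format)."""
    return b"".join(bytes([len(x)]) + x.encode("ascii") for x in name.split(".") if x) + b"\x00"

def decode_name(packet: bytes, pos: int) -> Tuple[str, int]:
    """Read an uncompressed label sequence at pos; return (name, position after it)."""
    labels = []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            return ".".join(labels).lower(), pos
        if length & 0xC0:
            raise ValueError("compression pointer not allowed here")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length

def parse_question(packet: bytes) -> Tuple[int, str, int]:
    """Return (transaction id, queried name, qtype) of a single-question packet."""
    tid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, pos = decode_name(packet, 12)       # question follows the 12-byte header
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return tid, name, qtype

def build_query(tid: int, name: str, qtype: int = 1) -> bytes:
    """Standard recursive query (qtype 1 = A record)."""
    return struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)

def build_a_response(tid: int, name: str, ip: str, ttl: int = 60) -> bytes:
    """Response with one A record; 0xC00C points the answer name back at the question."""
    header = struct.pack("!HHHHHH", tid, 0x8180, 1, 1, 0, 0)   # flags QR|RD|RA, one answer
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(octet) for octet in ip.split("."))
    return header + question + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata

def first_a_record(response: bytes) -> Optional[str]:
    """IP of the first A record in a response, or None (handles a compressed answer name)."""
    if struct.unpack("!H", response[6:8])[0] == 0:   # ANCOUNT
        return None
    _name, pos = decode_name(response, 12)
    pos += 4                                   # skip qtype/qclass
    if response[pos] & 0xC0:
        pos += 2                               # compression pointer
    else:
        _name, pos = decode_name(response, pos)
    rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[pos:pos + 10])
    pos += 10
    if rtype != 1 or rdlen != 4:
        return None
    return ".".join(str(b) for b in response[pos:pos + 4])

def matches(name: str, entries: set) -> bool:
    """True if name or any parent domain is listed ('example.net' covers 'ads.example.net')."""
    parts = name.split(".")
    return any(".".join(parts[i:]) in entries for i in range(len(parts)))

def verdict(name: str, blocklist: set, allowlist: set) -> str:
    """Allowlist beats blocklist: that is how one app is un-broken without dropping a whole list."""
    if matches(name, allowlist):
        return "allow"
    return "block" if matches(name, blocklist) else "allow"

def handle(packet: bytes, blocklist: set, allowlist: set,
           upstream: Callable[[bytes], bytes]) -> Tuple[bytes, str]:
    """Sinkhole the query or hand it upstream. Returns (response, 'blocked' | 'forwarded')."""
    tid, name, _qtype = parse_question(packet)
    if verdict(name, blocklist, allowlist) == "block":
        return build_a_response(tid, name, SINKHOLE_IP), "blocked"
    return upstream(packet), "forwarded"

def serve(bind=("127.0.0.1", 5353)) -> None:
    """Run the sinkhole as a UDP resolver on bind; one verdict line is printed per query."""
    def udp_upstream(packet: bytes) -> bytes:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as u:
            u.settimeout(3)
            u.sendto(packet, UPSTREAM)
            return u.recv(4096)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(bind)
        while True:
            packet, client = s.recvfrom(4096)
            response, outcome = handle(packet, BLOCKLIST, ALLOWLIST, udp_upstream)
            print(parse_question(packet)[1], outcome)
            s.sendto(response, client)

if __name__ == "__main__":
    serve()
```

Running the file starts the resolver on 127.0.0.1:5353; pointing one test machine's DNS at it shows the article's trade-off directly: `metrics.tracker.example` gets 0.0.0.0 because its parent is listed, `cdn.tracker.example` is forwarded because the allowlist wins, and the per-query log line is exactly the visibility the article's later section worries about.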
In the beginning, I turned on all the available security options, and there were quite a lot of them:
- Threat Intelligence Feeds: blocks malware, phishing, and command-and-control server domains, updated in real time.
- AI-Driven Threat Detection: blocks domains based on AI-detected signals
- Google Safe Browsing: blocks unsafe sites detected by the tech giant.
- Cryptojacking Protection: stops connections linked to unauthorized crypto mining.
- DNS Rebinding Protection: blocks attacks that lead to private IP addresses.
- IDN Homograph Protection: blocks lookalike domains using similar characters.
- Typosquatting Protection: blocks mistyped domain scams (e.g., gooogle.com).
- Domain Generation Algorithms (DGAs) Protection: some hackers use algorithms to generate various malicious domains for their servers. This blocks known malware families.
- Newly Registered Domains: no to domains less than 30 days old.
- Dynamic DNS Blocking: blocks malicious subdomains that are free, or cheap, and often used in phishing without any validation or identity verification.
- Parked Domains: blocks ad-filled, low-value parked domains (domains that are registered but do not have a real website or content).
- Child Sexual Abuse Material: blocks domains hosting child sexual abuse material, detected with the help of Project Arachnid, operated by the Canadian Centre for Child Protection.
I also selected “Block Disguised Third-Party Trackers” in the privacy settings of NextDNS.
And I waited.
And still, nothing. I was staring at my girlfriend, waiting for any feedback, but she didn’t notice anything. Thousands of queries were blocked every day, but there was no noticeable degradation in user experience.

It took a while for her to notice – she wasn’t happy
It was time to pull out the big guns – the most aggressive block lists.
A blocklist is a pre-made list of domains and IPs that will no longer be accessible once applied. There are dozens of blocklists maintained by tech enthusiasts, communities, and even commercial companies. You can easily check what’s inside them, but it’s hard to track what changes over time, because they usually contain tens of thousands of IPs and domains.
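Because blocklists come in several formats and change silently, the practical way to keep track of them is to normalise each list into a plain set of domains and diff snapshots over time. The following is an added Python example (mine, not the article's, NextDNS's or pfBlockerNG's code) that parses hosts-format, plain domain-per-line and adblock-syntax lists into one set, drops entries already covered by a listed parent domain, and reports what a new snapshot added and removed. The two snapshots are constructed for the example and are not real list contents.

```python
"""Normalise blocklists and diff two snapshots (added example, not the article's tooling).

Handles the formats met in practice: hosts files ("0.0.0.0 domain"), plain domain lists,
and adblock syntax ("||domain^"). Cosmetic adblock rules ("example.org##.ad") are skipped
because they hide page elements, they do not block domains.
"""
import re
from typing import Dict, Set

# Conservative hostname check: ASCII labels, at least one dot, alphabetic TLD.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")
ADBLOCK_DOMAIN_RE = re.compile(r"^\|\|([^\^/$|]+)\^")   # ||domain^ with optional $options after
HOSTS_TARGETS = {"0.0.0.0", "127.0.0.1", "::", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}


def parse_blocklist(text: str) -> Set[str]:
    """Return the set of blocked domains found in text, whatever its format."""
    domains: Set[str] = set()
    for raw in text.splitlines():
        if "##" in raw or "#@#" in raw:
            continue                                  # adblock cosmetic rule, not a domain block
        line = raw.split("#", 1)[0].strip()           # '#' starts a comment in hosts files
        if not line or line[0] in "![":
            continue                                  # blank, adblock '!' comment, or [Adblock Plus] header
        m = ADBLOCK_DOMAIN_RE.match(line)
        if m:
            candidate = m.group(1)
        else:
            parts = line.split()
            # hosts format lists the sinkhole address first, then the domain
            candidate = parts[1] if len(parts) >= 2 and parts[0] in HOSTS_TARGETS else parts[0]
        candidate = candidate.lower().rstrip(".")
        if candidate not in LOCAL_NAMES and DOMAIN_RE.match(candidate):
            domains.add(candidate)
    return domains


def collapse(domains: Set[str]) -> Set[str]:
    """Drop entries already covered by a listed parent ('ads.x.com' is redundant if 'x.com' is listed)."""
    kept = set()
    for d in domains:
        parts = d.split(".")
        parents = (".".join(parts[i:]) for i in range(1, len(parts) - 1))
        if not any(p in domains for p in parents):
            kept.add(d)
    return kept


def diff_blocklists(old: Set[str], new: Set[str]) -> Dict[str, object]:
    """What a new snapshot adds and removes, so a silent update that breaks an app can be traced."""
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "unchanged": len(old & new),
    }


def diff_snapshots(old_text: str, new_text: str) -> Dict[str, object]:
    """Parse two raw list snapshots (any format) and diff them."""
    return diff_blocklists(parse_blocklist(old_text), parse_blocklist(new_text))


# Constructed snapshots for the example; these are not real blocklist contents.
OLD_SNAPSHOT = """\
# hosts-format snapshot (constructed)
127.0.0.1 localhost
0.0.0.0 ads.example.net
0.0.0.0 metrics.example.net   # telemetry endpoint
0.0.0.0 tracker.example.org
0.0.0.0 beacon.tracker.example.org
"""

NEW_SNAPSHOT = """\
[Adblock Plus 2.0]
! the same list a week later, now published in adblock syntax (constructed)
||ads.example.net^
||metrics.example.net^$third-party
||cdn-pixel.example.com^
example.org##.sponsored
"""

if __name__ == "__main__":
    report = diff_snapshots(OLD_SNAPSHOT, NEW_SNAPSHOT)
    print("added:  ", report["added"])
    print("removed:", report["removed"])
    print("unchanged entries:", report["unchanged"])
```

Feeding two downloads of the same list a week apart into `diff_snapshots` answers the question the article raises: when an app breaks after a list update, the `added` entries are the first place to look for the domain that needs an allowlist exception.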
Enabling all of the available block lists almost guarantees that you'll break something. So I did that.
One evening, on NextDNS page, I enabled dozens – almost all of the available blocklists – excluding three: “No Google,” “No Facebook,” which would obviously disrupt the services, and 1Hosts (Xtra), which is very aggressive and tailored for “tech-savvy users requiring maximum blocking, even if it breaks a few things (occasionally).”
The next morning, my girlfriend came to me with her phone.
“Why my Facebook looks like this?” she asked.
Her app lacked a section for stories.
“I also can’t hide posts anymore.”
The same was true for Instagram—she couldn’t view reels. I explained the experiment and promised to fix this quickly.
The simplest fix was to add the blocked specific domains to the “allowlist.” I opened NextDNS, checked the logs section, and here they were. You can find blocked subdomains, and it is easy to “allow” them with a few clicks.
But that wasn’t the only thing I broke. My girlfriend couldn’t log in to any apps or websites using her Google account, and she also lost access to several news sites that she’s subscribed to.
Again, I was patiently scrolling through the logs and adding domains to the allowlist one by one.
“So you’re obviously keeping track of what I do on the computer, huh?” she suddenly asked. “Well, damn, I don’t feel safe in my own home anymore.”
Suddenly, it dawned on me that technically, yes — I do, even if I didn’t mean to. All the security improvements made her feel less secure.
I tried to explain to her that I had just checked the logs to enable services for her, and visibility is only limited to top-level domains and some subdomains. Her traffic is still encrypted (HTTPS). But it was too late. She no longer wanted to continue, and I had to stop.
To the trash bin go my other defense plans, such as installing Suricata or Snort (a network intrusion detection and prevention system), which I don’t need, but want.
Still, the intended part of the experiment reveals that you can quite effectively filter out a lot of unwanted traffic. In our home network case, around 75% of all the queries coming from my network were blocked, without much effect on the real internet usage. I am still looking for things that are broken.

The other conclusion is that too much filtering can create trust issues. Worse, it shows that any router can be used to track users and leave them vulnerable to other attacks. Relying on default DNS settings can leave you exposed.
Don’t trust public WiFi, or anyone, even your boyfriend: set up your own DNS settings, and, preferably, use a VPN
Any router can be used to log users' internet history and even attempt many kinds of cyberattacks. They can intercept network packets and extract information from them.
The WiFi in your cafe can perform DNS hijacking and spoofing, redirecting your requests to malicious websites, attempt man-in-the-middle attacks, intercept your traffic, or distribute malware.
Nowadays, most web traffic goes through the HTTPS protocol and is encrypted, which makes it very hard to intercept any information. But many risks remain.
All modern devices come out of the box with no DNS settings—they expect the Internet Service Provider (ISP) or mobile carrier to provide them.
If you don’t want intermediaries sniffing your network traffic, you must change the device's DNS settings.
Preferably, use a secure, encrypted DNS service, such as DNS over HTTPS or DNS over TLS. This will hide your queries from an ISP or a tech-savvy partner.
On a Windows computer, go to Settings, choose Network & Internet, locate and select the internet connection you want to adjust (Wi-Fi, Ethernet, or both). Then go to Hardware properties, find “DNS Server Assignment,” and click “Edit.” You can set the preferred DNS server to “1.1.1.1” and the alternate DNS to “1.0.0.1.” Both will direct to a free, private Cloudflare DNS service that doesn’t log browsing history.
Alternatively, you can use Google’s DNS servers, “8.8.8.8” and “8.8.4.4” respectively, or any other DNS service of your choice.
Then do the same on your phone, tablet, and other devices. Google provides detailed guides on how to change DNS servers on Android, iOS, and other systems, here.
Even with your DNS settings changed, the compromised public WiFis and other routers will be able to track IP addresses you connect to. DNS won’t protect you from leaking non-encrypted traffic and other metadata about your internet usage. For that, you need a VPN service that routes and encrypts your traffic through a proxy.
Quality VPNs usually handle DNS too, and force all the DNS traffic through their tunnel.
Disclaimer: The experiment did not affect my relationship with my girlfriend. We trust each other, and I had her consent to implement the described network improvements. I hope this will convince her to change her DNS settings. Meanwhile, our home network will implement a no-logs policy.