With a DNS whitelist, all incoming packets are dropped unless the address is on the list. It is like ad block, but reversed. You are not blocking known ad servers, but all servers except those you actually want to connect to. It is a pain in the ass to look at logs and white list all the time. In reality, you only visit around a hundred sites or less that you actually need or want to connect to. Nothing gets in except what you want. That kills most vulnerabilities.
DNS whitelist firewall on a router. Deny everything that is not whitelisted by address and port.
Most spyware traffic likely goes through ports 80 and 443 anyway. A firewall on the router won’t help there.
With a DNS whitelist, all incoming packets are dropped unless the address is on the list. It is like ad block, but reversed. You are not blocking known ad servers, but all servers except those you actually want to connect to. It is a pain in the ass to look at logs and white list all the time. In reality, you only visit around a hundred sites or less that you actually need or want to connect to. Nothing gets in except what you want. That kills most vulnerabilities.