• 𞋴𝛂𝛋𝛆@lemmy.world
    6 hours ago

    With a DNS whitelist, all incoming packets are dropped unless the address is on the list. It is like ad block, but reversed. You are not blocking known ad servers, but all servers except those you actually want to connect to. It is a pain in the ass to look at logs and whitelist all the time. In reality, you only visit around a hundred sites or less that you actually need or want to connect to. Nothing gets in except what you want. That kills most vulnerabilities.
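
The allowlist-plus-log-review routine from the comment above, as an added example that is not part of the original comment: a default-deny check on DNS query names and a triage pass that ranks denied names for review. The allowlist entries, the log format and the sample lines are constructed assumptions, and the sketch assumes the list is enforced on query names at the resolver.

```python
from collections import Counter

# Hypothetical allowlist: each entry permits the name itself and its subdomains.
ALLOWLIST = {"example.org", "lemmy.world", "updates.example.net"}

def normalize(name: str) -> str:
    """Lower-case and strip the trailing root dot so comparisons are stable."""
    return name.strip().lower().rstrip(".")

def is_allowed(qname: str, allowlist=ALLOWLIST) -> bool:
    """Default deny: allow only an exact match or a subdomain of an entry.

    Matching walks label boundaries, so 'notexample.org' does not match
    'example.org' the way a naive endswith() check would.
    """
    labels = normalize(qname).split(".")
    return any(".".join(labels[i:]) in allowlist for i in range(len(labels)))

def triage(log_lines, allowlist=ALLOWLIST):
    """Count denied query names so the most-requested ones get reviewed first."""
    denied = Counter()
    for line in log_lines:
        fields = line.split()
        if len(fields) != 4 or fields[2] != "query":
            continue  # skip lines that are not in the constructed format
        qname = normalize(fields[3])
        if not is_allowed(qname, allowlist):
            denied[qname] += 1
    return denied.most_common()

# Constructed sample log, format: "<time> <client> query <name>"
SAMPLE_LOG = """\
10:00:01 192.0.2.10 query lemmy.world
10:00:02 192.0.2.10 query cdn.example.org.
10:00:03 192.0.2.10 query tracker.adnet.test
10:00:04 192.0.2.11 query notexample.org
10:00:05 192.0.2.11 query Tracker.AdNet.test.
10:00:06 192.0.2.11 malformed
""".splitlines()

if __name__ == "__main__":
    for name, count in triage(SAMPLE_LOG):
        print(f"{count:3d}  {name}")
```

Each denied name in the output is a review decision: add it to the allowlist only after confirming which device asked for it and why.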