OK, yes, if you are the IT dept, you are on the hook. At least if you are the ones who picked Windows. But maybe you didn't and strategically protested the directive to use Windows that came from up above. Then again, you don't really have to care, not your problem...
It is your problem because IT’s job is to prevent this stuff from happening. It doesn’t matter if the order came down from above, you need to do what you can to mitigate damage.
There is a world of difference between "job" (try to do it properly) and "responsibility" (you are on the hook if things go wrong). If the order came from above and you pointed out the problems, it might still be your job. But not your responsibility.
You buy support contracts and software from Microsoft so you don't have to care. If Microsoft fails like in this case, you just shouldn't give them money. In all cases, no need to ask anyone but Microsoft for a workaround or other info.
Why even bother reading anything on this site or commenting here when you can always just go to the source or manufacturer? Obviously, you have all of the answers anyway. It's clear no one here has anything to offer you. The rest of us, however, find value in understanding the experiences of others.
There’s considerable precedent for seeding IP lists or using stealthy tactics (e.g. imagine how it’d be trying to block something which searches Google or Twitter, hits a random ad network).
Fair enough. On the other hand it can also prevent users from stumbling upon malware distribution sites by both blocking them directly and secondly blocking advertisements that often link to malware.
All of this of course is part of defense in depth, multiple layers of incomplete protection is better than nothing at all.
Oh definitely, I'm not saying that there's _no_ benefit — the key point is the distinction between something which you control to something you don't. DNS filtering is good for clients you control but it's important to understand that you can't force malware to use it to avoid accidentally thinking that you're protected against other threats (which I've heard various times from people who should know better but weren't thinking about it carefully in-depth at the time).
Isn't PiHole some kind of external firewall?
That works for 90% of the average-joe known botnets against a desktop PC, but it's not helpful for laptops / unknown-control endpoints (or endpoints that are really good at hiding).
You can use PiHole or one of the many equivalents on a laptop or other location shifting device in a few ways:
1. Run it locally and have it configured to use a public name server as its source (if you run Windows/other there are no doubt native options that'll work this way too). Even if the network you connect to redirects requests to public DNS resolvers you'll still be going through your local filter. Though you'll need to set your machine to ignore DNS config via DHCP, and you'll have to point it at the local resolvers if the network simply blocks public DNS servers.
2. Run it in a VM or container; this would mean you can run PiHole specifically even if you are running Windows, and configure it as above. Memory requirements are pretty low, so unless you are using a very low-spec device it should fit.
3. If you have a hosted server (you can get a VPS big enough for PiHole for a few $/year) or a publicly addressable address at home, you can run a VPN and access it that way (assuming the network you are on does not block your VPN of choice of course). You don't have to run a VPN, but I'd not recommend running a publicly addressable DNS server. This will even work on phones depending on the OS there and the chosen VPN.
Of course these are not viable options for a less techie user.
PiHole is a network wide ad blocker that works at the DNS level. Basically you route all of your network's DNS requests through PiHole and it blocks any domains that are known ad/malware domains.
Aside from using IPs directly, modern malware often uses an algorithm to generate domain names for C&C communication. Good luck trying to use a domain whitelist on the modern internet, because web developers seem to actively fight against such a concept by using every domain they possibly can.
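To make the two points above concrete (DNS-level blocking against a known-bad list, and why algorithmically generated C&C names slip past such a list), here is an added example that is not from the thread or from the Pi-hole project: it parses constructed dnsmasq/Pi-hole-style query log lines, applies a constructed blocklist, and flags the remaining names with a simple DGA-style heuristic (length, entropy, digit ratio, consonant runs). The log format, blocklist and thresholds are assumptions for illustration.

```python
import math
import re
from collections import Counter

# Constructed sample lines in the dnsmasq/Pi-hole query-log style (not a real capture).
SAMPLE_LOG = """\
Mar  3 10:01:02 dnsmasq[812]: query[A] www.example.com from 192.168.1.20
Mar  3 10:01:03 dnsmasq[812]: query[A] ads.tracker-example.net from 192.168.1.20
Mar  3 10:01:05 dnsmasq[812]: query[A] xk3q9vz7pl2mwd8.com from 192.168.1.31
Mar  3 10:01:06 dnsmasq[812]: query[AAAA] mail.example.org from 192.168.1.31
Mar  3 10:01:07 dnsmasq[812]: query[A] qwplfjdhgbzxmnv.info from 192.168.1.31
"""

# Constructed stand-in for the ad/malware domain lists Pi-hole loads.
BLOCKLIST = {"ads.tracker-example.net"}

QUERY_RE = re.compile(r"query\[\w+\] (\S+) from (\S+)")

def parse_queries(log_text):
    """Yield (domain, client) per query line; other dnsmasq lines are skipped."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group(1).lower().rstrip("."), m.group(2)

def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def dga_score(domain):
    """Count DGA-typical traits of the registrable label (illustrative heuristic only)."""
    labels = domain.split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    score = 0
    score += len(label) >= 12                                   # unusually long label
    score += shannon_entropy(label) > 3.5                       # near-random characters
    score += sum(ch.isdigit() for ch in label) / max(len(label), 1) > 0.2
    score += re.search(r"[bcdfghjklmnpqrstvwxz]{5,}", label) is not None
    return int(score)

def classify(log_text, blocklist=BLOCKLIST, threshold=2):
    """Map each queried domain to 'blocked', 'suspicious' (heuristic fired) or 'allowed'."""
    verdicts = {}
    for domain, _client in parse_queries(log_text):
        if domain in blocklist:
            verdicts[domain] = "blocked"
        elif dga_score(domain) >= threshold:
            verdicts[domain] = "suspicious"
        else:
            verdicts[domain] = "allowed"
    return verdicts
```

The blocklist catches only the name it already knows; the two random-looking labels are never on any list and are only surfaced by the heuristic, which is the gap the comment above describes.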