My networking knowledge is not good, so maybe it’s nonsense indeed. I just thought if everyone in the network knows what is blocked then DDoS protection could be distributed because every “reputable” switch/router in the network can block connection as early as possible without hopping close to destination creating unnecessary traffic

I’m wondering can DNS be extended to handle blacklisting. It already has some level of security resolving “C should have no control over A and B communication”.