Allow and Block Lists

Article author
Joshua Lamb

The Allow list and Block list areas of a policy allow you to have complete control over your query traffic by defining lists of domains that you wish to allow/deny. Even Internationalized Domain Names can be blocked. Remember the rule that Allow list always wins!

Domains are added to Allow list and Block list based on their Fully-Qualified Domain Name (FQDN), using the convention subdomain.example.org. Domains can be allowed or blocked at every level of the hierarchy:

  • subdomain.example.org - Would allow/block a particular subdomain.
  • example.org - Would allow/block an entire domain name.
  • org - Would allow/block all .org Top-Level Domains (TLDs).

Below is a comparison between proper and improper entries.

| Incorrect | Correct | Explanation |
|---|---|---|
| www.yahoo.com | yahoo.com | The WWW prefix is unnecessary and would only block the WWW subdomain. |
| https://facebook.com | facebook.com | URLs are not accepted by DNSFilter. Entries must be FQDNs. |
| 198.251.90.71 | example.org | IP addresses are inadvisable because they may change and filtering would be circumvented. |
| *.ru | ru | Top-level domains may be blocked simply by their name, such as “ru, cn, tr”. |

Allow / Block List FAQs

  • Adding a domain name or Top-Level Domain (TLD) will block the domain and all subdomains, except for some sites in which a subdomain is classified differently by DNSFilter than the parent domain.

  • When you add a domain to an Allow list or Block list, DNSFilter automatically also includes the WWW subdomain. Thus, you may simply add “facebook.com” and “www.facebook.com” will also be included. Prepending WWW will actually function as a subdomain-level block, where a domain-level block is what is usually desired.

  • There is a specific order as to how categories, allow list entries, and block list entries are treated. The important rule of thumb is that the Allow List Always Wins. Below is the order of priority:

    • Allow List
    • Block List
    • Filtering Category
    • Uncategorized Domains
  • When a domain resolves to a CNAME record instead of an A record, the endpoint will do a second lookup for that CNAME record (and will continue doing so for any nested CNAME records). If any of the resulting CNAMEs fall in a category that is blocked by the policy's blocked categories, or are on the policy's Block list, the block page IP will be returned immediately instead of the CNAME record's actual value. As such, when attempting to allow a domain, it's also suggested to allow all the CNAMEs in the chain as well.

CSV Upload / Download

The CSV Upload/Download feature of the Allow list/Block list allows you to upload or download a list of domain names for mass addition to your policy or for export. You can upload a list of 2000 domains at a time.

The recommended procedure for making the list is to create a simple text file, with one domain per line, and save it with the .csv file extension.
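
A way to prepare such a file from a raw list before upload, shown as an added example (not DNSFilter's own code). It applies the entry rules from the comparison table above and splits the result into 2000-entry uploads; the function names and the sample input are assumptions made for illustration.

```python
import ipaddress

MAX_PER_UPLOAD = 2000  # upload size given in the article
# Constructed sample input, built from the article's "Incorrect" column.
SAMPLE = ["www.yahoo.com", "https://facebook.com", "198.251.90.71", "*.ru", "example.org"]


def normalize_entry(raw):
    """Return (entry, note); entry is None when the line needs manual review."""
    s = raw.strip().lower()
    if not s:
        return None, "empty line"
    note = ""
    if "://" in s:  # a URL was pasted; keep only the host part
        s, note = s.split("://", 1)[1], "URL reduced to host name"
    s = s.split("/")[0].rstrip(".")
    if s.startswith("*."):  # wildcard form such as *.ru
        s, note = s[2:], "wildcard prefix removed"
    try:
        ipaddress.ip_address(s.strip("[]"))
        return None, "IP address: list the domain name instead"
    except ValueError:
        pass
    if s.startswith("www.") and s.count(".") >= 2:
        s, note = s[4:], "www removed so the entry covers the whole domain"
    if not s or any(c in s for c in " :@,") or ".." in s:
        return None, "not a plain domain name"
    return s, note


def build_batches(lines, batch_size=MAX_PER_UPLOAD):
    """Normalize, de-duplicate (order kept) and split into upload-sized lists."""
    kept, rejected = {}, []
    for raw in lines:
        entry, note = normalize_entry(raw)
        if entry is None:
            rejected.append((raw.strip(), note))
        else:
            kept.setdefault(entry, note)
    entries = list(kept)
    batches = [entries[i:i + batch_size] for i in range(0, len(entries), batch_size)]
    return batches, rejected


def to_csv_text(batch):
    """One domain per line, as recommended for the .csv file."""
    return "\n".join(batch) + "\n"
```

Review the rejected lines by hand rather than dropping them: an IP address or a line carrying extra columns usually means the source list was tracking something other than a domain name.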

Add Notes to Allow and Block Lists

The ability to add notes to both the Allow and Block lists is the 11th most requested feedback item in our Feature Request portal. You can now add detailed notes to record why specific domains were added to a policy, allowing you to reference internal tickets, tools, etc.

  1. When navigating to the Allow or Block list, there is a new column called Notes
  2. When adding a domain to either the Allow or Block list, you will now have the ability to optionally add Notes within the same pop-up.

Please note: The Notes field is not a requirement when allowing or blocking domains. There is currently a 512-character limit for notes. The CSV Import currently does not support notes. The note is specific to the action of adding a domain, not the domain itself. This means that if the domain is deleted and later added again, the note will not transfer. Additionally, Notes are not viewable in other areas of the product, such as the Policy Audit Log.

Adding to the Allow and Block list from the Query Log

You can now quickly add domains to your Policy's Block or Allow lists from the Query Log with our new shortcut actions! Go to Tools → Query Log and, for each query, choose from the actions menu to add the domain to, or remove it from, one or more of your Policies or your Universal Lists.
