The Allow list and Block list areas of a policy allow you to have complete control over your query traffic by defining lists of domains that you wish to allow/deny. Even Internationalized Domain Names can be blocked. Remember the rule that Allow list always wins!
Domains are added to Allow list and Block list based on their Fully-Qualified Domain Name (FQDN), using the convention subdomain.example.org. Domains can be Allowed or blocked at every level of the hierarchy:
- subdomain.example.org - Would allow/block a particular subdomain.
- example.org - Would block an entire domain name.
- org - Would block all
.orgTop-Level Domains (TLDs)
Below is a comparison between proper and improper entries.
|www.yahoo.com||yahoo.com||The WWW is contraindicative because it is not necessary and would only block the WWW subdomain|
|https://facebook.com||facebook.com||URLs are not accepted by DNSFilter. Entries must be FQDNs|
|188.8.131.52||example.org||IP Addresses are inadvisable because they may change and filtering would be circumvented|
|*.ru||ru||Top-level domains may be blocked simply by their name, such as "ru, cn, tr"|
Allow / Block List FAQs
Adding a domain name, or Top-Level Domain (TLD) will block the domain and all subdomains, except for some sites in which a subdomain is classified differently by DNSFilter than the parent domain.
When you add a domain to an Allow list or Block list, DNSFilter automatically also blocks the WWW subdomain. Thus you may simply add "facebook.com" and "www.facebook.com" will also be included. Prepending WWW will actually function as a subdomain-level block where a domain-level block is what is usually desired.
There is a specific order as to how categories, allow list entries, and block list entries are treated. The important rule of thumb is that the Allow List Always Wins. Below is the order of priority:
- Allow List
- Block List
- Filtering Category
- Uncategorized Domains
When a domain resolves to a CNAME record instead of an A record, the endpoint will do a second lookup for that CNAME record (and will continue doing so for any nested CNAME records). If any of the resulting CNAMEs are categorized as in a category that is blocked based on the policy's blocked categories or the policy's Block list, the block page IP will be immediately returned instead of the CNAME record's actual value. As such, in cases when attempting to allow a domain, it's also suggested to allow all of the CNAMEs in the chain as well.
CSV Upload / Download
The CSV Upload/Download feature of the Allow list/Block list allows you to upload or download a list of domain names for mass addition to your policy or for export. You can upload a list of 2000 domains at a time.
The recommended procedure for making the list is to create a simple text file, with one domain per line, and save it with the .csv file extension.
Add Notes to Allow and Block Lists
The ability to add notes to both the
Block lists is the 11th most requested feedback item in our Feature Request portal. You can now add detailed notes so that you can memorize why specific domains were added to a policy, allowing you to reference internal tickets, tools, etc.
- When navigating to the
Blocklist there is a new column called
- When adding a domain to either the
Blocklist, you will now have the ability to optionally add
Noteswithin the same pop-up.
Please note: The Notes field is not a requirement when allowing or blocking domains. There is currently a 512-character limit for notes. The CSV Import currently does not support notes. The note is specific to the action of adding a domain, not the domain itself. What this means is that, if the domain is deleted, and later added, the note would not transfer. Additionally, Notes are not viewable in other areas of the product, such as the Policy Audit Log.
Article is closed for comments.