Allow and Block Lists

Article author
Josh Lamb
  • Updated

The Allow list and Block list areas of a policy allow you to have complete control over your query traffic by defining lists of domains that you wish to allow/deny. Even Internationalized Domain Names can be blocked. Remember the rule that Allow list always wins!


Domains are added to Allow list and Block list based on their Fully-Qualified Domain Name (FQDN), using the convention Domains can be Allowed or blocked at every level of the hierarchy:

  • - Would allow/block a particular subdomain.
  • - Would block an entire domain name.
  • org - Would block all .org Top-Level Domains (TLDs)

Below is a comparison between proper and improper entries.

Incorrect Correct Explanation The WWW contraindicative because it is not necessary and would only block the WWW subdomain URLs are not accepted by DNSFilter. Entries must be FQDNs IP Addresses are inadvisable because they may change and filtering would be circumvented
*.ru ru Top-level domains may be blocked simply by their name, such as "ru, cn, tr"

Allow / Block List FAQs

  • Adding a domain name, or Top-Level Domain (TLD) will block the domain and all subdomains, except for some sites in which a subdomain is classified differently by DNSFilter than the parent domain.

  • When you add a domain to a Allow list or Block list, DNSFilter automatically also blocks the WWW subdomain. Thus you may simply add "" and "" will also be included. Prepending WWW will actually function as a subdomain-level block where a domain-level block is what is usually desired.

  • There is a specific order as to how categories, allow list entries, and block list entries are treated. The important rule of thumb is that the Allow List Always Wins. Below is the order of priority:

    • Allow List
    • Block List
    • Filtering Category
    • Uncategorized Domains
  • When a domain resolves to a CNAME record instead of an A record, the endpoint will do a second lookup for that CNAME record (and will continue doing so for any nested CNAME records). If any of the resulting CNAMEs are categorized as in a category which is blocked based on the policy's blocked categories or the policy's Block list, the block page IP will be immediately returned instead of the CNAME record's actual value. As such, in cases when attempting to allow a domain, it's also suggested to allow all of the CNAMEs in the chain as well.

CSV Upload / Download

The CSV Upload/Download feature of the Allow list/Block list allow you to upload or download a list of domain names for mass addition to your policy or for export. You can upload a list of 500 domains at a time.


The recommended procedure for making the list is to create a simple text file, with one domain per line and to save it as .CSV.

Add Notes to Allow and Block Lists

The ability to add notes to both the Allow and Block lists is the number 11th most requested feedback item in our Feature Request portal. You can now add detailed notes so that you can memorize why specific domains were added to a policy, allowing you to reference internal tickets, tools, etc.

  1. When navigating to the Allow or Block list there is a new column called Notes
    User-uploaded Image
  2. When adding a domain to either the Allow or Block list, you will now have the ability to optionally add Notes within the same pop-up.
    User-uploaded Image

Please note: The Notes field is not a requirement when allowing or blocking domains. There is currently a 512 character limit to the Notes section. The CSV Import currently does not support notes. Tool Tip is updated to include this information. The note is specific to the action, not the domain. For example, if the domain is deleted, and later added, the note would not transfer. Additionally, Notes are not viewable in other areas of the product, such as the Policy Audit Log.

Was this article helpful?

5 out of 6 found this helpful

Have more questions? Submit a request



Article is closed for comments.