Allow and Block Lists

Article author
Josh Lamb
  • Updated

The Allow list and Block list areas of a policy allow you to have complete control over your query traffic by defining lists of domains that you wish to allow/deny. Even Internationalized Domain Names can be blocked. Remember the rule that Allow list always wins!

cba160f-wlbl.png__999_507__2021-05-21_13-28-48.png

Domains are added to Allow list and Block list based on their Fully-Qualified Domain Name (FQDN), using the convention subdomain.example.org. Domains can be Allowed or blocked at every level of the hierarchy:

  • subdomain.example.org - Would allow/block a particular subdomain.
  • example.org - Would block an entire domain name.
  • org - Would block all .org Top-Level Domains (TLDs)

Below is a comparison between proper and improper entries.

Incorrect Correct Explanation
www.yahoo.com yahoo.com The WWW contraindicative because it is not necessary and would only block the WWW subdomain
https://facebook.com facebook.com URLs are not accepted by DNSFilter. Entries must be FQDNs
198.251.90.71 example.org IP Addresses are inadvisable because they may change and filtering would be circumvented
*.ru ru Top-level domains may be blocked simply by their name, such as "ru, cn, tr"

Allow / Block List FAQs

  • Adding a domain name, or Top-Level Domain (TLD) will block the domain and all subdomains, except for some sites in which a subdomain is classified differently by DNSFilter than the parent domain.

  • When you add a domain to a Allow list or Block list, DNSFilter automatically also blocks the WWW subdomain. Thus you may simply add "facebook.com" and "www.facebook.com" will also be included. Prepending WWW will actually function as a subdomain-level block where a domain-level block is what is usually desired.

  • There is a specific order as to how categories, allow list entries, and block list entries are treated. The important rule of thumb is that the Allow List Always Wins. Below is the order of priority:

    • Allow List
    • Block List
    • Filtering Category
    • Uncategorized Domains

  • When a domain resolves to a CNAME record instead of an A record, the endpoint will do a second lookup for that CNAME record (and will continue doing so for any nested CNAME records). If any of the resulting CNAMEs are categorized as in a category which is blocked based on the policy's blocked categories or the policy's Block list, the block page IP will be immediately returned instead of the CNAME record's actual value. As such, in cases when attempting to allow a domain, it's also suggested to allow all of the CNAMEs in the chain as well.

CSV Upload / Download

The CSV Upload/Download feature of the Allow list/Block list allow you to upload or download a list of domain names for mass addition to your policy or for export. You can upload a list of 500 domains at a time.

Filtering___DNSFilter_2021-05-21_13-41-52.png

The recommended procedure for making the list is to create a simple text file, with one domain per line and to save it as .CSV.

Was this article helpful?

1 out of 2 found this helpful

Have more questions? Submit a request

Comments

0 comments

Article is closed for comments.