This article covers the what, why, and how of Allow and Block lists, the section of Filtering Policies used to customize what end users can and can't access.
Use Allow and Block lists to completely control query traffic by defining lists of domains to allow or deny in your organization's environment. Even Internationalized Domain Names can be added, making these lists a key component of your network's security.
Review the Filtering Policy hierarchy before creating Allow/Block lists to make sure the policy configuration meets your desired outcomes.
Allow/Block List entry format
Add up to 15,000 domains to the Allow list and Block list based on their Fully-Qualified Domain Name (FQDN), using the convention subdomain.example.org. Domains can be allowed or blocked at every level of the hierarchy:
subdomain.example.org | Allows/Blocks a particular subdomain |
example.org | Allows/Blocks an entire domain name |
org | Allows/Blocks all .org Top-Level Domains (TLDs) |
Failure to follow this format can result in network error messages or the domains not being allowed/blocked by the policy.
FQDN formatting basics
Correct Format | Incorrect Format | Details |
✅ yahoo.com | ❌ www.yahoo.com | DNSFilter automatically also blocks the WWW subdomain. Thus, add yahoo.com to the list and www.yahoo.com will also be included. Prepending WWW will actually function as a subdomain-level block, where a domain-level block is what is usually desired |
✅ facebook.com | ❌ https://facebook.com | URLs are not accepted by DNSFilter. Entries must be FQDNs |
✅ example.org | ❌ 198.251.90.71 | IP Addresses are inadvisable because they may change and filtering would be circumvented |
✅ ru | ❌ *.ru | Block TLDs by their name, e.g. ru, cn, tr 🚨 Important: Do not add the "." to TLD entries. This will cause an error |
✅ ingest.sentry.io | ❌ %2a.ingest.sentry.io | Avoid special characters at the beginning or end of the FQDN |
Allow/Block list formatting scenarios
How do I? | Description |
Allow/Block all subdomains of a website | Add the domain name or TLD to the Allow/Block list. This will allow/block all subdomains, except for some websites in which a subdomain is classified differently by DNSFilter than the parent domain. |
Allow/Block CNAME records | Add all the CNAMEs in the chain to the Allow or Block list, or allow/block the associated category in the Filtering Policy. |
Fix an error message | An error message typically means one of two things happened: an entry was added in an incorrect format, or an entry was added to multiple lists, e.g. the Universal Allow list and an organization's Block list. See our troubleshooting articles for assistance if you receive a network error or duplicate entry error message while updating these lists. |
Add to Allow or Block Lists
Upload entries to the Allow/Block list in 3 different ways:
Add an individual entry
Add entries one at a time when including a note or completing quick requests to modify access.
- From the DNSFilter dashboard, navigate to Policies and select Filtering
- Select the Policy to edit, or select Add to create a new policy
- Tab to Allow List or Block List
- Select Add Domain
- Enter the FQDN
- Add a note (if applicable)
- Select Save
The domain will populate on the list and apply to the policy.
List Entry Notes Details
The Notes field is useful for recording why specific domains were added to a policy, e.g. internal ticket request, tools/software-related domain, etc.
Notes are optional and limited to 512 characters. A note cannot be edited; delete and re-add the entry to change it.
The note is not linked to the domain itself, which means that if a domain is deleted from a list and later re-added, the note will not re-populate.
Notes do not appear in other areas of the app, such as the DNS Query Log or Policy Audit Log.
CSV imports do not support notes.
Import a .CSV list
Add list entries in bulk (up to 2,000 entries at a time) with the Import CSV button.
- Create a list of the domains to allow/block as a simple text file in a program like Google Sheets or Microsoft Excel, entering one domain per line
- Save the file as .CSV
- Navigate to the DNSFilter dashboard and select Policies > Filtering
- Select the Policy to edit, or select Add to create a new policy
- Tab to Allow List or Block List
- Select Import CSV
- Select the .csv file
- Select Open
The domains will populate on the list and apply to the policy.
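A pre-import check for the CSV, applying the entry-format rules from the formatting table above and the 2,000-entry import limit. This is an added example, not DNSFilter code: the names `check_entry`, `lint_list` and `SAMPLE` are hypothetical, and the label rule (letters, digits and inner hyphens only) and the in-file duplicate skip are assumptions.

```python
import csv, io, ipaddress, re

MAX_PER_IMPORT = 2000  # CSV import limit stated on this page
MAX_PER_LIST = 15000   # per-list limit stated on this page
# Assumption: letters, digits and inner hyphens only (conservative label rule).
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def check_entry(raw):
    """Return (ok, reason) for one candidate list entry."""
    entry = raw.strip().lower()
    if not entry:
        return False, "empty"
    if "/" in entry:
        return False, "URL or path, not an FQDN"
    try:
        ipaddress.ip_address(entry)
        return False, "IP address"
    except ValueError:
        pass
    if entry.startswith(".") or entry.endswith("."):
        return False, "leading or trailing dot"
    try:  # IDNs are checked in their ASCII (punycode) form
        ascii_form = entry.encode("idna").decode("ascii")
    except UnicodeError:
        return False, "invalid label"
    if not all(LABEL.match(label) for label in ascii_form.split(".")):
        return False, "special character"
    if entry.startswith("www."):
        return False, "www prefix narrows the match to a subdomain"
    return True, "ok"

def lint_list(text):
    """Return (accepted, rejected, batches) for one-domain-per-line CSV text."""
    accepted, rejected = [], []
    for row in csv.reader(io.StringIO(text)):
        raw = row[0].strip() if row else ""
        ok, reason = check_entry(raw)
        if ok and raw.lower() not in accepted:
            accepted.append(raw.lower())
        elif not ok and raw:
            rejected.append((raw, reason))
    if len(accepted) > MAX_PER_LIST:
        raise ValueError("more entries than one list can hold")
    batches = [accepted[i:i + MAX_PER_IMPORT]
               for i in range(0, len(accepted), MAX_PER_IMPORT)]
    return accepted, rejected, batches

# Constructed sample input, using the entries from the formatting table.
SAMPLE = "yahoo.com\nwww.yahoo.com\nhttps://facebook.com\n198.251.90.71\nru\n*.ru\n%2a.ingest.sentry.io\n"
```

Each item in `batches` can be saved as its own .CSV file and imported separately; review `rejected` before importing so a mistyped entry does not silently leave a domain unfiltered.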
Export Allow or Block Lists
Export a .csv file of the full Allow or Block domain list of any Filtering Policy from the dashboard. Notes and Categories are not included in this download.
- Navigate to the policy's Allow List or Block List
- Select Export CSV
The file will download to the local device.