When using DNSFilter, you may notice a certificate error similar to the images below when attempting to visit a blocked domain over HTTPS:
Why does this happen?
If a domain is blocked, DNSFilter responds with the IP address of our block page server. If the blocked domain was accessed via HTTPS, the browser asks for the SSL certificate for that domain but receives a certificate for blocked.dnsfilter.com instead. The browser recognizes this as a name mismatch and displays an error. This effect is common to all content and security filtering solutions and is a consequence of how HTTPS works.
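The name check behind this error can be reproduced offline to tell a block-page mismatch apart from an unrelated certificate problem. This is an added example, not DNSFilter code; the function names and sample hosts are constructed, and only the name blocked.dnsfilter.com comes from the text above.

```python
# Added example: function names and sample data are constructed for illustration.
BLOCK_PAGE_NAME = "blocked.dnsfilter.com"  # certificate name stated in the article


def name_matches(pattern: str, host: str) -> bool:
    """Match one certificate DNS name against the requested host.

    Follows the common browser rule: a wildcard is only honoured as the
    entire left-most label and covers exactly one label.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Require at least two fixed labels so "*.com" never matches.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def classify(requested_host: str, cert_names: list[str]) -> str:
    """Classify the name check for a requested host and a presented certificate."""
    if any(name_matches(n, requested_host) for n in cert_names):
        return "match"
    if any(n.lower().rstrip(".") == BLOCK_PAGE_NAME for n in cert_names):
        # The filter answered DNS with its block page server.
        return "block-page-mismatch"
    return "other-mismatch"


# Constructed observations: (host the user typed, DNS names in the cert received)
SAMPLES = [
    ("www.example.com", ["example.com", "*.example.com"]),
    ("gambling.example.net", ["blocked.dnsfilter.com"]),
    ("intranet.example.org", ["router.local"]),
]

if __name__ == "__main__":
    for host, names in SAMPLES:
        print(f"{host:24} {names} -> {classify(host, names)}")
```

A "block-page-mismatch" result means the domain was blocked by policy; an "other-mismatch" result points to a different certificate problem that should be investigated separately.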
How can it be fixed?
If you manage the endpoints of the site, there are several options to easily deploy the SSL certificate. This is highly recommended because it allows your users to see the notification that a site is being blocked, instead of thinking that there is a problem with their browser or computer. Our Installing SSL Certificates article has several options to install the certificate.
If you have a site with unmanaged endpoints (Guest Wi-Fi etc.), you will likely not have the opportunity to deploy the certificate unless you provide instructions and the certificate to your user base through a captive portal, or provide education in some other manner. However, this SSL certificate is optional and only serves to provide the “You are blocked” notification. Blocking is active regardless of whether the certificate is installed.