In this article
Use this article to troubleshoot Filtering Policies when websites aren't loading as expected when added to the policy Allow List.
Difficulty loading complete websites is common because modern web pages pull in resources from several different domains on the web. HTML, Javascript, and CSS resources are often loaded from other domains or Content Distribution Networks (CDNs).
Sometimes, the main website is listed in the Allow list, but these other resources are not, which causes only part of the page to display. This is especially true of Social Media platforms and Streaming sites.
Use these best practices to resolve the issue. Note that these same principles apply to the opposite issue—websites added to the Block List that still partially load. Take action on the Block List instead of the Allow List in those instances.
Confirm the domain is on the Allow List
The first step is to confirm the Fully Qualified Domain Name (FQDN) of the website is on the policy Allow list. Be sure the FQDN is properly formatted, avoiding common errors like entering the full URL or IP Addresses.
Examine the DNS Query Log
Due to website resources being stored at different domains, using the DNS Query Log to fine tune the Allow List is an easy way to fix the issue. We'll use allowing access to Facebook while blocking the Social Networking category as an example.
Step one: Attempt to visit the website
It may take a long time to load, and in the end, not all of the elements may be present.
The image below is an example of what Facebook might look like as a partially loaded page:
Step two: Check the DNS Query Log
Wait about 5 minutes and refresh the DNS Query Log. Scan for facebook.com (the FQDN already on the Allow List), and near it should be other domains that are blocked.
The image below shows the issue: www.facebook.com and facebook.com are listed as Allowed, but connect.facebook.net and static.xx.fbcdn.net are Blocked by the Social Networking category.
Step three: Add blocked domains to the Allow List
Continue to test and add domains until the website functions completely as expected. Update the Allow List from the DNS Query Log Actions menu.
Optional Troubleshooting Processes
Use these additional processes before or after creating an Allow List to help capture all the necessary domains to prevent pages from not loading correctly.
Check for CNAMEs in the Domain Report tool |
CNAMEs can be categorized differently than the main domain, causing the page to not load properly. Search the FQDN with "www." in the Domain Report tool (e.g. www.facebook.com instead of facebook.com) to surface potential CNAMEs connected to the FQDN. Add the CNAMEs to the Allow List. |
Use a browser's Dev Tools to view the website sources |
Checking a website's sources surfaces similar information as the DNS Query Log, but you can use this process before ever forwarding DNS traffic to DNSFilter to prepare an Allow List.
Following the Facebook example, this image shows the same domains listed in the DNS Query Log plus additional resources that could influence the end-user experience. |
🚨 Important: Especially for Streaming or Social Networking sites, check the Dev Tool sources before and after logging in. Often websites use different resources for different page elements, e.g. login, home, marketplace, community, etc.
Related Troubleshooting
These related troubleshooting articles can help pinpoint and resolve the problem if it's determined that the issue is not due to Filtering Policies configurations:
- DNS requests time out
- Specific websites are slow or fail to load where others load without issue
- Everything except the images or ads load on the website
- Websites won't load on Apple devices or specifically in the Safari browser
Comments
0 comments
Please sign in to leave a comment.