Interaction between blocked and allowed domain names

A domain name consists of multiple levels, where a dot (.) separates each level. Consider the ‘cloud.openvpn.com’ domain name:

  • .com is the top-level domain (TLD)
  • .openvpn is the second-level domain
  • cloud is the third-level or sub-domain

The domain name matching logic checks domain names from right to left, starting from the TLD. Therefore, if you are using both Block List and Allow List, be careful when you are filtering on both domain and subdomain names.

The table below shows two configurations of a domain and subdomain used in both the Allow List and Block List. The results for each configuration are different.

| Config | Domain in Allow List | Domain in Block List | Result |
|--------|----------------------|----------------------|--------|
| A | google.com | mail.google.com | http://google.com ALLOWED. All subdomains are also allowed unless specifically configured in the Block List. http://mail.google.com BLOCKED. |
| B | mail.google.com | google.com | http://google.com BLOCKED. All subdomains are also blocked unless specifically configured in the Allow List. http://mail.google.com ALLOWED. |
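The following added example (not the product's own code) models the two configurations in the table, assuming that the most specific matching entry decides the result. The function names and the "NO MATCH" and "CONFLICT" results are assumptions made for this sketch; the page does not describe those cases.

```python
def labels_rtl(name):
    """Split a domain name into labels ordered right to left (TLD first)."""
    return name.strip().rstrip(".").lower().split(".")[::-1]


def match_depth(name, entry):
    """Return the label count of entry if it equals name or is a parent
    domain of name; return 0 if it does not match.

    Comparing whole labels (not raw string suffixes) keeps 'notgoogle.com'
    from matching an entry for 'google.com'.
    """
    n, e = labels_rtl(name), labels_rtl(entry)
    return len(e) if n[:len(e)] == e else 0


def decide(name, allow_list, block_list):
    """Assumption: the list holding the deepest (most specific) match wins."""
    best_allow = max((match_depth(name, e) for e in allow_list), default=0)
    best_block = max((match_depth(name, e) for e in block_list), default=0)
    if best_allow == 0 and best_block == 0:
        return "NO MATCH"   # assumption: neither list applies
    if best_allow == best_block:
        return "CONFLICT"   # assumption: same entry present in both lists
    return "ALLOWED" if best_allow > best_block else "BLOCKED"


# Constructed inputs mirroring Config A and Config B from the table.
CONFIG_A = {"allow_list": ["google.com"], "block_list": ["mail.google.com"]}
CONFIG_B = {"allow_list": ["mail.google.com"], "block_list": ["google.com"]}

if __name__ == "__main__":
    for label, cfg in (("A", CONFIG_A), ("B", CONFIG_B)):
        for host in ("google.com", "mail.google.com", "docs.google.com",
                     "smtp.mail.google.com", "notgoogle.com"):
            print(label, host, decide(host, **cfg))
```

Running a planned Allow List and Block List through a model like this before deployment shows which hosts under a shared parent domain end up on the unexpected side of the filter.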