
Interaction between blocked and allowed domain names

A domain name consists of multiple levels, where a dot (.) separates each level. Consider the ‘cloud.openvpn.com’ domain name:

  • .com is the top-level domain (TLD)

  • .openvpn is the second-level domain

  • cloud is the third-level or sub-domain

The domain name matching logic checks domain names from right to left, starting from the TLD. Therefore, if you are using both Block List and Allow List, be careful when you are filtering on both domain and subdomain names.

The table below shows two configurations of a domain and subdomain used in both the Allow List and Block List. The results for each configuration are different.


Configuration | Domain in Allow List | Domain in Block List
A | ALLOWED. All subdomains are also allowed unless specifically configured in the Block List | BLOCKED
B | BLOCKED. All subdomains are also blocked unless specifically configured in the Allow List | ALLOWED
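
The sketch below is an added example, not the product's own code. It models the two configurations in the table as right-to-left label matching where the most specific list entry wins, and reports entries that override a parent domain in the other list. The function names, the use of example.com, returning None for names in neither list, and rejecting a name present in both lists are assumptions of the example.

```python
# Added example: models the table above as longest-suffix matching.
# Assumptions: the most specific entry wins; names in no list return None.

def labels(name):
    """Split a domain into labels ordered right to left (TLD first)."""
    return name.lower().strip(".").split(".")[::-1]

def build(allow, block):
    """Build a trie keyed by labels from the TLD down; the None key holds a verdict."""
    root = {}
    for verdict, names in (("ALLOWED", allow), ("BLOCKED", block)):
        for name in names:
            node = root
            for label in labels(name):
                node = node.setdefault(label, {})
            if node.get(None, verdict) != verdict:
                raise ValueError(f"{name} is in both lists")
            node[None] = verdict
    return root

def decide(root, name):
    """Walk right to left; the deepest configured entry on the path wins."""
    node, verdict = root, None
    for label in labels(name):
        node = node.get(label)
        if node is None:
            break
        verdict = node.get(None, verdict)
    return verdict

def exceptions(allow, block):
    """Report entries that override a parent domain held in the other list."""
    found = []
    for subs, parents, verdict in ((allow, block, "ALLOWED"), (block, allow, "BLOCKED")):
        for sub in subs:
            for parent in parents:
                s, p = labels(sub), labels(parent)
                if len(s) > len(p) and s[:len(p)] == p:
                    found.append((sub, verdict, parent))
    return found

# Constructed sample lists using the reserved example.com domain.
CONFIG_A = build(allow=["example.com"], block=["shop.example.com"])
CONFIG_B = build(allow=["shop.example.com"], block=["example.com"])

if __name__ == "__main__":
    for host in ("example.com", "www.example.com", "shop.example.com"):
        print(host, decide(CONFIG_A, host), decide(CONFIG_B, host))
```

Running `exceptions()` over both lists before saving a change shows every subdomain entry that will behave differently from its parent domain.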