Configure DNS Filtering rules with the Rules tab on the DNS Filtering page. Here, assign rules to a Nebula policy, select which security and content categories to block, and specify domains to allow and block. Configuring access for a domain will include its subdomains, but configuring access for a subdomain will not include the entire domain.
CAUTION - Before configuring a DNS rule, enter global exclusions for your internal domains to prevent them from being restricted. For more information, see Create global DNS Filtering exclusions in Nebula.
Setup DNS Filtering rule
- On the left navigation menu, go to Monitor > DNS Filtering.
- In the top left, select the Rules tab.
- In the top right, click Add DNS rule.
- Enter a name for the DNS Rule.
- Select one or more policies.
- Click Next to go to the Block List.
Block list
Blocked items cannot be accessed on endpoints covered by the Nebula policy and DNS filtering rule.
- Use a template to quickly apply a set of recommended content categories. Click Preview to see which content categories are included in each template or view this article, then click Apply to add them to the block list.
- Use the drop-down to block:
- Domain or subdomain: Enter specific domain or subdomains and click Add. Full URL-path blocking is not supported.
- Top level domain: Enter a top level domain such as xyz and click Add.
- Resolved IP address: Enter a specific IP address and click Add.
-
Content categories: Each domain falls into one or more content categories. Select which categories of content to block, such as advertisements or profanity and click Add.
- Blocking content categories such as Technology may cause popular business domains to be stopped mistakenly. For more information, see Technology content category
- Security categories: Security categories are pre-selected for you. For more information on each, see Security categories and determine whether any should be removed.
- Click Next to proceed to the Allow List.
Allow list
Add domains and IP addresses to the Allow list to make exceptions to the Block list.
- Enter domains, subdomains, or IP addresses to allow and click Add.
- Once complete, click Next.
- Review the rule and click Save rule once complete.
Notes
- The maximum number of DNS rules is 50.
- The allow list and block list have a limit of 4000 domains each.
- Each policy can only have one DNS rule applied.
- Add domains to the allow list of your DNS rules if you require access to a blocked domain.
- Use the Bulk upload feature to upload a .CSV file with a list of items to add to the block or allow list. Use separate CSV files for different domain types.
- If entering IP addresses, only the domains associated with the IP address are blocked or allowed.
Categories
The available security and content categories are listed below.
Security categories
These categories are already preselected when creating a DNS rule. We recommend keeping this enabled.
| Categories | Description |
|---|---|
| New Domains | Domains that have been registered very recently. |
| Newly Seen Domains | Domains that have recently been resolved for the first time. |
| Parked & For Sale Domains | Domains that are parked or for sale, these domains may be malicious. |
| Anonymizer | Sites that allow attackers to hide their IP addresses. |
| Brand Embedding | Embedding of external brand name. |
| Command and Control & Botnet | Sites that are queried by compromised devices to exfiltrate information or potentially infect other devices in a network. |
| Cryptomining | Sites that mine cryptocurrency by taking over the user's computing resources. |
| DGA Domains | Domains detected as generated by algorithms seen in malware. |
| DNS Tunneling | Domains with detected DNS tunneling activity. |
| Domain Generation Algorithm | Domains detected as generated by algorithms seen in malware. |
| Malware | Sites hosting malicious content and other compromised websites. |
| Phishing | Domains that are known for stealing personal information. |
| Private IP Address | Domains that resolve to private IP Addresses. |
| Spam | Sites that are known for targeting users with unwanted sweepstakes, surveys, and advertisements. |
| Spyware | Sites that are known to distribute or contain code that displays unwanted advertisements or gathers user information without the user's knowledge. |
Content categories
Use the Look up domain categories field next to the content categories dropdown to verify the content category of a specific domain.
| Categories | Subcategories |
|---|---|
| Adult Themes |
Adult Themes Nudity Pornography |
| Blocked | Child Abuse |
| Business & Economy |
Business Economy & Finance |
| Children's Internet Protection Act (CIPA) | Cipa Filter |
| Education |
Education Educational Institutions Science Space & Astronomy |
| Entertainment |
Arts Audio Streaming Cartoons & Anime Comic Books Entertainment Fine Art Gaming Home Video/DVD Humor Magazines Movies Music News & Media Paranormal Radio Television Video Streaming |
| Gambling | Gambling |
| Government & Politics |
Government Politics, Advocacy, and Government-Related |
| Health |
Health & Fitness Sex Education |
| Internet Communication |
Chat Forums Information Security Instant Messengers Internet Phone & VOIP Messaging P2P Personal Blogs Photo Sharing Webmail |
| Job Search & Careers | Job Search & Careers |
| Military & Weapons |
Military Weapons |
| Miscellaneous |
Miscellaneous Redirect |
| Questionable Content |
Deceptive Ads Drugs Hacking Militancy, Hate & Extremism Profanity Questionable Activities Unreliable Information |
| Real Estate | Real Estate |
| Religion | Religion |
| Safe for Kids | Safe for Kids |
| Shopping & Auctions |
Auctions & Marketplaces Coupons Ecommerce Shopping |
| Social & Family | N/A |
| Society & Lifestyle |
Abortion Arts & Crafts Astrology Body Art Clothing Dating & Relationships Digital Postcards Fashion Food & Drink Hobbies & Interests Home & Garden Jewelry LGBTQ Lifestyle Lingerie & Bikini Parenting Pets Photography Professional Networking Sexuality Social Networks Swimsuits Tobacco |
| Sports | Sports |
| Technology |
APIs Content Servers File Sharing Information Technology News, Portal & Search Search Engines Technology Translator |
| Travel | Travel |
| Vehicles | Vehicles |
| Violence |
Violence Weapons |
| Weather | Weather |
Technology content category
We advise against blocking the technology content category as most domains for e-commerce activity are included in that category. If you are blocking this category, add these to the allow list:
| Domain | Subcategories |
|---|---|
avangate.net |
Technology |
assets.adobedtm.com |
Content Servers, Technology |
www.paypalobjects.com |
Content Servers, Technology |
static.criteo.net |
Technology |
api.airbrake.io |
Technology |
www.google-analytics.com |
Technology |
clientservices.googleapis.com |
Technology |
js.authorize.net |
Technology |
google.com |
Search Engines, Technology |
www.googletagmanager.com |
Technology |
unpkg.com |
Technology |
intellimize.co |
Technology |
demandbase.com |
Technology |
www.redditstatic.com |
Technology |
Return to Nebula DNS Filtering guide.