I started off with content blocking, blocking an advertising website, lets call it bad.com.
Then, it turns out that a streaming service on a Roku box will not run without being able to show ads from xyz.bad.com. So, I created a Local DNS record for xyz.bad.com and that allowed the streaming service to show its ads while blocking all the other sub-domains of bad.com. Worked fine.
But, I don’t want every device to be able to access xyz.bad.com, I only want the Roku box to get to it.
So, I need a firewall rule based on domain name. And, thus, my question.
Clearly the Local DNS record was evaluated by the router before the content blocking rule. What is the hierarchy here? Are domain based firewall rules evaluated before Local DNS records? After content blocking? In the middle?
Thanks in advance.
I suggest using the Exempted Subnets. You may exempt the IP of Roku box while blocking the bad.com.
We have a database to block the URL based on the category you choose.
1 Like
That would exempt the Roku from all web blocking which is not what I want to do.
Would it work to have one fw rule allowing the Roku IP address as source and xyz.bad.com as destination followed by a rule of deny all for bad.com?
Yes it would. And that is exactly what I intend to do, but the question was a general one.
If there are differing rules/specifications for a given domain/subdomain using Local DNS records, content blocking and a firewall rule, which is evaluated first, second and third?
1 Like
Next up, I removed the Local DNS records.
Content blocking is used for bad.com.
A firewall rule lets the Roku box get at xyz.bad.com.
The next firewall rule blocks everyone from xyz.bad.com.
The streaming service works under these conditions.
Lesson: firewall rules are evaluated before Content Blocking. If Content Blocking had been evaluated first, the Roku box would been blocked from xyz.bad.com.
So, Content Blocking is evaluated after both Local DNS and firewall rules based on a domain name. Don’t know which is first.
1 Like
