Sorting out various domain related defenses

I started off with content blocking, blocking an advertising website, let's call it

Then, it turns out that a streaming service on a Roku box will not run without being able to show ads from So, I created a Local DNS record for and that allowed the streaming service to show its ads while blocking all the other sub-domains of Worked fine.

But, I don’t want every device to be able to access, I only want the Roku box to get to it.

So, I need a firewall rule based on domain name. And, thus, my question.

Clearly the Local DNS record was evaluated by the router before the content blocking rule. What is the hierarchy here? Are domain based firewall rules evaluated before Local DNS records? After content blocking? In the middle?

Thanks in advance.

I suggest using the Exempted Subnets. You may exempt the IP of the Roku box while blocking the

We have a database to block the URL based on the category you choose.

That would exempt the Roku from all web blocking which is not what I want to do.


Would it work to have one fw rule allowing the Roku IP address as source and as destination followed by a rule of deny all for

Yes it would. And that is exactly what I intend to do, but the question was a general one.

If there are differing rules/specifications for a given domain/subdomain using Local DNS records, content blocking and a firewall rule, which is evaluated first, second and third?

Next up, I removed the Local DNS records.
Content blocking is used for
A firewall rule lets the Roku box get at
The next firewall rule blocks everyone from
The streaming service works under these conditions.

Lesson: firewall rules are evaluated before Content Blocking. If Content Blocking had been evaluated first, the Roku box would have been blocked from

So, Content Blocking is evaluated after both Local DNS and firewall rules based on a domain name. Don’t know which is first.
