Sorting out various domain related defenses

I started off with content blocking, blocking an advertising website, let's call it bad.com.

Then, it turns out that a streaming service on a Roku box will not run without being able to show ads from xyz.bad.com. So, I created a Local DNS record for xyz.bad.com and that allowed the streaming service to show its ads while blocking all the other sub-domains of bad.com. Worked fine.

But, I don’t want every device to be able to access xyz.bad.com, I only want the Roku box to get to it.

So, I need a firewall rule based on domain name. And, thus, my question.

Clearly the Local DNS record was evaluated by the router before the content blocking rule. What is the hierarchy here? Are domain based firewall rules evaluated before Local DNS records? After content blocking? In the middle?

Thanks in advance.

I suggest using the Exempted Subnets. You may exempt the IP of the Roku box while blocking bad.com.

We have a database to block the URL based on the category you choose.


That would exempt the Roku from all web blocking which is not what I want to do.

pi-hole?

Would it work to have one fw rule allowing the Roku IP address as source and xyz.bad.com as destination followed by a rule of deny all for bad.com?

Yes it would. And that is exactly what I intend to do, but the question was a general one.

If there are differing rules/specifications for a given domain/subdomain using Local DNS records, content blocking and a firewall rule, which is evaluated first, second and third?


Next up, I removed the Local DNS records.
Content blocking is used for bad.com.
A firewall rule lets the Roku box get at xyz.bad.com.
The next firewall rule blocks everyone from xyz.bad.com.
The streaming service works under these conditions.

Lesson: firewall rules are evaluated before Content Blocking. If Content Blocking had been evaluated first, the Roku box would have been blocked from xyz.bad.com.

So, Content Blocking is evaluated after both Local DNS and firewall rules based on a domain name. Don’t know which is first.

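A small model of the evaluation order this post arrives at (first-match firewall rules, then Content Blocking), added here as an example; it is not code from the thread or from the router vendor, and the Roku address and domain names are constructed placeholders:

```python
"""Model of the precedence observed in the thread: domain-based firewall rules
(first match wins) are evaluated before Content Blocking. Constructed example;
192.168.50.20 is a placeholder for the Roku box, bad.com for the ad domain."""
from dataclasses import dataclass
from typing import List, Optional


def domain_matches(name: str, pattern: str) -> bool:
    """True if name equals pattern or is a subdomain of it (case-insensitive)."""
    name, pattern = name.lower().rstrip("."), pattern.lower().rstrip(".")
    return name == pattern or name.endswith("." + pattern)


@dataclass
class FwRule:
    action: str            # "allow" or "deny"
    src: Optional[str]     # source IP, None means any source
    dst_domain: str        # destination domain, subdomains included


# Firewall rules from the post: Roku may reach xyz.bad.com, everyone else may not.
FIREWALL: List[FwRule] = [
    FwRule("allow", "192.168.50.20", "xyz.bad.com"),
    FwRule("deny", None, "xyz.bad.com"),
]
# Content Blocking entry: bad.com and all of its subdomains.
CONTENT_BLOCK: List[str] = ["bad.com"]


def evaluate(src_ip: str, domain: str, firewall_first: bool = True) -> str:
    """Return the verdict and the stage that produced it.

    firewall_first=True is the order the post observed; False shows what
    would happen if Content Blocking ran ahead of the firewall rules."""
    stages = ["firewall", "content"] if firewall_first else ["content", "firewall"]
    for stage in stages:
        if stage == "firewall":
            for rule in FIREWALL:  # rules are ordered; the first match decides
                src_ok = rule.src is None or rule.src == src_ip
                if src_ok and domain_matches(domain, rule.dst_domain):
                    return f"{rule.action} (firewall)"
        elif any(domain_matches(domain, blocked) for blocked in CONTENT_BLOCK):
            return "deny (content blocking)"
    return "allow (default)"


if __name__ == "__main__":
    for ip, dom in [("192.168.50.20", "xyz.bad.com"), ("192.168.50.77", "xyz.bad.com"),
                    ("192.168.50.20", "ads.bad.com")]:
        print(ip, dom, "->", evaluate(ip, dom))
    print("content first:", evaluate("192.168.50.20", "xyz.bad.com", firewall_first=False))
```

Swapping the order of the two firewall rules makes the Roku lose access as well, which is the same first-match behaviour the post relies on.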

I just upgraded from a Surf SOHO to a B One. The behavior you described is what I remember seeing in the past, but is not what I’m seeing now.

If I start by adding a couple of outbound firewall rules to block vimeo.com and vimeocdn.com on a specific LAN, I can’t browse Vimeo on that LAN. If I then add those domains to the “Exempted Domains from Web Blocking,” I am able to browse Vimeo.

Correction: I also had the Audio-Video category checked in Web Blocking, and apparently that is what was blocking Vimeo, not the firewall rules. The firewall rules do not seem to have any effect for this site. Sorry for the noise.

Correction 2: I found a typo in an earlier rule that crept in during the manual field-by-field reconfiguration of my B One. I have no more reason to doubt that filter evaluation works the same as it did in the past.