Products Firewalla Gold Firewalla Gold Plus Firewalla Purple Firewalla Purple SE Firewalla Blue Plus Firewalla Wi-Fi SD Product Comparison Product Reviews

Articles in this section

See more

How does Firewalla block domains? and why blocking domains may block other domains?

Avatar
Firewalla
  • Updated
Follow

How does Firewalla block domains?

A domain is something like "firewalla.com".  Firewalla uses two methods to block such a domain on your network:

  1. Resolve the domain to IP addresses, and block the IP addresses.
  2. Block the DNS lookup of firewalla.com so the IP address for firewalla.com is not resolved.

When you create a rule to block a domain, Firewalla will provide you with two types of Block Mode underneath:

Default 

  • Multiple domains may be hosted on the same IP,  blocking one IP may block other sites 
  • These blocks are immediate and will block even the video already started.

Domain Only

  • Due to how DNS entries are cached in the operating systems, it may take a while for the block to be effective.  
  • If the stream already started, there no way to stop it. (blocking youtube app for example)

IMG_6552.PNG     IMG_6553.PNG

 

 

Why blocking one domain may block other domains?

Here is an example of how Firewalla Default Domain Block can affect other domains. In this example, we blocked tiktokv.com (one of the video domains used by TikTok) using the Default Blocking method, and this will cause slickdeals.net (a deals site) to be blocked. Here is why:

When blocking tiktokv.com using Default (IP-based) Blocking, all of the following sites will be blocked:

 1) "webcast-va.tiktokv.com"
 2) "api16-va.tiktokv.com"
 3) "api16-core-c-useast2a.tiktokv.com"
 4) "mon-va.tiktokv.com"
 5) "api19-core-c-useast1a.tiktokv.com"
 6) "api-va.tiktokv.com"

 

 Now let's look at api-va.tiktokv.com

pi@firewalla:~ () $ nslookup api-va.tiktokv.com
Non-authoritative answer:
api-va.tiktokv.com      canonical name = api-va.tiktokv.com.edgekey.net.
api-va.tiktokv.com.edgekey.net  canonical name = e28622.a.akamaiedge.net.
Name:   e28622.a.akamaiedge.net
Address: 184.50.88.73
Name:   e28622.a.akamaiedge.net
Address: 184.50.88.2

 

api-va.tiktokv.com is associated with IP addresses 184.50.88.73 and 184.50.88.2, and under the Default Blocking mode, both IP addresses are blocked. And if you do domain lookup of slickdeals.net, it turns out to be also 184.50.88.73.

 

How to debug this issue?

The Rule Diagnostic tool helps you to look for rules that block your device from accessing certain sites. 

For example, if you are having trouble accessing site "slickdeals.net" on your iPhone, 

  • Tap on Rules  -> the top right corner "…" -> Diagnostics. 
  • Type in the site you can't access - "slickdeals.net"
  • Select the device you are having the issue with - "Jerry-iPhone"
  • Diagnose

Here you will find, blocking TikTok also blocks slickdeals.net

If you see problems like this happening, you can tap on this rule and change the blocking mode to "Domain Only".

IMG_59A614DFEF2D-2.jpeg      IMG_6517.PNG

 

 

 

Related articles

Comments

0 comments

Please sign in to leave a comment.