How does Firewalla block domains? Why does blocking domains block other domains?

How does Firewalla block domains?

A domain is something like "firewalla.com". Firewalla uses two methods to block domains on your network:

1. Resolve the domain to IP addresses, and block the IP addresses.
2. Block the DNS lookup of firewalla.com so the IP address for firewalla.com is not resolved.

When you create a rule to block a domain, Firewalla will provide you with two Block Modes:

Default 

• Multiple domains may be hosted on the same IP. Blocking one IP may block other sites.
• These blocks are immediate and will block even the video already started.

Domain Only

• Due to how DNS entries are cached in operating systems, it may take a while for the block to be effective.  
• If the traffic flow has already started, a domain-only block will not stop it (blocking YouTube, for example)

Why does blocking one domain block other domains?

Here is an example of how Firewalla Default Domain Block can affect other domains. In this example, we blocked tiktokv.com (one of the video domains used by TikTok) using the Default Blocking method. This will cause slickdeals.net (a deals site) to be blocked. Here is why:

When blocking tiktokv.com using Default (IP-based) Blocking, all of the following sites will be blocked:

 1) "webcast-va.tiktokv.com"
 2) "api16-va.tiktokv.com"
 3) "api16-core-c-useast2a.tiktokv.com"
 4) "mon-va.tiktokv.com"
 5) "api19-core-c-useast1a.tiktokv.com"
 6) "api-va.tiktokv.com"

 Now let's look at api-va.tiktokv.com

pi@firewalla:~ () $ nslookup api-va.tiktokv.com
Non-authoritative answer:
api-va.tiktokv.com      canonical name = api-va.tiktokv.com.edgekey.net.
api-va.tiktokv.com.edgekey.net  canonical name = e28622.a.akamaiedge.net.
Name:   e28622.a.akamaiedge.net
Address: 184.50.88.73
Name:   e28622.a.akamaiedge.net
Address: 184.50.88.2

api-va.tiktokv.com is associated with IP addresses 184.50.88.73 and 184.50.88.2, and under the Default Blocking mode, both IP addresses are blocked. And if you do domain lookup of slickdeals.net, it turns out to be also 184.50.88.73.

How do I debug this issue?

The Rule Diagnostic tool helps you to look for rules that block your device from accessing certain sites. 

For example, if you are having trouble accessing site "slickdeals.net" on your iPhone, 

• Tap on Rules  -> the top right corner "…" -> Diagnostics. 
• Type in the site you can't access - "slickdeals.net"
• Select the device you are having the issue with - "Jerry-iPhone"
• Diagnose

Here you will find, blocking TikTok also blocks slickdeals.net

If you see problems like this happening, you can tap on this rule and change the blocking mode to "Domain Only".