How does Firewalla block domains?
A domain is something like "firewalla.com". Firewalla uses two methods to block domains on your network:
- Resolve the domain to IP addresses, and block the IP addresses.
- Block the DNS lookup of firewalla.com so the IP address for firewalla.com is not resolved.
When you create a rule to block a domain, Firewalla will provide you with two Block Modes:
- Default
  - Multiple domains may be hosted on the same IP. Blocking one IP may block other sites.
  - These blocks are immediate and will stop even a video that has already started.
- Domain Only
  - Due to how DNS entries are cached in operating systems, it may take a while for the block to take effect.
  - If the traffic flow has already started, a domain-only block will not stop it (blocking YouTube, for example).
Why does blocking one domain block other domains?
Here is an example of how Default Domain Block can affect other domains. In this example, we blocked tiktokv.com (one of the video domains used by TikTok) using the Default Blocking method. This will cause slickdeals.net (a deals site) to be blocked. Here is why:
When blocking tiktokv.com using Default (IP-based) Blocking, all of the following sites will be blocked:
1) "webcast-va.tiktokv.com"
2) "api16-va.tiktokv.com"
3) "api16-core-c-useast2a.tiktokv.com"
4) "mon-va.tiktokv.com"
5) "api19-core-c-useast1a.tiktokv.com"
6) "api-va.tiktokv.com"
Now let's look at api-va.tiktokv.com:
pi@firewalla:~ () $ nslookup api-va.tiktokv.com
Non-authoritative answer:
api-va.tiktokv.com canonical name = api-va.tiktokv.com.edgekey.net.
api-va.tiktokv.com.edgekey.net canonical name = e28622.a.akamaiedge.net.
Name: e28622.a.akamaiedge.net
Address: 184.50.88.73
Name: e28622.a.akamaiedge.net
Address: 184.50.88.2
api-va.tiktokv.com resolves to the IP addresses 184.50.88.73 and 184.50.88.2. Under Default Blocking mode, both IP addresses are blocked. If you look up slickdeals.net, it turns out to also resolve to 184.50.88.73, so it is blocked as well.
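To make the collateral effect concrete, here is an added example (not Firewalla's code) that models the two block modes over a small constructed DNS table built from the nslookup output above; the extra hostnames and the 203.0.113.10 address are constructed, not taken from the article.

```python
from typing import Dict, List, Set, Union

# Constructed DNS data modelled on the nslookup output in the article.
# A name maps either to a CNAME target (str) or to a list of A records.
DNS: Dict[str, Union[str, List[str]]] = {
    "api-va.tiktokv.com": "api-va.tiktokv.com.edgekey.net",
    "api-va.tiktokv.com.edgekey.net": "e28622.a.akamaiedge.net",
    "e28622.a.akamaiedge.net": ["184.50.88.73", "184.50.88.2"],
    "webcast-va.tiktokv.com": ["184.50.88.2"],   # constructed A record
    "slickdeals.net": ["184.50.88.73"],          # shares an edge IP (from the article)
    "firewalla.com": ["203.0.113.10"],           # constructed, TEST-NET-3 address
}

def resolve(name: str, max_hops: int = 8) -> Set[str]:
    """Follow the CNAME chain until A records are found; stop on loops or unknown names."""
    seen: Set[str] = set()
    while name not in seen and len(seen) < max_hops:
        seen.add(name)
        rr = DNS.get(name)
        if rr is None:
            return set()
        if isinstance(rr, str):      # CNAME: keep following
            name = rr
            continue
        return set(rr)               # A records reached
    return set()

def in_zone(name: str, zone: str) -> bool:
    """Domain Only mode: a name is blocked if it is the zone or a subdomain of it."""
    return name == zone or name.endswith("." + zone)

def default_block_set(zone: str) -> Set[str]:
    """Default mode: the union of IPs that every known name under the zone resolves to."""
    ips: Set[str] = set()
    for n in DNS:
        if in_zone(n, zone):
            ips |= resolve(n)
    return ips

def collateral(zone: str) -> Dict[str, Set[str]]:
    """Names outside the zone that become unreachable because they share a blocked IP."""
    blocked = default_block_set(zone)
    hits: Dict[str, Set[str]] = {}
    for n in DNS:
        if in_zone(n, zone) or isinstance(DNS[n], str):
            continue                 # skip the zone itself and pure CNAME entries
        shared = resolve(n) & blocked
        if shared:
            hits[n] = shared
    return hits
```

Running `collateral("tiktokv.com")` reports slickdeals.net (and the Akamai edge host) as blocked through the shared 184.50.88.73 address, while `in_zone("slickdeals.net", "tiktokv.com")` is false, which is why switching the rule to Domain Only removes the side effect.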
How do I debug this issue?
The Rule Diagnostics tool helps you find the rules that are preventing your device from accessing a site. For example, if you're having trouble accessing slickdeals.net on your iPhone:
- Tap on Rules -> "…" in the top right corner -> Diagnostics.
- Type in the site you can't access - "slickdeals.net".
- Select the device you are having the issue with - "Jerry-iPhone".
- Tap Diagnose.
You'll find that blocking TikTok also blocks slickdeals.net.
If you see this problem, you can tap on the rule and change the blocking mode to Domain Only.
Comments
Why, when using the MSP and creating a Global Rule, does it only offer Domain-Only mode and not Default mode?
I have a site-2-site VPN (Wireguard) between a Purple to a Gold and route everything through my Gold.
Thanks!