Gateway DNS Bug? is being blocked. works fine.

I have created a Custom Allow rule for and it’s still being blocked:

1 Like

The domain resolves using your DoH subdomain and no queries for that domain today other than my test in your logs both of which return an Allow decision. However the target of that record is blocked and so there may be scenarios where the lookup of that target fails as its TTL is shorter than the original record queried. When that happens the explicit query for the blocked record will fail.


I’m not using DoH. I’m using IPv4 DNS.

What is the “target of that record?”

1 Like

Every location has a DoH subdomain associated with it and that is what I used to test.

curl -H 'accept: application/dns-json' '

If you’re going to set a super restrictive DNS policy it’s useful to be able to understand/troubleshoot how and why a request might fail. DNS can be devilishly complex. You can run the previous command or use another tool to determine the target in this instance.

1 Like

You mean the CNAME record ( correct?

When a DNS resolver encounters a CNAME record while looking for a regular resource record, it will restart the query using the canonical name instead of the original name.

If CNAME will always be used in place of the original name, why does have both A and CNAME records?

1 Like is a CNAME record. It points to A records. Ultimately for the simplified purposes of this example the query for a DNS record needs to resolve to an IP address to determine where traffic is supposed to be routed. Any CNAME is ultimately going to resolve to an A record as A records map a host name to an IP address.

Each record has its own associated TTL and the DNS resolver keeps track of record → value for the associated TTL. When a record expires* it queries again to determine the current value(s) for the record.

DNS is simple until it isn’t; the number of corner cases and unexpected or unintended consequences to resolution with a broad number of record types and varied implementations of standards by application and OS is non-trivial.

* nothing in DNS is quite that simple, but close enough for this example.

1 Like

Here’s another one: is being blocked even though I have created a Custom Allow for

The CNAME record for URI is:

which is listed as Technology so I don’t understand why it’s blocked. is a URI that is being blocked that doesn’t have a CNAME record.

If I create a Block of the io TLD and create an Allow of, shouldn’t every subdomain of be Allowed?

All of your requests for that domain which up until and including 16:03:32 CST were blocked. After that all requests were allowed. So, working as expected?

Where is that blocked? In the last 24 hours your logs show 0 instances of that hostname being blocked. How have you determined that CNAME target is being blocked?

Ya, something is squirrely. and were both being blocked even though I had created an Allow rule for

I created an Allow rule for each subdomain and the requests were no longer blocked. I removed the subdomain Allow rules and the requests are no longer blocked…

I’ve had a rule permitting for at least two weeks. and were blocked regardless. This evening I made a non-related modification to my policy and and are now being allowed…until Gateway decides to inexplicably start blocking them again. is still being blocked so I created a DNS (New) rule to allow and deleted the legacy rule.

Will report back.

It appears the legacy DNS Custom policies are buggy: CNAME to

so I created an allow for but resolution is still blocked:


If I create an analogous allow policy in DNS (NEW), everything works fine.