Threater Enforce applies Domain Lists by intercepting outbound DNS queries and inspecting the domain name being looked up. Domain Lists do not block IP addresses and do not stop IP connections from going through. Note that when a client uses encrypted DNS (for example DNS over HTTPS or DNS over TLS), Enforce cannot see the domain name inside the query, so it can neither allow nor deny domains for that client.
As networking technologies have shifted in recent years, it has become harder to use Domain Allow and Block Lists effectively. To allow or block a specific site or service, we recommend IP Allow and Block Lists instead.
Domain Block Lists
When Enforce sees a DNS query, it checks the queried domain against the Domain Block Lists. If the domain is not on a block list, the query is passed through to its original destination server. If the domain is on a block list, Enforce returns a non-existent domain (NXDOMAIN) response to the client, so the application cannot resolve, and therefore cannot connect to, the blocked domain.
If the domain was resolved before it was added to a block list and the answer is still cached by an internal DNS server, clients are answered from that cache and Enforce never sees an outbound query to inspect. After adding a domain to a block list, flush the cache on the internal DNS server. Clients' own resolver caches can hold the old answer as well, for as long as the record's TTL allows.
Domain Allow Lists
Domain Allow Lists override blocks that would otherwise result from a domain appearing on a Domain Block List. Because Enforce does not itself look up the IP addresses behind the domain, and because domain blocking never blocks or stops IP connections, a Domain Allow List entry does not allow traffic to an IP address that has been identified by an IP Threat List or IP Block List.
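The following is an added simulation of the behaviour described in this section, written for illustration; it is not Threater's code and does not show how Enforce is implemented. It builds a DNS query in wire format, extracts the queried name the way a DNS-inspecting device would, returns an NXDOMAIN response for block-listed names, lets an allow list override a block, and models an internal caching resolver to show why a cached answer bypasses the block until the cache is flushed. The subdomain-matching convention (a listed domain also matches its subdomains), the domain names and the documentation-range IP addresses are assumptions constructed for the example.

```python
from __future__ import annotations
import struct
from dataclasses import dataclass, field

# ---- DNS wire format helpers (RFC 1035) ----

def build_query(qname: str, qid: int = 0x1234) -> bytes:
    """Build a minimal A/IN query: 12-byte header, QNAME labels, QTYPE, QCLASS."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_qname(packet: bytes) -> str:
    """Read the QNAME from the question section; this is the name a domain list is matched against."""
    pos, labels = 12, []
    while packet[pos] != 0:
        length = packet[pos]
        if length & 0xC0:
            raise ValueError("compression pointer in a query question")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels).lower()

def nxdomain_response(query: bytes) -> bytes:
    """Answer with RCODE 3 (NXDOMAIN), echoing the ID and question so the client accepts it."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8183, 1, 0, 0, 0)  # QR=1 RD=1 RA=1 RCODE=3
    return header + query[12:]

def rcode(response: bytes) -> int:
    return struct.unpack("!H", response[2:4])[0] & 0x0F

# ---- policy model (assumed: a listed domain also matches its subdomains) ----

def in_list(name: str, domains: set) -> bool:
    return any(name == d or name.endswith("." + d) for d in domains)

@dataclass
class DomainPolicy:
    """Stand-in for the enforcement point; not Threater's implementation."""
    block: set = field(default_factory=set)
    allow: set = field(default_factory=set)
    ip_block: set = field(default_factory=set)

    def handle_query(self, packet: bytes):
        """Return (verdict, response). 'forward' means the query passes untouched."""
        name = parse_qname(packet)
        if in_list(name, self.allow):       # allow list overrides a domain block
            return "forward", None
        if in_list(name, self.block):
            return "nxdomain", nxdomain_response(packet)
        return "forward", None

    def connection_allowed(self, ip: str) -> bool:
        """IP lists apply to the connection itself, whatever the domain verdict was."""
        return ip not in self.ip_block

class InternalResolver:
    """Caching resolver between clients and the enforcement point; a cache hit never reaches it."""
    def __init__(self, policy: DomainPolicy, upstream: dict):
        self.policy, self.upstream, self.cache = policy, upstream, {}

    def resolve(self, qname: str) -> str:
        qname = qname.lower()
        if qname in self.cache:
            return self.cache[qname]
        verdict, resp = self.policy.handle_query(build_query(qname))
        if verdict == "nxdomain" and rcode(resp) == 3:
            answer = "NXDOMAIN"
        else:
            answer = self.upstream.get(qname, "NXDOMAIN")
        self.cache[qname] = answer
        return answer

    def flush(self) -> None:
        self.cache.clear()

def demo() -> dict:
    # Constructed sample data: a fake upstream zone using documentation-range addresses.
    upstream = {"malware.example": "203.0.113.10", "www.cdn.example": "198.51.100.7"}
    policy = DomainPolicy(allow={"cdn.example"}, ip_block={"198.51.100.7"})
    resolver = InternalResolver(policy, upstream)
    out = {}
    out["before_block"] = resolver.resolve("malware.example")        # resolved and cached
    policy.block.add("malware.example")
    out["cached_after_block"] = resolver.resolve("malware.example")  # cache hit, block not seen
    resolver.flush()
    out["after_flush"] = resolver.resolve("malware.example")         # now NXDOMAIN
    policy.block.add("cdn.example")
    out["allow_overrides_block"] = resolver.resolve("www.cdn.example")  # allow list wins
    out["ip_still_blocked"] = policy.connection_allowed(out["allow_overrides_block"])
    return out

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it to see the three caveats in order: the cached answer survives the block until the resolver cache is flushed, the allow list overrides the domain block, and the allowed domain's address is still refused by the IP block list.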