Why are sub domains blocked when the primary domain is listed as unblocked

kaziganthi · ‎10-13-2017

I am having issues with sub domains being blocked even though I specifically listed the root domain as Never Block. In my specific circumstance, I have blocked Chat, but I need Google's myriad of services specifically to not be blocked. Google has many sub domains that are used, but even though google.com is listed as Never Block, plus.google.com and mtalk.google.com are getting blocked.

Is there something I'm doing wrong? Other articles I have looked at say listing the Root Domain as Never Block should leave the Sub Domains unblocked, but it doesn't seem to be working.

I tried adding *.google.com, but that fails to add. Is there a different character that I should be using as a wildcard?

mattwilson9090 · ‎10-14-2017

Both plus.google.com and mtalk.google.com are categorized as Chat. Since you said you are blocking chat, that is the reason they are blocked.

It's true that if you whitelist a domain, that whitelisting applies to all subdomains UNLESS you also have the subdomain explicitly blacklisted or blocked via category.

Wildcards do not work and are not necessary in OpenDNS since *.google.com is the same thing as google.com for domain filtering purposes.

You aren't actually doing anything wrong (other than the wildcard), you just didn't have a full understanding of how things work, and it's not aided by Google having such a complex (and opaque) way of using their domains. Always remember, if something is being blocked and you don't understand why, your Logs & Stats on your Dashboard is always the first place to look. That will give you a place to start by showing the domain that is blocked, and in most case the category that blocked it.

kaziganthi · ‎10-14-2017

This seems like a flawed in the design. If I wanted to block Chat and leave it at that, I would not explicitly try to add google.com to my Always Allow list. They statement for Always Block or Always Allow states that it Overrides any of your Category settings. If your Override is not respected because of a Category Block because it is a Sub Domain of a Domain that is explicitly set to Always Allow, this isn't operating as is stated on the page.

If this is the way OpenDNS is handling Sub Domains, then there should be an additional checkbox in Always Allow to Allow Sub Domains even if they are blocked by Categories.

Why would I want an option to Always Allow if I have to go through every Sub Domain because the Root Domain is not blocked but one or more Sub Domains is?

rotblitz · ‎10-14-2017

Let's unmystify your mystery. Copy & paste the complete plain text outputs of the following diagnostic commands to here, and I can tell you more.

nslookup -type=txt debug.opendns.com.
nslookup plus.google.com.
nslookup mtalk.google.com.