browse
Introduction
This article refers to DNS Layer Security only. SWG lists have different support levels.
When generating a destination list, it's possible you will see errors if the format of the destination is entered incorrectly. This article describes what can or cannot be in a destination list as well as providing common errors and resolutions.
A destination list is quite literally a list of internet destinations that can be blocked or allowed based on the administrative preferences for the policies applied to the identities within your organization.
A destination is currently defined as an IP, a fully qualified domain name or URLs. In upcoming releases, we will allow for the possibility of adding custom URLs to be blocked in a destination list. This article includes errors generated from incorrectly adding a URL, however this feature is currently not available for most customers and is in still in limited availability.
This article briefly outlines what is or isn't acceptable to be added to a destination list at this time and as this information changes, this article will be updated.
What you can add to a destination list
1. Fully qualified domains and subdomains. The protocol is not required (eg: no "http://" needs to be added in front front of the domain).
If you wish to block all subdomains of a domain, add the top level domain name as exampledomain.com
If you wish to only block a subdomain, add the subdomain as subdomain.exampledomain.com
2. IP addresses can be added to an Allow Destination only.
What you cannot add to a destination list
1. You cannot add wildcards. A wildcard is implicit in the way DNS is structured, so adding a domain covers all of the subdomains and there is no reason to add *.domain.com to cover this.
2. Certainly very popular domains cannot be blocked with our custom URL feature.
3. You cannot add the same destination twice in the same list.
Error Messages
The custom URL destination block lists feature enables Umbrella to extend a domain level block list to encompass full and partial URLs. In turn, this allows you to block certain portions of a website based specifically on the full or partial URL. However, there are limitations and it's possible that the configuration of your destination lists might result in error messages.
NOTE: The feature described in this article is currently not available for most customers and is in early release. For more information, please read: https://docs.umbrella.com/product/umbrella/custom-url-destination-list-how-to
For more information about guidelines that must be followed to ensure that the URL you are entering is actually the one you want blocked, see Custom URL Destination Normalization
| Message | Action | Notes |
|---|---|---|
| URLs in allow lists are not currently supported. Consider adding the domain only instead. | You'll get this error message if you add a URL to an allow list. Remove the URL and replace it with the domain for that URL. | We are considering adding custom allowed URLs in the future. Please submit a feature request if you would like to see this feature added to Umbrella. |
| Invalid Domain, Invalid URL, Invalid IP | The entry of the type entered does not match the required format. Enter the correct expected format and try again. | Double check your entry. |
| Please check to confirm that the URL was entered correctly. | There was a problem with the URL, either in the domain, path or query. Review your URL for legal characters and URL composition. Additionally, you may enter a partial URL to leverage right-side wildcarding. For more information, see Custom URL Destination List How-To. | We adhere to RFC-3986. |
| The supplied URL belongs to a domain that does not present a security concern but may impact Umbrella performance if proxied. Consider adding the domain only instead. | URL matches the high-volume domain list. Consider blocking the domain if you don't trust the destination. | High volume domains do not present a security risk themselves and do not require additional scrutiny. |
| The supplied destination matches the Umbrella global allow list and cannot be saved. | The destination matches the protected allow list. If this error is occurring on a URL, consider blocking the domain if you don't trust the destination. If you're not sure why this destination is considered protected, please contact support. | Destinations in the protected allow list either host services other than HTTP and cannot be proxied or are critical to Umbrella operations. |
|
Only ASCII characters can be used for defining URLs. or Invalid URL |
The URL contains non-ASCII characters. Try percent-encoding the URL or block the domain. | The Intelligent Proxy currently does not support non-ASCII characters. Please submit a feature request if you would like non-ASCII characters supported in Umbrella. |
| There was an issue with one or more of the destinations in the uploaded list. | This is a bulk upload error message. One or more of the URLs or domains supplied in the uploaded list match one of the error conditions above. Umbrella should provide you with a link to download a list of destinations that could not be uploaded. Please correct or remove the destinations from your bulk upload list and try again. |
Umbrella will not write uploaded destinations to the database unless all uploaded destinations can be accepted. |
| Invalid destination. | No action can be taken at this time. This is a generic error message. | The supplied destination cannot be accepted by Umbrella. You have encountered an error condition Umbrella cannot account for. Please log a case with support so that we can address this error condition. |
| CIDR is too large! The network mask must not be less than /8 (32 million IP addresses) which is the minimum number of bits allowed. Please enter a larger network mask. | Enter a smaller CIDR block. | /8 is too much for one list. |
| This destination already exists in following list | This indicates you're entering a destination that's already in the list. | Nothing to worry about, you've already performed the necessary action. |