Articles in this section

See more

Allow/Blocking a Site (Best Practice)

Avatar
Christopher Stewart
  • Updated
Follow

A common issue with blocking/allowing access to a site (www.example.newsite.com) is the underlying domains that need to be accounted for.

If you wanted to block/allow www.sfgate.com for instance, it would be great to just put sfgate.com in a list.

Unfortunately, it's not that simple. If we do a packet capture on the DNS calls involved with bringing up www.sfgate.com, we would see the following DNS records needed to completely render the site: 

fls.doubleclick.net
s.meebocdn.net
ww1.hdnux.com
ww2.hdnux.com
ww3.hdnux.com
ww4.hdnux.com
www.sfgate.com
www.zvents.com
ssl.gstatic.com

Some of the content provided by most websites is driven from sites in a category you might have blocked. When that happens, elements of the page won't load properly, or there will be no formatting.

An easy way to find the domains required is to use Google Chrome's DNS prefetch tool which logs your queries.

More detailed information about the feature is available here -> http://www.chromium.org/developers/design-documents/dns-prefetching

Once the feature is turned on in your browser (it's most likely on for you right now), you can visit the site you want to collect information about.

After the site has completely rendered (all elements are downloaded), you can enter the following into the URL bar in the browser:

chrome://predictors

Now use CTRL-F to find the domain you are looking for.  I've used www.bostonglobe.com as an example.

bostonglobe.jpg

 

These entries would be required in order to Allow this site to render completely:

 

bostonglobe.com
c.o0bg.com
cdn.insights.gravity.com
metrics.boston.com
ping.chartbeat.net
rma-api.gravity.com
rmedia.boston.com
static.chartbeat.com
apis.google.com
ssl.gstatic.com

 

This issue is very prevalent in allow-only mode, or policies that make heavy use of content filtering.  It takes a bit of work to get access just right if everything is being blocked.  

Other methods of identifying these domains include packet captures (collected by tools such as Wireshark), collecting HAR files, or using websites such as webpagetest.org.

Related articles

Comments

0 comments

Article is closed for comments.