Why Block Pages Do Not Appear on Some Websites (HTTPS / HSTS)
Why users may see certificate warnings instead of a block page and how modern browser security impacts DNS filtering behavior
Written by Owen Parry
Updated at May 15th, 2026
Table of Contents
Overview
DNS Filtering block pages provide a user-facing notification when access to a domain is restricted. However, modern web security standards—specifically HTTPS and HSTS (HTTP Strict Transport Security)—can prevent block pages from displaying as expected.
When this occurs, users may see browser security warnings instead of a block page. This behavior is not a failure of DNS Filtering, but an expected outcome of how browsers enforce secure connections. Understanding this interaction is critical for troubleshooting, user education, and setting accurate expectations.
Important
If a blocked site uses HTTPS with HSTS, a block page may not appear.
This does not mean DNS Filtering failed — the connection is still blocked, but the browser replaces the experience with a security warning.
What the Feature Is
DNS Filtering Block Page Functionality
DNS Filtering enforces policies by returning a controlled response for blocked domains. Instead of resolving to the intended destination, the request is redirected to a block page that:
- Explains why access is blocked
- Provides visibility into filtering decisions
- Supports reporting and audit requirements
How Block Pages Are Delivered
The block page relies on a redirect-based approach:
- DNS response points the domain to a block page service
- The browser is redirected to a different endpoint
- The block page server presents its own SSL certificate
This works reliably for HTTP traffic, but introduces limitations when HTTPS is enforced.
HTTPS / HSTS Behavior Impact
What is HTTPS and HSTS
The following video explains how HSTS works at the browser level and why security warnings cannot be bypassed.
- HTTPS ensures encrypted communication between the browser and the destination
-
HSTS forces browsers to:
- Only use HTTPS
- Reject invalid certificates
- Prevent users from bypassing security warnings
Once a domain is under HSTS enforcement, the browser requires a strict certificate match.
Why Block Pages Fail for HSTS Sites
Technical Insight:
Browsers validate that the certificate presented matches the exact domain being requested.
When DNS Filtering redirects to a block page, the certificate does not match the original site — triggering a security warning.
Block pages depend on redirecting users to a different domain. This creates a conflict:
- The browser expects the original site's certificate
- The block page presents a different certificate
- HSTS blocks the connection due to mismatch
From the browser’s perspective, this resembles a man-in-the-middle scenario, which it is specifically designed to prevent.
Expected User Experience
When visiting blocked HTTPS or HSTS-enabled sites, users may see:
- “Connection is not private”
- Certificate validation errors
- Security warnings with no bypass option
This is expected behavior and indicates that the block is working, even if the visual experience differs.
Platform-Specific Behavior
DNS Filtering Architecture
- DNS resolver and block page services operate independently
- DNS enforces the block
- Block page attempts to provide user feedback
Browser Behavior (All Platforms)
All modern browsers enforce HTTPS and HSTS consistently:
- Chrome, Edge, Firefox, Safari
- Windows, macOS, iOS, Android
Key behaviors include:
- Rejecting certificate mismatches
- Preventing bypass of security warnings
- Caching HSTS policies per domain
Important Platform Notes
- Mobile devices often enforce stricter certificate handling
- Cached HSTS policies persist across sessions
- Private browsing may still honor HSTS rules
Advanced Use Cases
Architecture Limitation
DNS-based filtering operates without decrypting HTTPS traffic.
Because encrypted connections cannot be modified safely, block page redirects may not be deliverable for secure (HSTS) sites.
Security-First Environments
In compliance-driven environments (CMMC, SOC2, etc.):
- HSTS enforcement is intentional and desirable
- Browser blocking is a sign of correct security posture
- The absence of a block page does not indicate failure
DNS Filtering Without SSL Inspection
DNS Filtering operates without decrypting HTTPS traffic:
- Does not intercept or inspect encrypted content
- Does not replace certificates
- Relies on DNS-layer enforcement only
This avoids:
- Privacy concerns
- Certificate deployment complexity
- Performance overhead
When Block Pages Fully Work
Block pages display reliably when:
- The site uses HTTP
- HTTPS is used but not strictly enforced
- The browser allows certificate substitution (non-HSTS)
Best Practices
Set Clear Expectations
- Inform users that block pages may not appear for all websites
- Document this behavior in onboarding and training materials
- Provide examples of expected browser warnings
Focus on Logging and Reporting
- Use DNS Filtering logs to confirm enforcement
- Do not rely solely on visual confirmation
- Train support teams to validate blocks via reporting tools
Operational Readiness
- Prepare support teams to recognize HSTS-related behavior
- Include KB references in onboarding and welcome emails
- Avoid unnecessary escalation for expected browser warnings
Troubleshooting
Step 1: Identify the Protocol
- Determine if the domain uses HTTP or HTTPS
- Check if HSTS is enforced (developer tools or headers)
Step 2: Confirm Filtering Behavior
- Verify the domain is categorized and blocked
- Check DNS logs for enforcement confirmation
Step 3: Analyze the Error
- Certificate warning → Expected HSTS behavior
- 502 error → Resolver-related issue
- 504 error → Block page service issue
Expected Behavior Check
If you see a certificate warning on a blocked HTTPS site:
- The domain is still blocked
- DNS Filtering is working as intended
- The browser is enforcing security protections
Step 4: Clear Cached Data
- Clear browser cache
- Clear HSTS cache (browser-specific steps)
Note on Browser Caching:
HSTS policies are stored locally by the browser. Even after changing DNS or policies, behavior may persist until the cache is cleared.
Step 5: Validate Service Health
- Confirm resolver is operational
- Confirm block page service is reachable
Step 6: Test Across Conditions
- Different browser
- Different device
- HTTP vs HTTPS version of the site
Security & Sync Behavior
Security Model
DNS Filtering operates as a non-intercepting security control:
- Does not decrypt HTTPS traffic
- Does not impersonate destination certificates
- Does not introduce MITM behavior
This aligns with modern security principles and avoids weakening encryption protections.
Why Browsers Block the Page
Browsers enforce strict rules to:
- Prevent interception of encrypted traffic
- Block invalid or mismatched certificates
- Protect users from credential theft and spoofing
Because block pages rely on redirection, they can conflict with these protections.
Caching and Persistence
- HSTS policies are cached per domain
- Changes to filtering may not reflect immediately
- Cache clearing may be required during testing
Related Articles
- DNS Filtering Overview: https://support.cyberfox.com/en_US/dns
- DNS Filtering Policy Configuration: https://support.cyberfox.com/en_US/dns-policy
- DNS Filtering Troubleshooting: https://support.cyberfox.com/en_US/dns-troubleshooting
- DNS Filtering Block Page Customization: https://support.cyberfox.com/en_US/dns-blockpage