Overview
CyberFOX DNS Filter includes a built-in set of test domains that let you verify whether your filtering policies are working correctly—without visiting real-world websites. Each content category has a dedicated .test.cyberfox.com subdomain that triggers (or confirms the absence of) a block page based on your active policy configuration.
Testing is essential whenever you:
- Start a free trial and confirm that DNS resolution is pointing to CyberFOX.
- Create or modify a filtering policy and want to validate that the correct categories are blocked or allowed.
- Deploy the DNS Filter Agent to a new device or location, and confirm that it is enforcing the expected policy.
- Perform ongoing service monitoring to ensure filtering remains active and correctly applied.
Note: Test domains only validate that a category is blocked or allowed by the active policy. They do not test against live third-party websites.
How It Works
When you visit a test domain (e.g., https://ADULT_SITE_URL), the DNS Filter evaluates the request against the policy assigned to the device or network location making the request:
- If the category is blocked → You will see the CyberFOX block page, a browser security warning, or the site will fail to load—depending on HTTPS/HSTS behavior and whether the Root CA certificate is installed.
- If the category is allowed → The test page will load normally, confirming the category is not being filtered.
Important: Visual confirmation in the browser is not a reliable indicator on its own. A browser security warning (e.g., "Your connection is not private") for a blocked test domain is expected behavior for HTTPS sites and does not mean DNS Filtering has failed. Always use Query Logs or the Visibility Report in the CyberFOX Portal to confirm enforcement.
This allows administrators to quickly and safely confirm that each category is behaving as expected without exposing users to actual content.
Understanding What You May See When a Domain Is Blocked
The browser result will vary depending on HTTPS behavior and certificate trust. All of the following outcomes indicate DNS Filtering is working correctly:
| Outcome | What It Means |
|---|---|
| Block page is displayed | Expected behavior — Root CA certificate is installed and trusted on the device. |
| Browser shows a security warning (e.g., "Your connection is not private") | Expected behavior for HTTPS / HSTS sites — the domain is still blocked, but the browser cannot display the block page due to certificate enforcement. |
| Website does not load (connection error) | Expected behavior — the DNS query was blocked before the site could load. |
| Website loads normally | Not expected — the domain is not being filtered. Proceed with troubleshooting. |
For a full explanation of HTTPS/HSTS block page behavior, see: Why Block Pages Do Not Appear on Some Websites (HTTPS / HSTS)
Creating a Custom Test Domain Policy
You can also create a custom category and policy for internal testing. This is useful when you want a memorable, company-specific domain to verify that DNS resolution is correctly pointing to the CyberFOX filtering service.
Steps
- Log in to the CyberFOX Portal at https://app.cyberfox.com.
- Navigate to Policies → Categories.
- Click Add Category and name it something recognizable (e.g., `DNS Filter Test Domain`).
- Add a dummy domain to the category (e.g., `mycompanyblockedpage.com`). This domain does not need to exist—it only needs to be resolvable through CyberFOX DNS.
- Navigate to Policies and create or edit a policy.
- Add the new `DNS Filter Test Domain` category to the policy and set it to Block.
- Assign the policy to the location or device you want to test.
- On the target device, open a browser and navigate to `http://mycompanyblockedpage.com`.
- If the CyberFOX block page appears (or the site fails to load and the domain appears as blocked in Query Logs), DNS is correctly configured and the policy is being enforced.
Tip: This method is especially helpful during initial deployments, as it confirms both DNS resolution and policy assignment in a single step.
Content Categories and Definitions
The tables below list every content category available in CyberFOX DNS Filter, along with its description.
Static Categories
Static categories represent standard web content classifications. These are the primary categories used in most filtering policies.
| Category | Description |
|---|---|
| Abortion | Websites that provide information, resources, or services related to abortion, including pro-choice and pro-life perspectives, medical information, counseling services, and legal information. |
| Adult Content | Websites containing explicit adult-oriented content, including pornography, adult entertainment, adult products, and adult services. |
| Alcohol & Tobacco | Websites related to alcoholic beverages and tobacco products, including manufacturers, retailers, bars, clubs, information resources, and online stores. |
| Blogs & Personal Sites | Individual or group blogs, personal websites, and online journals covering various topics, experiences, opinions, and personal content. |
| Business | Commercial websites related to businesses, corporate entities, services, products, business-to-business services, industry information, and professional resources. |
| Dating & Personals | Websites that facilitate connections between individuals for dating, relationships, friendships, or other personal interactions. |
| Drugs | Websites containing information about recreational drugs, drug culture, drug sales, or drug paraphernalia, as well as legitimate pharmaceutical information. |
| Economy and Finance | Websites focused on economic news, financial services, banking, investments, stock markets, economic data, and personal finance management. |
| Education & Self Help | Educational resources, academic institutions, online learning platforms, self-improvement content, personal development, and educational materials. |
| Entertainment | Websites offering entertainment content, including movies, music, celebrities, arts, events, performances, pop culture, and entertainment news. |
| Food & Recipes | Websites dedicated to food, cooking, recipes, culinary arts, restaurants, food reviews, nutrition information, and dietary guidance. |
| Gambling | Websites related to gambling activities, including online casinos, sports betting, poker, lotteries, gambling news, and gambling resources. |
| Games | Websites featuring video games, online games, mobile games, game reviews, gaming communities, game development, and game-related content. |
| Government | Official government websites, public services, government agencies, political organizations, legislation information, and public policy resources. |
| Hacking & Cracking | Websites containing information about unauthorized computer access, security breaches, software cracking, hacking tools, and related activities. |
| Health | Websites providing health information, medical resources, healthcare services, wellness guidance, disease information, and health-related content. |
| Humor | Websites featuring humorous content, comedy, jokes, memes, funny videos, satire, and entertaining material designed to amuse. |
| Information Technology | Websites focused on technology, IT services, software development, hardware, IT news, tech solutions, and digital infrastructure. |
| Jobs & Careers | Websites related to employment opportunities, job listings, career development, professional networking, recruitment, and job search resources. |
| Media Sharing | Platforms for sharing various media types including photos, videos, audio files, documents, and other digital content. |
| Message Boards & Forums | Online discussion platforms where users can post messages, engage in conversations, ask questions, and interact with communities of shared interests. |
| News & Media | Websites providing news coverage, current events, journalism, media publications, and information about local, national, and global happenings. |
| P2P & Illegal | Websites related to peer-to-peer file sharing, torrents, illegal downloads, copyright infringement, and unauthorized distribution of content. |
| Real Estate | Websites related to property sales, rentals, real estate listings, real estate agencies, property management, and housing market information. |
| Religion | Websites focused on religious beliefs, practices, faith communities, religious institutions, spiritual guidance, and religious education. |
| Search Engines & Portals | Websites that enable users to search the internet, as well as web portals that aggregate content and provide multiple services from a single access point. |
| Shopping | Online retail websites, e-commerce platforms, marketplaces, and sites dedicated to selling products and services to consumers. |
| Social Networking | Platforms that enable users to connect with others, build networks, share content, and interact with friends, family, and communities. |
| Sports | Websites covering sports news, teams, events, scores, statistics, athletic activities, and sports-related content. |
| Streaming Media | Platforms that provide streaming audio, video, and multimedia content, including music, movies, TV shows, podcasts, and live streams. |
| Terrorism & Hate | Websites promoting terrorism, extremism, hate speech, violence, discrimination, and radical ideologies targeting specific groups. |
| Travel | Websites related to travel planning, destinations, accommodations, transportation, tourism, travel guides, and vacation resources. |
| Vehicles | Websites focusing on automobiles, motorcycles, boats, aircraft, and other vehicles, including sales, reviews, specifications, and enthusiast content. |
| Virtual Reality | Websites related to virtual reality technology, VR experiences, VR hardware, VR software, and immersive digital environments. |
| Weapons | Websites containing information about weapons, firearms, ammunition, weapon accessories, weapon sales, and weapon use. |
| Webmail & Chat | Websites that provide email services, chat platforms, instant messaging, and online communication tools. |
Dynamic Filters
Dynamic filters are threat-intelligence-driven categories that CyberFOX continuously updates to protect against emerging security risks. These categories are strongly recommended for all policies.
| Category | Description |
|---|---|
| Botnet | Websites associated with botnet activity, command and control servers, malicious automated networks, and botnet infrastructure. |
| Cryptomining | Websites related to cryptocurrency mining, including mining pools, mining software, mining hardware, and unauthorized cryptojacking. |
| Malware | Websites that host or distribute malicious software, including viruses, trojans, ransomware, spyware, and other harmful programs. |
| New Domains | Recently registered domain names and new websites that have not yet been categorized or have a limited history. |
| Phishing & Deception | Websites designed to deceive users and steal sensitive information, including phishing sites, fraudulent websites, scams, and social engineering attempts. |
| Proxy & Filter Avoidance | Websites that provide tools, services, or information for bypassing security measures, content filters, and access restrictions. |
| Translation | Websites offering language translation services, tools, and resources for converting text or websites from one language to another. |
| CyberFOX Labs – Security Team | Sites that the CyberFOX Security teams believe to be possibly harmful for businesses and customers. |
Privacy Domains
Privacy domain categories help administrators control tracking, advertising, and uncategorized web traffic. These filters provide an additional privacy layer beyond standard content filtering.
| Category | Description |
|---|---|
| Advertising | Websites related to online advertising, ad networks, marketing campaigns, ad technology, and advertising services. |
| Content Servers (CDNs) | Websites and servers that deliver content, including Content Delivery Networks (CDNs), static content hosts, and resource distribution systems. |
| New Domains | Recently registered domain names and new websites that have not yet been categorized or have a limited history. |
| Parked Sites & Domains | Domain names that are registered but not actively used for content, often displaying placeholder pages, ads, or domain-for-sale notices. |
| Uncategorized | Websites that have not yet been classified into specific categories or do not fit clearly into existing category definitions. |
Advanced Use Cases
Validating CIPA Compliance Policies
If your organization requires CIPA (Children's Internet Protection Act) compliance—such as schools or libraries—use the test domains for Adult Content, Gambling, Drugs, Weapons, Terrorism & Hate, and Hacking & Cracking to confirm all mandated categories are actively blocked. Remember to verify enforcement through Query Logs, not just browser output.
Verifying Agent vs. Network-Level Filtering
If you deploy both the CyberFOX DNS Agent on endpoints and network-level DNS filtering at the router/firewall:
- Test from a device with the agent installed to confirm device-level policy enforcement.
- Test from a device without the agent (but on the filtered network) to confirm network-level policy enforcement.
- Compare results to ensure there are no policy conflicts or gaps.
- Use Query Logs filtered by device or location to compare enforcement behavior side by side.
Best Practices
- Test after every policy change. Always verify your filtering policy after making modifications to ensure categories are blocked or allowed as intended.
- Use test domains instead of live sites. Test domains provide a safe, consistent way to validate filtering without exposing users to potentially harmful or inappropriate content.
- Verify through Query Logs, not just the browser. Visual confirmation in the browser is not a reliable indicator on its own. Always confirm enforcement through Query Logs or the Visibility Report in the CyberFOX Portal.
- Include test domains in your onboarding checklist. When deploying CyberFOX DNS Filter to a new site, device, or customer, include a test step using at least 2–3 test domains to confirm proper DNS configuration and policy enforcement.
- Document your test results. Keep a record of which categories were tested, from which device or location, and the result (blocked or allowed) for audit and compliance purposes.
- Enable all Dynamic Filters. Categories such as Botnet, Malware, Phishing & Deception, and Cryptomining are threat-driven and should be blocked in every policy to maintain baseline security.
- Review Privacy Domains settings. Blocking Advertising and Parked Sites & Domains can improve user experience and reduce exposure to low-quality or deceptive content.
- Set clear expectations with end users. Inform users that block pages may not appear for all blocked websites. For HTTPS/HSTS sites, a browser security warning is expected and still indicates the site is blocked.
Troubleshooting
Test domain loads normally when it should be blocked
If the test domain website loads normally (no block page, no security warning, no connection error), the domain is likely not being filtered. This indicates a configuration or DNS path issue.
- Confirm the domain is blocked in logs. Open the CyberFOX Portal and check Query Logs or the Visibility Report. If the domain does not appear as blocked, the issue is upstream of the browser.
- Check for DNS bypass (DoH). The most common cause of sites loading when they should be blocked is Secure DNS (DNS over HTTPS) in the browser, which bypasses CyberFOX filtering entirely. Disable it in each browser:
  - Chrome / Edge: Settings → Privacy and Security → Security → Use secure DNS → set to Off or With your current service provider.
  - Firefox: Settings → Network Settings → Enable DNS over HTTPS → Off (or set `about:config` → `network.trr.mode=5`).
  - Safari (macOS): System Settings → Network → Details → Advanced → remove any DoH/DoT entries; confirm CyberFOX resolvers are in use.
  - OS-level Secure DNS (Windows 11 / Android / iOS): Disable or ensure it uses CyberFOX profiles.
- Verify the policy assignment. Confirm the correct policy is assigned to the device or location you are testing from. Navigate to Policies in the CyberFOX Portal and check the assignment.
- Check the category status. Ensure the category is set to Block (not Allow or Log Only) in the active policy.
- Confirm DNS is pointing to CyberFOX. Run `nslookup` against a test domain to verify the DNS response is coming from CyberFOX resolvers:
  `nslookup ADULT_CONTENT_URL`
  If the response does not come from CyberFOX DNS servers, the device may be using a different DNS resolver (e.g., ISP default, Google, Cloudflare).
- Check for DNS caching. Clear the local DNS cache on the device and try again:
  - Windows: `ipconfig /flushdns`
  - macOS: `sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder`
  - Linux: `sudo systemd-resolve --flush-caches`
- Check for VPN or proxy interference. If the device is connected to a VPN or using a web proxy, DNS queries may bypass CyberFOX filtering entirely.
- Use the Guided Assistance Wizard. In the CyberFOX Portal, navigate to the Troubleshooting page and launch the Guided Assistance Wizard for the affected device or location. This tool walks through configuration validation step by step.
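A resolver-path check for the `nslookup` step above, as an added example that is not CyberFOX tooling or part of the original article: it reads `nslookup` output in either the Linux/macOS or the Windows layout, extracts the resolver that answered, and emits one CSV record per test for your test log. The resolver addresses are RFC 5737 placeholders and `category-test.example` is a constructed domain; substitute the resolver addresses and test domain for your account.

```shell
#!/bin/sh
# Added example (not CyberFOX tooling): confirm which resolver answered nslookup.
# ASSUMPTION: the addresses below are RFC 5737 placeholders; replace them with
# the resolver addresses listed for your account in the portal.
EXPECTED_RESOLVERS="192.0.2.53 192.0.2.54"

# Constructed sample of Linux/macOS nslookup output, used when no domain is given.
SAMPLE_OUTPUT='Server:   192.0.2.53
Address:  192.0.2.53#53

Non-authoritative answer:
Name:     category-test.example
Address:  203.0.113.10'

# The first "Address:" line in nslookup output is the resolver that answered.
# Linux/macOS append "#53" to it; Windows prints the bare address.
resolver_of() {
    printf '%s\n' "$1" | tr -d '\r' |
        awk '/^Address:/ { sub(/#.*/, "", $2); print $2; exit }'
}

# Later "Address:" / "Addresses:" lines belong to the answer; print the first.
answer_of() {
    printf '%s\n' "$1" | tr -d '\r' |
        awk '/^Address(es)?:/ { n++; if (n > 1) { print $2; exit } }'
}

# Print "expected" (status 0) when the resolver is on the list, otherwise
# "unexpected" (status 1): ISP default, public resolver, VPN or proxy DNS.
check_path() {
    for want in $EXPECTED_RESOLVERS; do
        if [ "$1" = "$want" ]; then
            echo expected
            return 0
        fi
    done
    echo unexpected
    return 1
}

# One CSV record per test: domain,resolver,verdict,first-answer.
record_line() {
    resolver=$(resolver_of "$2")
    answer=$(answer_of "$2")
    verdict=$(check_path "$resolver") || true
    printf '%s,%s,%s,%s\n' "$1" "${resolver:-none}" "$verdict" "${answer:-none}"
}

# With a domain argument, query live; without one, use the constructed sample.
if [ $# -gt 0 ]; then
    record_line "$1" "$(nslookup "$1" 2>&1)"
else
    record_line "category-test.example" "$SAMPLE_OUTPUT"
fi
```

An `unexpected` verdict points at the DNS path (DHCP settings, VPN, or a hard-coded resolver), not at the policy; an `expected` verdict still needs the block confirmed in Query Logs.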
Browser shows a security warning instead of a block page
This is expected behavior for HTTPS and HSTS-enabled websites and does not indicate a failure in DNS Filtering. The domain is still being blocked before the website loads—the difference is how the browser presents the result based on certificate trust and HTTPS enforcement.
- Why this happens: DNS Filtering redirects blocked domains to a block page service. For HTTPS connections, the browser expects the certificate to match the original domain. Because the block page presents a different certificate, the browser rejects it and displays a security warning (e.g., "Your connection is not private"). HSTS enforcement makes this behavior strict and non-bypassable.
- To display block pages on HTTPS sites: Install the CyberFOX Root CA certificate on the device. If the DNS Filtering Agent is deployed, the Root CA certificate is installed automatically during agent installation. See: Installing the Root CA Certificate for HTTPS Block Pages
- Even with the Root CA installed, some sites with strict HSTS enforcement may still show a browser warning. This is by design and is a sign of correct security posture.
- Confirm enforcement through logs. If the domain appears as blocked in Query Logs or the Visibility Report, DNS Filtering is working as intended regardless of what the browser displays.
For a detailed explanation, see: Why Block Pages Do Not Appear on Some Websites (HTTPS / HSTS)
Test domain shows a block page when it should be allowed
- Check for overlapping policies. If multiple policies are assigned, a higher-priority policy may be blocking the category. Review the policy priority order in the CyberFOX Portal. See: Filtering Policies: Common Issues and Fixes
- Check Dynamic Filters. Some categories (e.g., New Domains) appear in both Dynamic Filters and Privacy Domains. Ensure you are checking the correct filter group.
- Review Domain Overrides. A domain override may be applying a block rule that supersedes the policy category setting.
Behavior differs across devices or locations
- Validate deployment type. Distinguish between location-based filtering (router/firewall/DHCP) and roaming device filtering (agent or DoH profile). These use different DNS paths and policies may differ.
- Check agent status. For roaming devices, confirm the agent is running, check its last check-in time, and verify the assigned policy in the Portal's Troubleshooting page.
- Test across conditions. Try a different browser, a different device, and compare HTTP vs. HTTPS behavior to isolate the variable.
Security & Sync Behavior
- Policy changes propagate in near real time. After saving a policy change in the CyberFOX Portal, allow up to 60 seconds for the change to take effect across all assigned devices and locations.
- Agent-based enforcement takes priority. When the CyberFOX DNS Agent is installed on a device, the agent-level policy overrides any network-level DNS filtering policy for that device.
- Dynamic Filter categories are updated continuously. The threat intelligence behind Botnet, Malware, Phishing & Deception, and other dynamic categories is updated in real time by the CyberFOX security team. Test domains for these categories confirm whether the filter type is enabled, not whether a specific real-world threat is blocked.
- DNS Filtering does not decrypt HTTPS traffic. CyberFOX DNS Filtering operates as a non-intercepting security control at the DNS layer. It does not perform SSL inspection, impersonate destination certificates, or introduce man-in-the-middle behavior. This aligns with modern security principles and avoids weakening encryption protections.
Related Articles
- Quickstart Guide
- Creating Custom Categories
- Creating Custom Policies
- Configuring Block Pages
- Installing the Root CA Certificate for HTTPS Block Pages
- Why Block Pages Do Not Appear on Some Websites (HTTPS / HSTS)
- Configuring Domain Overrides
- Filtering Policies: Common Issues and Fixes
- DNS Filtering Troubleshooting Guide
- Query Logs: Viewing and Filtering DNS Requests
- DNS Filtering: Using the Visibility Report