Blocklists & Filtering
VeloGuardian DNS uses a layered filtering system: blocklists provide domain lists, categories organize them, profiles define what to block for each client, and rules override everything.
How filtering works
When a DNS query arrives:
- Local DNS records are checked first (they always take priority)
- Allow rules in the client’s profile are checked — if the domain is allowed, it passes through
- The domain is looked up in the filter index (built from all enabled blocklists)
- If found, the domain’s categories are compared against the client’s profile’s blocked categories
- Deny rules force a block regardless of category matching
- If not blocked, the query goes to the upstream DNS server
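The evaluation order above, written out as an added example (not VeloGuardian's own code). The `Profile` class, `decide`, `audit_allow_rules`, the sample data and exact-name matching are all assumptions made for illustration. Because Allow rules are checked before the filter index, the audit helper lists Allow rules that bypass a security-category listing.

```python
from dataclasses import dataclass, field

@dataclass
class Profile:
    blocked_categories: set
    allow: set = field(default_factory=set)  # per-domain Allow rules
    deny: set = field(default_factory=set)   # per-domain Deny rules

# Constructed sample data (not taken from a real appliance).
LOCAL_RECORDS = {"nas.home.arpa"}
FILTER_INDEX = {  # domain -> categories contributed by enabled blocklists
    "ads.example.com": {"Advertising"},
    "malware.example.net": {"Malware"},
    "video.example.org": {"Streaming Media"},
}
SECURITY = frozenset({"Malware", "Phishing", "Botnet", "Spam URLs"})

def decide(domain, profile, local_records=LOCAL_RECORDS, index=FILTER_INDEX):
    """Return (action, reason) for one query, in the order the steps are listed."""
    name = domain.rstrip(".").lower()  # exact-name matching is an assumption
    if name in local_records:                                  # step 1
        return ("answer_local", "local record")
    if name in profile.allow:                                  # step 2
        return ("forward", "allow rule")
    hit = index.get(name, set()) & profile.blocked_categories  # steps 3-4
    if hit:
        return ("block", "category " + ",".join(sorted(hit)))
    if name in profile.deny:                                   # step 5
        return ("block", "deny rule")
    return ("forward", "upstream")                             # step 6

def audit_allow_rules(profile, index=FILTER_INDEX, sensitive=SECURITY):
    """List Allow rules that override a security-category listing."""
    return sorted(d for d in profile.allow if index.get(d, set()) & sensitive)
```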
Blocklists
Blocklists are external domain lists that the appliance downloads and indexes. Manage them from Filtering > Blocklists in the sidebar.
Built-in blocklists
| Blocklist | Focus | Format |
|---|---|---|
| Steven Black Unified | Ads, trackers, malware, fakenews | hosts |
| OISD Small | Ads, tracking, telemetry | domains |
| Phishing Army Extended | Phishing domains | domains |
| URLhaus Malware Filter | Active malware distribution | domains |
Adding a blocklist
Click Add Blocklist and fill in:
| Field | Description |
|---|---|
| Name | Display name for the blocklist |
| URL | Direct download URL for the list file |
| Format | hosts (IP + domain pairs), domains (one per line), or adblock (Adblock Plus syntax) |
| Categories | Which filtering categories this list applies to (multi-select) |
| Enabled | Whether the list is active |
After adding, click Update Now to download immediately, or wait for the scheduled update (default: daily at 4 AM).
Blocklist formats
| Format | Description | Example line |
|---|---|---|
| hosts | Standard hosts file — IP followed by domain | 0.0.0.0 ads.example.com |
| domains | One domain per line, no IP | ads.example.com |
| adblock | Adblock Plus filter syntax | \|\|ads.example.com^ |
Lines starting with # or ! are treated as comments in all formats.
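A parser for the three formats, as an added example (not the appliance's own parser). The function names and sample lists are constructed. It makes three assumptions the page does not state: trailing `#` comments are stripped, only plain `||domain^` Adblock rules are indexed, and single-label or IP-looking names are rejected.

```python
import re

LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
DOMAIN_RE = re.compile(rf"{LABEL}(?:\.{LABEL})+")
ADBLOCK_RE = re.compile(r"\|\|([^\^/*$]+)\^")  # plain ||domain^ rules only

def parse_line(line, fmt):
    """Return the normalized domain on one blocklist line, or None to skip it."""
    line = line.strip()
    if not line or line[0] in "#!":             # comment in every format
        return None
    if fmt == "hosts":
        fields = line.split("#", 1)[0].split()  # drop inline comment (assumption)
        candidate = fields[1] if len(fields) >= 2 else ""
    elif fmt == "domains":
        candidate = line.split("#", 1)[0].strip()
    elif fmt == "adblock":
        m = ADBLOCK_RE.fullmatch(line)          # options, paths, @@ exceptions skipped
        candidate = m.group(1) if m else ""
    else:
        raise ValueError(f"unknown blocklist format: {fmt}")
    candidate = candidate.rstrip(".").lower()
    # Reject single labels (localhost) and IP-looking names (0.0.0.0).
    if not DOMAIN_RE.fullmatch(candidate) or candidate.rsplit(".", 1)[-1].isdigit():
        return None
    return candidate

def parse_blocklist(text, fmt):
    """Parse a whole list file into a set of domains."""
    return {d for d in (parse_line(l, fmt) for l in text.splitlines()) if d}

# Constructed samples, one per format.
HOSTS_SAMPLE = """# constructed hosts list
127.0.0.1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.com
0.0.0.0 Tracker.Example.NET  # inline note
"""
DOMAINS_SAMPLE = "# constructed\nads.example.com\nnot a domain\n\nphish.example.org\n"
ADBLOCK_SAMPLE = """! constructed adblock list
||ads.example.com^
||cdn.example.net^$third-party
@@||good.example.com^
example.org##.banner
"""
```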
Update schedule
Blocklists are re-downloaded and the filter index is rebuilt on a cron schedule. The default is 0 4 * * * (daily at 4 AM). Change this under Settings > Blocklist Update Schedule.
Categories
VeloGuardian DNS includes 90+ filtering categories based on the FortiGuard FTGD taxonomy, organized into groups:
| Group | Example categories |
|---|---|
| Security | Malware, Phishing, Botnet, Spam URLs |
| Adult | Pornography, Explicit Violence, Nudity |
| Bandwidth | Streaming Media, Peer-to-Peer, File Sharing |
| Productivity | Social Media, Gaming, Web Chat |
| General Interest | News, Sports, Entertainment, Shopping |
| Business | Finance, IT, Cloud Applications |
Browse all categories under Filtering > Categories. Each category shows how many domains are indexed under it.
Categories are read-only — they come from the built-in FTGD taxonomy. You assign blocklists to categories when adding or editing a blocklist, and block categories per profile.
Profiles
Profiles define what gets blocked for which clients. Each profile has a set of blocked categories, optional custom rules, and optional time-based schedules.
Manage profiles under Filtering > Profiles.
Default profile
The default profile applies to any client that isn’t explicitly mapped to another profile. It’s created automatically on first boot and cannot be deleted.
Creating a profile
Click Add Profile and configure:
| Field | Description |
|---|---|
| Name | Unique name (e.g., “Kids”, “Office”, “Guest”) |
| Is Default | Make this the default for unmapped clients (only one can be default) |
| Filtering Enabled | Master toggle — if off, no filtering for this profile |
| Blocked Categories | Select which categories to block (multi-select grouped grid) |
Assigning clients to profiles
Under Filtering > Clients, map devices to profiles:
| Match type | Description | Example |
|---|---|---|
| IP | Single IP address | 192.168.1.100 |
| Subnet | CIDR block | 192.168.1.0/24 |
| MAC | MAC address | AA:BB:CC:DD:EE:FF |
| Hostname | Device name | johns-laptop |
| IP range | IP address range | 192.168.1.100-192.168.1.200 |
Resolution order: exact IP match first, then CIDR subnets (first match wins), then the default profile.
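The resolution order above as an added example (not the appliance's code). `resolve_profile`, the mapping tuples and the profile names are constructed, and "first match" is assumed to mean the order in which the subnet mappings are configured. The sample shows that subnet matching is first-match rather than longest-prefix.

```python
import ipaddress

# Constructed mappings in configured order: (match_type, value, profile).
MAPPINGS = [
    ("subnet", "192.168.1.0/24", "Office"),
    ("subnet", "192.168.1.0/25", "Kids"),   # more specific, but listed second
    ("ip", "192.168.1.100", "Guest"),
]

def resolve_profile(client_ip, mappings=MAPPINGS, default="Default"):
    """Pick a profile: exact IP, then subnets in order, then the default."""
    addr = ipaddress.ip_address(client_ip)
    # Pass 1: an exact IP mapping beats every subnet, wherever it is listed.
    for kind, value, profile in mappings:
        if kind == "ip" and ipaddress.ip_address(value) == addr:
            return profile
    # Pass 2: the first subnet that contains the address wins.
    for kind, value, profile in mappings:
        if kind == "subnet" and addr in ipaddress.ip_network(value, strict=False):
            return profile
    # Pass 3: unmapped clients fall through to the default profile.
    return default
```

With these mappings, 192.168.1.10 resolves to "Office" even though the /25 entry is more specific, so overlapping subnets need to be ordered deliberately.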
Allow/deny rules
Each profile can have per-domain rules that override blocklist decisions:
- Allow — the domain is always permitted, even if it matches a blocklist
- Deny — the domain is always blocked, even if it doesn’t match any blocklist
Manage rules by expanding a profile on the Profiles page and using the Custom Rules section.
Time-based schedules
Override a profile’s blocked categories during specific time windows. For example, block social media during work hours but allow it in the evening.
Each schedule entry has:
| Field | Description |
|---|---|
| Name | Optional label (e.g., “Work hours”) |
| Days | Days of the week this schedule applies |
| Start time | Start time in 24h format (HH:MM) |
| End time | End time in 24h format (HH:MM) |
| Blocked categories | Categories to block during this window (can differ from the base profile) |
| Active | Toggle the schedule on/off |
Overnight schedules are supported — if the start time is after the end time (e.g., 22:00–06:00), the schedule spans midnight.
When multiple schedules apply to the same time window, the first match wins.
Manage schedules by expanding a profile on the Profiles page and using the Schedules section.
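Schedule evaluation with an overnight window, as an added example (not the appliance's code). The dict layout, function names and sample profile are constructed. Two assumptions are made where the page is silent: the end time is exclusive, and the after-midnight part of an overnight window belongs to the day on which the window started.

```python
from datetime import datetime, time

def window_matches(sched, now):
    """True if `now` falls inside the schedule's day/time window."""
    start, end, t = sched["start"], sched["end"], now.time()
    today = now.weekday()                    # Monday == 0
    if start <= end:                         # same-day window
        return today in sched["days"] and start <= t < end
    # start > end: the window spans midnight.
    if t >= start:                           # evening part, on the listed day
        return today in sched["days"]
    if t < end:                              # morning part, owned by the previous day
        return (today - 1) % 7 in sched["days"]
    return False

def effective_blocked(profile, now):
    """Categories blocked at `now`: first active matching schedule, else the base set."""
    for sched in profile["schedules"]:       # configured order, first match wins
        if sched["active"] and window_matches(sched, now):
            return sched["blocked"]
    return profile["blocked"]

# Constructed profile: weekend streaming allowed, stricter set on school nights.
KIDS = {
    "blocked": {"Streaming Media", "Gaming", "Social Media"},
    "schedules": [
        {"name": "Weekend streaming", "days": {5, 6}, "active": True,
         "start": time(9, 0), "end": time(21, 0),
         "blocked": {"Gaming", "Social Media"}},
        {"name": "School nights", "days": {0, 1, 2, 3, 4}, "active": True,
         "start": time(22, 0), "end": time(6, 0),
         "blocked": {"Streaming Media", "Gaming", "Social Media", "Web Chat"}},
    ],
}
```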
Filtering examples
Block ads and malware for everyone
- Edit the default profile
- Check the Advertising, Malware, Phishing, and Spam URLs categories
- Save — all devices on your network are now protected
Restrict kids’ devices
- Create a profile called “Kids”
- Block adult content, gaming, social media, and streaming categories
- Under Clients, add each child’s device IP mapped to the “Kids” profile
- Add a schedule: allow streaming on weekends (Sat/Sun 09:00–21:00) by removing the streaming category from the schedule’s blocked list
Allow a specific domain that’s incorrectly blocked
- Find which profile the affected device uses
- Expand that profile on the Profiles page
- Under Custom Rules, add the domain with action Allow
- The domain is immediately unblocked for all clients using that profile