Blocklists & Filtering
VeloGuardian DNS uses a layered filtering system: blocklists provide domain lists, categories organize them, profiles define what to block for each client, and rules override everything.
How filtering works
When a DNS query arrives:
- Local DNS records are checked first (they always take priority)
- Allow rules in the client’s profile are checked — if the domain is allowed, it passes through
- The domain is looked up in the filter index (built from all enabled blocklists)
- If found, the domain’s categories are compared against the client’s profile’s blocked categories
- Deny rules force a block regardless of category matching
- If not blocked, the query goes to the upstream DNS server
Blocklists
Blocklists are external domain lists that the appliance downloads and indexes. Manage them from Filtering > Blocklists in the sidebar.
Built-in blocklists
| Blocklist | Focus | Format |
|---|---|---|
| Steven Black Unified | Ads, trackers, malware, fakenews | hosts |
| OISD Small | Ads, tracking, telemetry | domains |
| Phishing Army Extended | Phishing domains | domains |
| URLhaus Malware Filter | Active malware distribution | domains |
Adding a blocklist
Click Add Blocklist and fill in:
| Field | Description |
|---|---|
| Name | Display name for the blocklist |
| URL | Direct download URL for the list file |
| Format | hosts (IP + domain pairs), domains (one per line), or adblock (Adblock Plus syntax) |
| Categories | Which filtering categories this list applies to (multi-select) |
| Enabled | Whether the list is active |
After adding, click Update Now to download immediately, or wait for the scheduled update (default: daily at 4 AM).
Blocklist formats
| Format | Description | Example line |
|---|---|---|
| hosts | Standard hosts file — IP followed by domain | 0.0.0.0 ads.example.com |
| domains | One domain per line, no IP | ads.example.com |
| adblock | Adblock Plus filter syntax | \|\|ads.example.com^ |
Lines starting with # or ! are treated as comments in all formats.
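A parser for the three formats above, as an added example (not VeloGuardian's own code). It assumes trailing `#` comments are dropped, that only plain `||domain^` Adblock rules become block entries (exceptions, option rules and cosmetic rules are skipped), and that self-referential hosts entries are ignored; all sample inputs are constructed.

```python
import re

# Syntactic hostname check: dot-separated labels ending in a TLD that starts with a letter.
_DOMAIN = re.compile(
    r"(?=.{4,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{1,62}")
# Plain Adblock Plus domain rule: ||domain^ with no options, paths or wildcards.
_ADBLOCK = re.compile(r"\|\|([^\^/*$]+)\^")
# Self-referential names that hosts files carry and a filter index should not.
_HOSTS_SELF = {"localhost.localdomain"}


def parse_blocklist(text, fmt):
    """Return the set of lower-cased domains in `text` (fmt: hosts, domains, adblock)."""
    if fmt not in ("hosts", "domains", "adblock"):
        raise ValueError(f"unknown blocklist format: {fmt!r}")
    found = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":              # comment lines, all formats
            continue
        if fmt == "adblock":
            m = _ADBLOCK.fullmatch(line)             # skips @@ exceptions, $options, ## rules
            candidates = [m.group(1)] if m else []
        else:
            fields = line.split("#", 1)[0].split()   # assumption: drop trailing comments
            candidates = fields[1:] if fmt == "hosts" else fields[:1]
        for cand in candidates:
            name = cand.rstrip(".").lower()
            if _DOMAIN.fullmatch(name) and name not in _HOSTS_SELF:
                found.add(name)
    return found


# Constructed sample inputs, one per format.
HOSTS = ("# sample\n127.0.0.1 localhost\n0.0.0.0 0.0.0.0\n"
         "0.0.0.0 ads.example.com\n0.0.0.0 Tracker.Example.net # note\n")
DOMAINS = "# sample\nads.example.com\nnot a domain\n-bad-.example.com\n"
ADBLOCK = ("! sample\n||ads.example.com^\n@@||cdn.example.com^\n"
           "||t.example.org^$third-party\nexample.com##.banner\n")

if __name__ == "__main__":
    for fmt, text in (("hosts", HOSTS), ("domains", DOMAINS), ("adblock", ADBLOCK)):
        print(fmt, sorted(parse_blocklist(text, fmt)))
```

Skipping `@@` exception rules matters when a list is declared as adblock: treating them as ordinary entries would block the very domains the list author meant to exempt.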
Update schedule
Blocklists are re-downloaded and the filter index is rebuilt on a cron schedule. The default is 0 4 * * * (daily at 4 AM). Change this under Settings > Blocklist Update Schedule.
Categories
VeloGuardian DNS uses the VeloGuardian Argos classification standard: 75 categories organized into 13 groups. The same taxonomy is shared across every VeloGuardian product, so categorizations stay consistent if you ever mix the DNS appliance with VeloGuardian VPN or other VeloGuardian network tools.
| Group | Example categories |
|---|---|
| Security Threats | Malware, Phishing, Botnet, Cryptojacking, Spam |
| Privacy & Anonymity | VPN, Proxy, Tor, Web Anonymizer |
| Illegal & Harmful | Hacking Tools, Terrorism, Extremism, Weapons |
| Adult Content | Pornography, Nudity, Dating |
| Lifestyle & Vices | Gambling, Alcohol, Tobacco, Cannabis |
| Media & Entertainment | Streaming Video, Gaming, Social Media, News |
| Communication & Collaboration | Email, Messaging, Video Conferencing, Forums |
| Business & Finance | Banking, Trading, Cryptocurrency, Government |
| Education & Reference | Schools, Health, Research |
| Technology & Infrastructure | Search Engines, Advertising, Analytics, Cloud Services |
| File Sharing | Cloud Storage, File Transfer, Peer-to-Peer |
| Shopping & Services | E-commerce, Travel, Food Delivery |
| Uncategorized | Entries not yet classified |
Browse all categories under Filtering > Categories. Each category shows how many domains are indexed under it. Groups and categories are rendered in the order the API returns them — server-side display_order — so the layout matches what you see in this guide.
Categories are read-only — they come from the built-in taxonomy. You assign blocklists to categories when adding or editing a blocklist, and block categories per profile.
Profiles
Profiles define what gets blocked for which clients. Each profile has a set of blocked categories, optional custom rules, and optional time-based schedules.
Manage profiles under Filtering > Profiles.
Default profile
The default profile applies to any client that isn’t explicitly mapped to another profile. It’s created automatically on first boot and cannot be deleted.
Creating a profile
Click Add Profile and configure:
| Field | Description |
|---|---|
| Name | Unique name (e.g., “Kids”, “Office”, “Guest”) |
| Is Default | Make this the default for unmapped clients (only one can be default) |
| Filtering Enabled | Master toggle — if off, no filtering for this profile |
| Blocked Categories | Select which categories to block (multi-select grouped grid) |
Assigning clients to profiles
Under Filtering > Clients, map devices to profiles:
| Match type | Description | Example |
|---|---|---|
| IP | Single IP address | 192.168.1.100 |
| Subnet | CIDR block | 192.168.1.0/24 |
| MAC | MAC address | AA:BB:CC:DD:EE:FF |
| Hostname | Device name | johns-laptop |
| IP range | IP address range | 192.168.1.100-192.168.1.200 |
Resolution order: exact IP match first, then CIDR subnets (first match wins), then the default profile.
Allow/deny rules
Each profile can have per-domain rules that override blocklist decisions:
- Allow — the domain is always permitted, even if it matches a blocklist
- Deny — the domain is always blocked, even if it doesn’t match any blocklist
Manage rules by expanding a profile on the Profiles page and using the Custom Rules section.
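The client resolution order and the query evaluation order from "How filtering works", combined in one added example (a model for reasoning about precedence, not the appliance's code). The data layout, the profile named "Default" as the default, and exact-name matching for rules and index entries are assumptions; all sample values are constructed.

```python
import ipaddress

# Constructed sample configuration (not taken from a real appliance).
PROFILES = {
    "Default": {"blocked": {"Malware", "Phishing"}, "allow": set(), "deny": set()},
    "Kids": {"blocked": {"Malware", "Gaming"}, "allow": {"games.example.org"},
             "deny": {"chat.example.net"}},
}
IP_MAP = {"192.168.1.100": "Kids"}                  # exact IP mappings
SUBNET_MAP = [("192.168.1.0/24", "Default"),        # ordered: first match wins
              ("192.168.0.0/16", "Kids")]
LOCAL_RECORDS = {"nas.home.lan": "192.168.1.10"}
FILTER_INDEX = {"games.example.org": {"Gaming"}, "bad.example.com": {"Malware"}}


def resolve_profile(client_ip):
    """Exact IP first, then CIDR subnets in order, then the default profile."""
    addr = ipaddress.ip_address(client_ip)
    if str(addr) in IP_MAP:
        return IP_MAP[str(addr)]
    for cidr, name in SUBNET_MAP:
        if addr in ipaddress.ip_network(cidr):
            return name
    return "Default"


def decide(client_ip, qname):
    """Return (verdict, reason) using the evaluation order listed on this page."""
    name = qname.rstrip(".").lower()
    profile = PROFILES[resolve_profile(client_ip)]
    if name in LOCAL_RECORDS:                        # 1. local records
        return "local", "local DNS record"
    if name in profile["allow"]:                     # 2. allow rules
        return "forward", "allow rule"
    hit = FILTER_INDEX.get(name, set()) & profile["blocked"]
    if hit:                                          # 3-4. index lookup + categories
        return "block", "category " + ", ".join(sorted(hit))
    if name in profile["deny"]:                      # 5. deny rules
        return "block", "deny rule"
    return "forward", "upstream"                     # 6. upstream resolver
```

Because allow rules are evaluated before the filter index, an allow entry also lets through a domain listed under Security Threats categories for every client on that profile, so allow lists deserve periodic review.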
Time-based schedules
Override a profile’s blocked categories during specific time windows. For example, block social media during work hours but allow it in the evening.
Each schedule entry has:
| Field | Description |
|---|---|
| Name | Optional label (e.g., “Work hours”) |
| Days | Days of the week this schedule applies |
| Start time | Start time in 24h format (HH:MM) |
| End time | End time in 24h format (HH:MM) |
| Blocked categories | Categories to block during this window (can differ from the base profile) |
| Active | Toggle the schedule on/off |
Overnight schedules are supported — if the start time is after the end time (e.g., 22:00–06:00), the schedule spans midnight.
When multiple schedules apply to the same time window, the first match wins.
Manage schedules by expanding a profile on the Profiles page and using the Schedules section.
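How overnight windows and first-match-wins interact, as an added example rather than the appliance's code. It assumes the start time is inclusive and the end time exclusive, and that an overnight entry's Days refer to the day the window starts (so a Thursday 22:00–06:00 entry still applies at 05:00 on Friday); the page does not specify either. The schedules are constructed.

```python
from datetime import datetime, time

# Constructed sample schedules, in evaluation order.
SCHEDULES = [
    {"name": "Bedtime", "days": {"Sun", "Mon", "Tue", "Wed", "Thu"},
     "start": "22:00", "end": "06:00", "active": True,
     "blocked": {"Gaming", "Streaming Video", "Social Media"}},
    {"name": "Work hours", "days": {"Mon", "Tue", "Wed", "Thu", "Fri"},
     "start": "09:00", "end": "17:00", "active": True,
     "blocked": {"Social Media"}},
]
DAY_NAMES = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def in_window(entry, now):
    """True if `now` (a datetime) falls inside the schedule entry's window."""
    start = time.fromisoformat(entry["start"])       # "HH:MM" -> datetime.time
    end = time.fromisoformat(entry["end"])
    t = now.time()
    today = DAY_NAMES[now.weekday()]
    yesterday = DAY_NAMES[(now.weekday() - 1) % 7]
    if start <= end:                                 # same-day window
        return today in entry["days"] and start <= t < end
    # Overnight: the evening part runs today, the morning part belongs to
    # the window that started yesterday (assumption, see lead-in).
    return ((today in entry["days"] and t >= start)
            or (yesterday in entry["days"] and t < end))


def effective_blocked(base_blocked, schedules, now):
    """Return (schedule name or None, blocked categories in force at `now`)."""
    for entry in schedules:                          # first match wins
        if entry["active"] and in_window(entry, now):
            return entry["name"], entry["blocked"]
    return None, base_blocked


if __name__ == "__main__":
    base = {"Malware", "Phishing"}
    for stamp in ("2024-01-01 23:30", "2024-01-05 05:59", "2024-01-06 02:00"):
        print(stamp, effective_blocked(base, SCHEDULES, datetime.fromisoformat(stamp)))
```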
Filtering examples
Block ads and malware for everyone
- Edit the default profile
- Check the Advertising, Malware, Phishing, and Spam URLs categories
- Save — all devices on your network are now protected
Restrict kids’ devices
- Create a profile called “Kids”
- Block adult content, gaming, social media, and streaming categories
- Under Clients, add each child’s device IP mapped to the “Kids” profile
- Add a schedule: allow streaming on weekends (Sat/Sun 09:00–21:00) by removing the streaming category from the schedule’s blocked list
Allow a specific domain that’s incorrectly blocked
- Find which profile the affected device uses
- Expand that profile on the Profiles page
- Under Custom Rules, add the domain with action Allow
- The domain is immediately unblocked for all clients using that profile