What is a Denylist?

The networking and security industry has been shifting away from "blacklist/whitelist" terminology toward more descriptive, inclusive alternatives:

• Blacklist → Blocklist / Denylist: A list of items that are denied or blocked
• Whitelist → Allowlist: A list of items that are explicitly permitted

Major organizations including NIST, Google, Apple, and Microsoft have adopted this updated terminology. The terms "blocklist" and "denylist" are more descriptive — they immediately convey what the list does without relying on color metaphors.

In CleanBrowsing's interface, you'll see both "blocklist" and "denylist" used interchangeably. Both mean the same thing: domains your filter won't resolve.

Denylists in DNS filtering work the same way regardless of what you call them. CleanBrowsing maintains denylists across 21+ content categories, plus security-focused denylists for malware, phishing, and botnet domains.

For a deeper look at how blocklists are built, maintained, and managed, see our blocklist guide. For organizations needing to integrate denylists into their own DNS infrastructure, CleanBrowsing offers an RPZ feed.

On the authoritative DNS side, NOC.org manages the DNS records that map domains to servers — while CleanBrowsing's recursive resolver enforces denylists to control which domains users can access.