How to Allowlist Domains in CleanBrowsing

Step 1: When to Use the Allowlist

The allowlist (also called a whitelist) overrides CleanBrowsing's category-based filtering for specific domains. When a domain is on your allowlist, it will always resolve normally — regardless of which content categories you have blocked.

Common reasons to allowlist a domain:

• Business applications: Microsoft 365, Google Workspace, Salesforce, Slack, Zoom, or other SaaS tools that use domains which may be miscategorized or uncategorized.
• Educational resources: Learning platforms, video hosts, or research sites that are incorrectly blocked by content filters.
• Miscategorized domains: A domain that is incorrectly classified in our database. Allowlisting fixes it immediately for your network; reporting it to us fixes it for everyone.
• CDN or infrastructure domains: Content delivery networks and authentication services that legitimate applications depend on.

Identify the Domain First

Before adding anything to the allowlist, confirm which domain is actually blocked. The blocked domain is often not the site you are visiting — it may be a CDN, authentication, or API domain loaded in the background. Use the Diagnose DNS Issues guide or check your dashboard's blocked requests log.

# Quick check: is the domain blocked by CleanBrowsing?
# Windows
nslookup suspected-domain.com 185.228.168.168

# PowerShell
Resolve-DnsName -Name suspected-domain.com -Server 185.228.168.168 -ErrorAction SilentlyContinue

# macOS / Linux
dig +short @185.228.168.168 suspected-domain.com

If the domain returns NXDOMAIN, a block page IP, or no response, it is being filtered. If it returns a normal IP address, the domain is not blocked and the issue is elsewhere.

Step 2: Add Domains via the Dashboard

The CleanBrowsing dashboard is the primary way to manage your allowlist. This requires a paid account.

1. Log into your CleanBrowsing dashboard.
2. Click on Filters in the left navigation.
3. Select Custom Allow List.
4. Enter the domain you want to allowlist (e.g., login.microsoftonline.com).
5. Click Add or Save.

Domain Format

• Exact domain: Enter teams.microsoft.com to allowlist only that specific domain.
• Subdomain coverage: Allowlisting microsoft.com will also allowlist subdomains like teams.microsoft.com and login.microsoftonline.com if they are under the same parent domain.
• Do not include protocols: Enter example.com, not https://example.com.
• Do not include paths: Enter example.com, not example.com/page. DNS filtering operates at the domain level, not the URL path level.

Adding Multiple Domains

If you need to allowlist several domains at once (common for services like Microsoft 365), add them one per line. For M365 specifically, see our Microsoft 365 troubleshooting guide for the recommended domain list.

Profile-Specific Allowlists

If you use multiple profiles (e.g., "Students" and "Staff"), note that allowlists are profile-specific. A domain allowlisted in the Staff profile will still be blocked for Students unless you add it to both profiles. This is by design — it allows you to grant access to certain resources for administrators or teachers without opening the same access for students.

Step 3: Wait for Propagation, Then Flush DNS Cache

Dashboard changes — including allowlist additions — take 30 to 45 minutes to propagate across CleanBrowsing's resolver network. On top of that, your device, browser, and operating system all cache DNS responses. If the old (blocked) response is cached locally, your device will continue using it until the cache expires.

After waiting at least 30 minutes, flush the DNS cache:

# Windows Command Prompt
ipconfig /flushdns

# PowerShell
Clear-DnsClientCache

# Verify the cache is cleared (should show "Successfully flushed")
ipconfig /flushdns

# macOS
sudo dscacheutil -flushcache
sudo killall -HUP mDNSResponder

# Linux (systemd-resolved)
sudo systemd-resolve --flush-caches

# Linux (nscd)
sudo systemctl restart nscd

Also Clear Browser DNS Cache

Browsers maintain their own DNS cache separate from the OS. After flushing the system cache:

• Chrome: Navigate to chrome://net-internals/#dns and click Clear host cache.
• Firefox: Navigate to about:networking#dns and click Clear DNS Cache.
• Edge: Navigate to edge://net-internals/#dns and click Clear host cache.
• Or simply: Close and reopen the browser. A fresh browser session starts with an empty DNS cache.

For detailed instructions, see our Clear DNS Cache in Browser guide.

Step 4: Verify the Allowlist from the Command Line

After adding the domain and flushing your cache, verify that the domain now resolves correctly through CleanBrowsing.

# Windows Command Prompt
nslookup the-allowlisted-domain.com 185.228.168.168

# PowerShell
Resolve-DnsName -Name the-allowlisted-domain.com -Server 185.228.168.168

# macOS / Linux
dig +short @185.228.168.168 the-allowlisted-domain.com

The domain should now return a valid IP address instead of NXDOMAIN or a block page IP.

Before/After Comparison Script

Use this script to verify a batch of domains after allowlisting:

# PowerShell — verify multiple allowlisted domains
$domains = @(
    "login.microsoftonline.com",
    "teams.microsoft.com",
    "outlook.office365.com"
)

foreach ($d in $domains) {
    $cb = Resolve-DnsName -Name $d -Server 185.228.168.168 -ErrorAction SilentlyContinue
    $ref = Resolve-DnsName -Name $d -Server 8.8.8.8 -ErrorAction SilentlyContinue

    $cbIP = if ($cb.IPAddress) { $cb.IPAddress[0] } else { "BLOCKED" }
    $refIP = if ($ref.IPAddress) { $ref.IPAddress[0] } else { "FAILED" }

    $status = if ($cbIP -ne "BLOCKED") { "[OK]" } else { "[BLOCKED]" }
    Write-Host "$status $d"
    Write-Host "    CleanBrowsing: $cbIP"
    Write-Host "    Reference:     $refIP"
    Write-Host ""
}

# macOS / Linux
for domain in login.microsoftonline.com teams.microsoft.com outlook.office365.com; do
    cb=$(dig +short @185.228.168.168 $domain)
    ref=$(dig +short @8.8.8.8 $domain)
    if [ -n "$cb" ]; then
        echo "[OK]      $domain"
    else
        echo "[BLOCKED] $domain"
    fi
    echo "    CleanBrowsing: ${cb:-BLOCKED}"
    echo "    Reference:     ${ref:-FAILED}"
    echo ""
done

Step 5: Allowlist Not Working?

If you have added a domain to the allowlist but it is still being blocked, work through these common causes:

1. Not Enough Time Has Passed

This is the most common cause. Dashboard changes take 30-45 minutes to propagate. If you just made the change, wait at least 30 minutes before testing. After waiting, flush both the OS and browser DNS caches (see Step 3), then test again.

# PowerShell — check if the domain is still in cache
Get-DnsClientCache | Where-Object { $_.Entry -like "*the-domain*" }

# If it appears, flush it
Clear-DnsClientCache

2. Wrong Profile

If you use multiple CleanBrowsing profiles, the allowlist is profile-specific. Verify that you added the domain to the correct profile — the one that the affected device is using.

Check which profile is active for your IP by querying the debug record:

# Windows
nslookup -type=TXT debug.test.cleanbrowsing.org 185.228.168.168

# PowerShell
Resolve-DnsName -Name debug.test.cleanbrowsing.org -Type TXT -Server 185.228.168.168

# macOS / Linux
dig TXT debug.test.cleanbrowsing.org @185.228.168.168

The response includes your active profile name. Make sure the allowlist entry is in this profile.

3. Subdomain Not Covered

If you allowlisted microsoft.com but the blocked domain is aadcdn.msftauth.net, the allowlist does not cover it — they are different root domains. You need to allowlist each distinct root domain separately.

4. Device Not Using CleanBrowsing

The device may have been reconfigured, or another service is overriding DNS. Verify that the device is actually sending queries to CleanBrowsing:

# Windows
ipconfig /all | findstr "DNS Servers"

# PowerShell
Get-DnsClientServerAddress -AddressFamily IPv4

# macOS
scutil --dns | grep nameserver

# Linux
cat /etc/resolv.conf

If CleanBrowsing IPs are not listed, the device is using a different DNS resolver and the allowlist has no effect.

5. Browser DNS-over-HTTPS Is Active

If the browser has DNS-over-HTTPS (DoH) enabled, it bypasses your system DNS entirely and resolves domains through the browser's own DoH provider. Your CleanBrowsing allowlist has no effect on DoH queries.

Check and disable DoH: see our guide on how to disable DNS-over-HTTPS.

Step 6: Common Allowlist Scenarios

Microsoft 365 (Teams, SharePoint, Outlook)

Microsoft 365 requires many domains to function. Rather than trying to identify each one individually, start with our recommended list in the Microsoft 365 troubleshooting guide.

Google Workspace

Key domains to allowlist for Google Workspace:

accounts.google.com
mail.google.com
drive.google.com
meet.google.com
classroom.google.com
docs.google.com
sheets.google.com
slides.google.com

Zoom

zoom.us
*.zoom.us
*.zoomgov.com

Slack

slack.com
*.slack.com
slack-edge.com
*.slack-edge.com

Educational Platforms

If an educational resource is blocked, the issue is usually a CDN or video host domain, not the platform itself. Use browser DevTools to identify the specific failing domain, then allowlist it.

Reporting Miscategorized Domains

If a domain is incorrectly categorized in our database, please report it to support@cleanbrowsing.org with the domain name and what the correct category should be. We will update the categorization, which fixes the issue for all CleanBrowsing users — not just your network. You can also submit categorization corrections at categorify.org.