This article will explain some advanced filtering techniques. We’ll go over how to use wildcards, apply multiple policies, and how to filter certain sites on a domain.
Blocking/Allowing Websites with Domains and Subdomains
Sometimes you only want students to be able to access certain parts of a website/domain. Keep in mind that the allow list will always override the block list (including category blocks).
1) Let’s say you want students to be able to access docs.google.com (a subdomain), but not Google.com (a domain) or any other Google subdomains (such as sheets.google.com):
- Add “google.com" to your block list (this will also block all subdomains)
- Add “docs.google.com” to your allow list (this will override the block list for this subdomain only)
2) If you wanted to allow Google.com but didn’t want students to be able to get to drive.google.com:
- Add "drive.google.com" to the block list
*There is no need to add google.com to the allow list, as students should be able to access it already (unless a policy in Restrictive Mode is being applied).
Applying Multiple Policies
Multiple policies may be applied to an OU.
Please note: Any category blocked on any applied policy will be blocked for users within that OU. Any URL explicitly allowed on any of the directly applied policies will be allowed and take precedence over a category block. Inherited policies take a lower priority for filtering than directly applied policies. For example, if a directly applied policy blocks Social Media as a category, and an inherited policy allows Facebook.com, a user within the OU with the directly applied policy attempting to access Facebook.com would be blocked -- even though the site is allowed in the inherited policy.
When overlaying multiple policies, we recommend leaving your root policy with the least amount of category blocks and applying more restrictive policies further down the OU tree.
For example, if a "Default" policy blocks the Social Media category but the "Users" policy allows this category. Any website categorized as Social Media such as Facebook.com would be blocked when both these policies are applied.
If Facebook.com is explicitly allowed on the directly applied "Users" policy, Facebook.com would be allowed.
However, if Facebook.com is specifically allowed as a site in the "Default" policy, and the Social Media category is blocked within the "Users" policy, Facebook.com would be blocked.
Special rules applied when used with restrictive mode:
If the "Users" policy is in restrictive mode, inherited policy allow rules from the "Default" will be merged at the same precedence as directly allowed policies. In this scenario, if the restrictive "Users" policy blocks all sites except a pre-determined list which does not include Facebook.com, and the "Default" policy blocks the Social Media category but specifically allows Facebook.com, the site will be allowed. For more on policies and policy inheritance, see Policies and Policy Inheritance.
In GoGuardian, asterisks are used to denote wildcards. Wildcards are a very useful tool for filtering. Keywords or URLs placed in between the wildcards (or asterisks) can be blocked or allowed regardless of the remaining part of the URL. When a "wildcarded" term or domain is blocked/allowed, it will result in all URLs containing that wildcarded term, or all URL paths within that wildcarded domain, to be blocked/allowed.
Here are some examples of how you can use wildcards on your block/allow list:
- Keyword blocks: if you add *proxy to your block list, this will block any site that has the word “proxy” in the URL.
- Multi-word keywords: if you add *harry+potter to your blocked list, this will block any URL for these terms, with the "+" sign representing a single space character in the search field.
- Sub-domain blocks: if you add *.mlb.com to your blocked list, users would be able to access mlb.com, but would be blocked from sub-domains such as yankees.mlb.com or dodgers.mlb.com
- Multi-word keywords with more than two wildcards: if you add *unblocked*games to your blocked list, this will block any Google searches for these terms, with any amount of characters (spaces or other) in between the two terms (represented by the middle wildcard). It will also block any URLs containing these two terms, in that order, with any characters in between the two terms.
Pro Tip: Be careful blocking short keywords! Many URLs contain long strings of random letters and this could cause unexpected blocks. Example: blacklisting *room* will block access to classrooms.google.com.
Here is a list of wildcards that we recommend adding to the block list on your default policy:
Note: Blocking sites with wildcarded terms can cause some pages to be blocked unintentionally. If you find sites are being blocked unexpectedly, check your wildcard block rules. If they are too general, you may want to remove them, otherwise, you can override the block rule with an allow rule for the page or domain.
The words proxy and VPN may appear in URLs for some Google services, such as drive.google.com and docs.google.com. If you find these services are being blocked unexpectedly, check the URL for the term. This can be fixed by adding an Allow Rule for the URL that was blocked.
Blocking Google Images
To fully block Google Image searches, add the wildcard *tbm=isch to your block list. "tbm=isch" is specific to Google Image searches. Please note that Google.com cannot be on the allow list in order for this to work.
Blocking Google Searches
You can block specific Google Searches, without blocking URLs containing that specific term. In order to block specific Google Searches, add *search*term* to your policy, where "term" stands in for the search you would like blocked.
For example, adding *search*snake will block the search for the term "snake", but will still allow sites that contain "snake" in the URL. Blocking *gun+mayhem will block any URL with both those words in it (with a single space in between the two words).
To block the term regardless of where in the phrase they search, you can add *search*term
Allowing/Blocking Sites with a Path
Certain characters such as URLs with a question mark will not be able to be added to the blocked/allowed site list.
For example, if you would like to block, https://site.websites.com/view/game/home?authuser=1 please remove the characters following the question mark and add the wildcard. This will block all URLs within that subdomain and with the beginning path.
To learn more about GoGuardian DNS filtering and the differences in how the policies are applied, click here.