A DNS block during client work is both a security signal and a continuity problem. Resist the two fastest reactions: telling the client its site is unsafe, or turning filtering off. A classification can be wrong, a legitimate service can use a newly observed hostname, or the device can be following a different DNS path. The job is to preserve work while establishing which explanation is true. Agree on an internal response target before the first incident, so delivery pressure does not quietly become permission to bypass every control.
Treat the block as a continuity incident
Start a short incident note while the failure is fresh. Capture the time, device, user-visible error, requested hostname, task being attempted, and whether colleagues see the same result. Ask for a screenshot of the error rather than repeated attempts. Do not ask someone to visit the site from an unprotected personal device; that proves little and may transfer risk.
| Question | Evidence | Next move |
|---|---|---|
| Did protective DNS act? | Resolver activity shows a block or redirect | Identify the matching rule |
| Is the hostname expected? | Client confirms it through a known channel | Check scope and dependencies |
| Is work urgent? | A named deliverable and deadline exist | Create a time-boxed narrow exception |
| Was classification wrong? | Vendor review or independent evidence supports it | Request reclassification and retain expiry |
Use a known phone number, existing project channel, or previously verified client contact to confirm the hostname and purpose. An email arriving with the blocked link is not independent verification. For a login page, also check the organization name, expected sign-in journey, certificate in a safe inspection tool, and authoritative documentation. A client can itself be compromised, so confirmation reduces uncertainty rather than declaring a domain harmless.
Diagnose before you allow
- Confirm the endpoint is using the intended protected resolver. Browser Secure DNS, a VPN, a private relay, or a manual setting can change the path.
- Reproduce once from the affected endpoint and note the exact time. Clear the local DNS cache only after preserving useful evidence.
- Find the matching action and rule. Distinguish a threat-intelligence block from a content category, custom domain rule, or redirect.
- Check whether the hostname is the client service itself or a required dependency such as identity, storage, payments, or a content delivery network.
- Compare another protected endpoint in the same work profile. A single-device failure can be local configuration rather than policy.
- Use the DNS provider or threat-intelligence owner's reclassification channel when the evidence supports a mistake.
Cloudflare documents both specific allow policies and categorization-change requests for misclassified domains.3 Cisco Umbrella similarly organizes DNS policy around identities and destination lists, while Control D documents custom rules taking precedence over broader filters.45 The interfaces differ, but the durable outline is the same: identify the decision, override precisely, and preserve policy order.
Use a reversible decision ladder
Match the response to the evidence rather than the volume of the request. If the endpoint is on the wrong resolver path, correct that path and retest. If a content category is disputed, review the category without touching threat protection. If one verified hostname is required, allow that hostname for the smallest relevant scope. If the destination still looks risky, preserve the block and move the client task to an approved channel. Each step should be easy to reverse and should leave the broader security posture intact.
| Finding | Continuity action | Security boundary |
|---|---|---|
| Wrong DNS path | Restore the intended resolver | Do not change policy |
| Category disagreement | Review or reclassify the hostname | Keep threat rules active |
| Verified work dependency | Allow the exact hostname temporarily | Limit scope and duration |
| Unresolved risk | Use an alternate approved workflow | Keep the destination blocked |
Build an exception with an expiry
Choose the smallest useful scope. Prefer one hostname over a parent domain, one client-work profile over the whole company, and one endpoint for initial proof. Record who approved it, why it exists, the client task it enables, and when it will be reviewed. If the platform cannot expire rules automatically, put the review in the same calendar or ticket system that owns the client deadline.
An exception is a temporary business decision with evidence, not a permanent reward for the first person who reports a block.
Do not bypass an enforced malware or phishing policy merely because the task is urgent. If independent checks cannot establish reasonable confidence, move the exchange to an already approved client channel or ask the client for an alternate endpoint. Continuity includes avoiding a preventable compromise. Protective DNS complements endpoint protection, multifactor authentication, updates, backups, and staff verification; it does not replace them.2
Prove the client work, not just the domain
After the exception, repeat the real workflow from the pilot endpoint: sign in, open the project, upload or download a harmless test file, complete the relevant integration, and sign out. A successful DNS lookup alone does not show that all required hostnames work. Equally, a broken page does not prove another domain should be allowed; inspect the next blocked dependency and repeat the verification.
Close the incident with two separate conclusions: whether client work recovered, and whether the original classification was correct. Recovery may come from an alternate workflow while the block remains valid. Conversely, a mistaken category may be corrected even after the deadline passes. Keeping those conclusions separate prevents an urgent business outcome from becoming weak security evidence and gives the next reviewer a clear reason to retain, narrow, or remove the exception.
- Remove or narrow the exception when the client work ends or the provider corrects classification.
- Review aggregate blocked and allowed counts first; open detailed activity only for the named troubleshooting window.
- Keep a reusable note for client contacts: what evidence to provide, who approves, and expected response time.
- Run a quarterly search for ownerless exceptions and rules whose reason no longer matches active work.
DNS filtering sees domain lookups and policy outcomes. It cannot read page contents, search terms, in-app chats, voice audio, or full browser history. That limit matters during diagnosis: a resolver event can show which domain was blocked, but not whether the client document, message, or person requesting access is trustworthy.
False-positive questions
Should we allow the whole client domain immediately?
Usually not. First identify the hostname and rule involved, verify ownership through a trusted contact, and test the smallest exception. A broad domain exception can expose unrelated services and remain long after the urgent task ends.
Does a false positive mean protective DNS is unreliable?
No. Classification systems trade coverage against error, and legitimate infrastructure changes. The operational test is whether the team can identify, narrow, document, and review an exception without disabling its security baseline.
What evidence belongs in an exception request?
Include the endpoint, time, hostname, policy action, client workflow affected, independent ownership check, required duration, and a named reviewer. Do not paste credentials, client records, or unnecessary browsing details.
Make the Veilty exception narrow
In Veilty, scope client-work endpoints to the appropriate Tenant resources and inspect the shortest relevant retained-history window. Saved Tenant activity is available only where a member's Tenant role permits it and is end-to-end encrypted; the resolver still processes live requests to answer them. Reusable baseline and enforced Tenant policies set the boundary: a resource may override the Tenant's baseline policy, but never its enforced policy. Test one endpoint, record the owner and review date, then verify the client workflow before expanding.1