DNS Redirector


FAQ 159: Useful AllowedKeywordsFile or AlwaysKeywordsFile additions

Category: Troubleshooting | Updated: 12/05/2016 2:20 PM


Since popular services and websites may use many domains or rely on third-party CDN domains, maintaining an allowed list can avoid disruption to services your company relies on.
Remember to include your internal domain suffix in your allowed file as well.

 [ See a sample allowed file here: example-allowed.txt ]
...the contents can be pasted into your allowed.txt or always.txt file.

Depending on your network setup/policy you may find the following AllowedKeywordsFile= additions useful...

All keyword lists need to have at least one non-regex keyword present; at least 1 line not starting with ^
You can make this keyword up and/or make it specific to your network's domain, for example: allowed.inside.example.com

^.*XETGS\.XBOXLIVE\.COM$
^.*epix\.xbox\.com$
...when running a free/open hotspot at a hotel, add these to your AllowedKeywordsFile=
With these domains allowed, Xbox 360s are not restricted by your blocked list.
Alternatively, to authorize a game console as soon as it connects, see FAQ 121.

Depending on your network setup/policy you may find the following AllowedKeywordsFile= or AlwaysKeywordsFile= additions useful...
Example: Clients connecting to your "block everything" or "no-Internet" network, but some sites still need to be reached.

For Windows Vista, 7, 8 and Windows Phone to determine Internet connection availability...
^dns\.msftncsi\.com$
(the user's machine finds Internet is available and a pop-up balloon from the system tray will read "Additional log on information may be required. Click to open your browser")
- or -
^.*\.msftncsi\.com$
(lookups for both dns.msftncsi.com and www.msftncsi.com will work, and so the user's machine finds Internet is available without any additional steps)

For Windows 10 to determine Internet connection availability...
^(.*\.)?msftconnecttest\.com$

For Android, Google Chrome, and Chromium OS devices to believe they are not behind a captive portal...
^clients3\.google\.com$   ...also for Android 4.4.x (KitKat)
^connectivitycheck\.android\.com$   ...for Android 5.0/5.1.x
^connectivitycheck\.gstatic\.com$   ...for Android 6.0.x (Marshmallow)

For Apple iOS devices to believe they are not behind a captive portal...
^(.*\.)?apple\.com$
^captive\.apple\.com$
^(.*\.)?appleiphonecell\.com$
^(.*\.)?itools\.info$
^(.*\.)?ibook\.info$
^(.*\.)?airport\.us$
^(.*\.)?thinkdifferent\.us$

For Firefox OS devices to believe they are not behind a captive portal...
^detectportal\.firefox\.com$

For browsers that may have trouble with HTTPS sites while behind a captive portal, or after having been behind one...
^(.*\.)?symcd\.com$
^((.*-)?crl|crl-ssl)\d?\.\w*\.(com|net|\w{2}\.\w{2})$
^(ms)?crl\.microsoft\.com$
^www\.startssl\.com$
^pki\.(google|nai)\.com$
^repo\d\.secomtrust\.net$
^.*ocsp2?\.\w*\.(com|net)$
^(.*\.)?public-trust\.com$
^(.*\.)?secomtrust\.net$
^(.*\.)?amazontrust\.com$
^certificates\.godaddy\.com$
^crl\.ca\.vodafone\.com$
^crl\.buypass\.no$

For Eye-Fi wireless SD cards to connect and upload photos...
^(.*\.)?eye\.fi$

For reverse DNS lookups, this is a special case for some VPN and Apple software to determine network location...
^.*\.in-addr\.arpa$
^.*\.ip6\.arpa$
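
The following lint for an allowed or always keywords file is an added example, not part of DNS Redirector or of the original FAQ. It checks the rule that at least one line must not start with ^, flags regex lines that lack a trailing $ or contain an unescaped dot, and shows which hostnames such a loose line lets through. It assumes regex lines are matched case-insensitively with semantics compatible with Python's `re` module; the function names and the sample file are made up for illustration.

```python
import re

# Heuristic: a "." that is neither escaped nor followed by a quantifier is
# probably meant as a literal dot and should be written "\.".
BARE_DOT = re.compile(r"(?<!\\)\.(?![*+?{])")

def parse(text):
    """Split keyword-file text into (plain_keywords, regex_lines)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    plain = [ln for ln in lines if not ln.startswith("^")]
    regex = [ln for ln in lines if ln.startswith("^")]
    return plain, regex

def lint(text):
    """Return a list of (line, problem) findings for a keyword file."""
    plain, regex = parse(text)
    findings = []
    if not plain:
        findings.append(("<file>", "no non-regex keyword present"))
    for pat in regex:
        try:
            re.compile(pat)
        except re.error as exc:
            findings.append((pat, f"does not compile: {exc}"))
            continue
        if not pat.endswith("$"):
            findings.append((pat, "no trailing $; longer names also match"))
        if BARE_DOT.search(pat):
            findings.append((pat, "unescaped '.' matches any character"))
    return findings

def allowed_by(text, hostname):
    """Regex lines matching hostname (assumption: case-insensitive match)."""
    _, regex = parse(text)
    return [p for p in regex if re.search(p, hostname, re.IGNORECASE)]

# Constructed sample file: reserved example domains, one deliberately loose
# line, and no plain keyword, so every check fires.
SAMPLE = r"""
^(.*\.)?example.org
^(.*\.)?example\.net$
"""

if __name__ == "__main__":
    for line, problem in lint(SAMPLE):
        print(f"{line}: {problem}")
    for host in ("www.example.net", "example.org.test.invalid", "examplexorg.invalid"):
        print(host, "->", allowed_by(SAMPLE, host) or "not allowed")
```

The unescaped-dot check is a heuristic and will also flag a dot written inside a character class such as `[.]`.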


Please contact support if you require a device to believe it is on the Internet, even when Internet is not available. In some cases domains can either be forced to resolve to a separate site in IIS, or the welcome site can be modified to look for domains in the URL and then redirect to the "Success" message. Care needs to be taken to avoid breaking other device connectivity (for example text, SMS, voicemail notifications).



Related articles
FAQ 5  Block everything and allow just a few sites
FAQ 121  Useful AuthKeywordsFile additions

 