Technitium DNS PSA: Don't whitelist the root domain unless you really mean it
I learned something today while tuning my Technitium DNS Server with HaGeZi Ultimate, HaGeZi TIF, OISD Big, OISD NSFW, and the DoH/VPN bypass list.
At first, I was whitelisting root domains like:
facebook.com
tailscale.com
anydesk.com
fbcdn.net
I assumed this would only allow those specific domains.
After testing with dig and Technitium's EDE (Extended DNS Error) responses, I discovered that's not how the allow list behaves.
Example:
If you whitelist:
tailscale.com
then these are effectively allowed as well:
login.tailscale.com
log.tailscale.com
pkgs.tailscale.com
controlplane.tailscale.com
wwwv2.tailscale.com
Likewise:
facebook.com
also allows:
graph.facebook.com
pixel.facebook.com
m.facebook.com
lookaside.facebook.com
...
The proof came when I removed the parent domain from my whitelist and instead allowed only the hostnames my applications actually required.
Immediately afterwards:
$ dig pixel.facebook.com
;; status: NXDOMAIN
EDE: 15 (Blocked)
source=OISD Big
source=HaGeZi Ultimate
So my tracking protection started working again without breaking Facebook, WhatsApp, Instagram, or Tailscale functionality.
My recommendation is:
- ❌ Don't whitelist
facebook.com,tailscale.com,anydesk.com, or other parent domains unless you intentionally want every subdomain to bypass your blocklists. - ✅ Whitelist only the specific FQDNs your applications actually need, such as:
This keeps your services working while allowing your blocklists to continue blocking advertising, telemetry, and tracking endpoints.
Has anyone else observed the same behavior in Technitium's allow list? I'd be interested to know if this is documented somewhere, because it was one of the most useful things I've learned while fine-tuning my DNS setup.