More insights, please

The admins would like to know a lot more about what is going on with the auto unblocking by the reflex, and also what upstream resolvers are blocking. How can we gain these insights?

If a certain category is being hit by the reflex policies, we have no clue after the fact which it is. If we are receiving false positives we would like to know what category is matched. We have no way of knowing this right now so we cannot adjust any reflex policy to be more or less permissive. I just stumbled across the section in the dashboard where we can revisit the “closed” decisions that reflex made. There are a ton of legitimate domains that are just marked as “dangerous”. Well I have no clue what dangerous means. Now it’s all right to have a few false positives but I would at least like to know why they were marked as dangerous.

Also, if upstream resolvers are blocking legitimate sites we would like to have historical data as to what keeps getting blocked, so we can adjust the upstream policy with DNS harmony. Currently the whole system seems to be “set, and hope it works”, because there is no way to tune anything. We are completely blind as to what is being automatically blocked or allowed. Sure we get the emails, but there is no reasoning at all behind them and there’s no way to get the reasoning. Please help us out. If this takes more hardware, then so be it. And I certainly do not want to have to visit the sales team about enterprise plans for something that anyone, all the way from huge companies down to mom and pops using Adam networks, would like to know. We all want to tune the system to give everybody the correct balance of security versus convenience. We have no problem turning the slider all the way to the left or to the right, that’s easy with Adam, but it’s the small variations right in the middle that seem to be a hang-up right now. We need more info to work on.

TL;DR: I would like to see top blocked domains by upstream resolver, and I would also like to know specifically what category any Reflex blocked domain matches.

I just want to help clarify some things here. It sounds like you’re mostly talking about unblock requests and auto whitelisting, but you also are talking about reflex and upstream resolvers. These are 3 different things that are not directly connected to each other.

Specifically with unblock requests, there is no relation to reflex. Your reflex policies have no impact or relation to when an unblock request is closed, allowed, etc.

For Reflex and DNSharmony, the specific category or resolver that blocked a domain is clearly shown in the MyTools Domain Log.
If I were to try to boil down what you’re asking for, it would be to essentially have the MyTools Domain Log, but just be able to go further back in time.

Ok, I thought I was talking about two things, but I guess it’s actually three. Whether or not they’re related to each other isn’t important, I just want more insights into “things that happen automatically”.

  1. Upstream resolvers: I’m not sure if the upstream resolvers send back to the client what the decision is based off of or what category it is. Maybe this isn’t an option for free resolvers. There is very minimal insight there so I don’t know what resolvers to put into my DNS harmony to make it act the way I want it to act.
  2. Auto unblock requests: I do not know what the decision engine is for these but there is certainly minimal info as to what it allows and what it does not allow, as I mentioned above. Websites are simply marked as dangerous and that’s the decision. It seems like even if I knew what the criteria were for why a site is allowed or not, there’s no way for us to tune anything on the dashboard because that’s simply not an option yet.
  3. Reflex: Again, these Reflex categories were chosen once by me, and I just take it on hope that they work. I know I can see the reason live on the domain logs, if I am there right in front of the logs when any particular user visits a website. But I would actually like to see for my entire site what Reflex category is hit most often. That way I can say “hey, this {important work website} is matching {important allowed work category}, but it is also matching {not allowed category}, so maybe I need to move {not allowed category} to the allowed pool.” I am pretty sure that the logs don’t show all the categories that a domain matches. In fact here’s an example from my site: {Forwarded: Reflex forwarded to default resolver | Business Economy}. This shows only one category, but it could be matching more categories, am I right?