Just wondering if anyone who has deployed IOC feeds (sk132193) has ever thought that the end user gets two totally different experiences depending on how the feed is set up. I'm referring to feeds based on domain names / URLs btw.
Basically, if you block the whole domain (i.e. www.draugiem.lv in the log screenshot below) you will get a blank screen reporting that the name lookup failed, as the FW will block it (or return the DNS Trap IP if configured). So if I'm just a regular person, seeing a blank screen with an obscure Name_err message is not very helpful.
Example screenshot:

Whereas in the second case, where we block a specific path in the domain (www.netflix.com/browse), the end user will get a proper "Access Blocked" webpage generated by the FW AntiBot/AntiVirus blade. Very informative and helpful.
You can actually see which type of protection actually kicked in (URL vs DNS).

I realise that a DNS block is way more effective from a security point of view, as no data is actually transmitted, plus it is less resource hungry. But I still find that "educating" the end user is a big and important piece. And those well-defined "Access blocked" webpages are really helpful.
Question is - is it possible to customise IOC feed behaviour on the AB/AV blade so that we allow the DNS request through and display a proper block page in the browser?