Introduction
This document describes why Umbrella does not block text (TXT) record query types for content filtering.
Overview
Umbrella does not block TXT (text) record query types for content filtering (for example, category blocking), but it does block them for security filtering. There are a few reasons for this, and also a couple of caveats to be aware of. This article provides information on these caveats.
What is a TXT record?
A TXT record carries extra data, sometimes human-readable, most of the time machine-readable. The information in the response is usually used for automated tasks such as opportunistic encryption, DomainKeys, DNS-SD, SPF, and so on.
For more information on other common types of DNS records, click here.
Why are TXT records not blocked?
Other fairly important systems use TXT records, such as SPF (Sender Policy Framework).
SPF once had its own resource record type (99), which is now deprecated. Instead, SPF uses TXT records.
If Umbrella is performing filtering for an e-mail server, these SPF TXT records must be available, because they are used to determine the validity of the sending e-mail server. Blocking SPF TXT records can interfere with receiving incoming e-mails from valid senders, and with filtering out 'spoofed' e-mails and phishing campaigns.
Note: Currently, it is not recommended to use Umbrella filtering for an e-mail server. For more information please see this article.
For content filtering, blocking TXT records is not necessary to prevent users from accessing content such as websites. Therefore, we do not block TXT records. This ensures that web content filtering works while other systems (like SPF) still function.
What are the caveats?
There are instances when it is recommended to block all record types. When a domain is categorized as hosting malware, Umbrella blocks TXT records too.