Geo Custom Rules

You can create custom rules that leverage geo-location data of source and destination IPs.


Beta Feature

This feature is in beta, and lacks a "pretty UI", however you can use it right now.

What are Geo Custom Rules

Geo Custom Rules work exactly as standard (domain based) custom rules, except they leverage the geo-location data that's associated with the source IP that made a DNS query, as well as destination IPs that the query resolves to. Here are some examples of what you can do with these types of rules:

  • Block queries that resolve to IPs in a specific country
  • Redirect queries that don't resolve to IPs in a specific country
  • Bypass queries made from IPs in a specific country
  • Block queries made from IPs not in a specific country

Or any combination of the above.

Rule Format

Geo Custom Rules start with any of the 4 following formats, and are followed by a 2 letter ISO country code.

  • @ - destination country
  • # - source country
  • !@ - NOT destination country
  • !# - NOT source country


Simply create a standard Custom Rule, but instead of a domain name use any of the following formats:

  • @CN - This will match if a queried domain resolves to a Chinese IP address.
  • !@US - This will match if the queried domain does not resolve to a US IP address.
  • #CA - This will match if the DNS query originates from a Canadian IP address.
  • !#DE - This will match if the DNS query does not originate from a German IP address.

You can use any 2 letter ISO country code to make these rules. You can also make several of these rules in one go, by listing them one per line while adding custom rules (same as domain level rules).


NOT Rules Limitations

You should not mix different Rule Actions for the "not rules" (the ones that start with !), or unexpected behavior will occur. See below for some examples.

This OK

  • !#US -> BLOCK
  • !#CA -> BLOCK

The above will result in DNS queries originating from US and Canada working normally (subject to the rest of your Profile), while queries that originate from all other countries would get a BLOCK response.

This is NOT OK

  • !#US -> BLOCK
  • !#CA -> BYPASS

The above is NOT OK to do. Unexpected (random) behavior will occur. The exact same thing is true for !@ (destination) rules.

Rule Actions

Much like with standard Custom Rules one of 3 rule types can be attached to any geo custom rule. Be aware that domain level rules take priority, so if a query matches a domain level rule that will take precedence over any of your geo rules.


A BLOCK action will prevent any domain that matches a rule from loading, and will effectively make it inaccessible from a Device that enforces a Profile.


A BYPASS rule will resolve any domain to its true IP address from Authoritative DNS. This is useful to override Filters, Services, or the Default Rule.


A REDIRECT rule will spoof any domain via a proxy location or specific IP address chosen by you.