sfw/fix
Umbrella blocked high

Cisco Umbrella / OpenDNS "This site is blocked" (DNS-layer category block)

A network's Umbrella or OpenDNS resolver classified the domain and returned its block page instead of the site.

What you see

This site is blocked due to a security threat.
This site is blocked due to content filtering.
blocked.example.com — Cisco Umbrella
(powered by OpenDNS)

What’s actually happening

Visitors on one network — a company, school, or anyone using OpenDNS resolvers — hit a Cisco Umbrella or OpenDNS block page instead of your site, while other networks load it normally. Because the block happens at DNS resolution, it kills the whole domain before any HTTP request goes out; HTTPS doesn't help. The page states a category: malware, phishing, newly seen domain, or a content filter like gambling.

Common causes

  • Umbrella's threat intel flagged the domain as malware, phishing, or command-and-control — often after a compromise
  • "Newly Seen Domains" or "Newly Registered Domains" category blocking a freshly registered or recently moved domain
  • A content-category misclassification (your SaaS app tagged as proxy/anonymizer, your forum as adult, etc.)
  • A specific network's admin manually added the domain to a block list
  • Shared hosting where a neighbor domain on the same IP got the IP/domain cluster flagged

How to fix it

  1. Confirm it's Umbrella and find the categoryThe block page says Cisco Umbrella or OpenDNS and usually names the reason. Cross-check your domain's classification at Cisco Talos Intelligence (talosintelligence.com) and the Umbrella domain checker. That tells you whether it's a security flag or a content-filter category.
  2. Clean the site if it's a security flagMalware/phishing/C2 listings mean Umbrella saw something bad. Find and remove injected content, scan the server, rotate credentials, and patch the stack. A dispute filed on a still-dirty site gets rejected.
  3. Submit a categorization dispute to CiscoUse the Cisco Umbrella / Talos reputation dispute form to request reclassification, attaching evidence the domain is clean. Misclassification disputes (wrong content category) and false-positive security disputes go through the same intake.
  4. For internal blocks, ask the network admin to allowlistIf only one organization blocks you and the category is a content filter or manual entry, the fix is on their side: their Umbrella dashboard admin adds your domain to the Destination Allow List. Global reclassification won't override a local block.
  5. Address the 'newly seen domain' caseNew domains commonly trip this for a few days. There's nothing to clean — keep the domain serving normal content and the classification settles, or ask blocking admins to permit it in the meantime.

Stop it recurring

Age a new domain with real content before launch and monitor its reputation on Talos and Umbrella, so it isn't flagged as newly-seen or hijacked when traffic starts.

Related errors

Akamai "Access Denied — Reference #18..." (Kona WAF block)

high

Akamai's edge WAF or Bot Manager rejected the request with a 403 and a Reference #18 error ID.

Domain listed on a URI blocklist (SURBL / URIBL)

high

Your domain appears in spam or phishing message bodies, so SURBL or URIBL blocklisted the domain itself.

Blocked by Project Honey Pot http:BL (DNS blacklist)

medium

A site security plugin queried Project Honey Pot's http:BL and blocked the visitor's IP as a flagged threat.

Google Safe Browsing "Deceptive site ahead" warning

critical

Google Safe Browsing flagged the site for phishing or malware, so Chrome shows a full red interstitial before the page loads.