Troubleshoot DNS Destination Lists

When you add a malformed destination or unsupported type of destination to a DNS destination list, you may encounter an error condition. In most cases, Secure Access displays an error message that describes the reasons for the error condition.

DNS destination lists support the following destination types:

Fully-qualified domain name (FQDN)
IP address
URL

For more information about DNS destination lists, see Add a Destination List.

DNS Destination Lists and Common Error Conditions

Action	Error Message	Additional Information
Added a URL to an allow list.	URLs in allow lists are not currently supported. Consider adding the domain only instead.	Remove the URL and replace it with the domain for that URL.
Entered a destination that does not match the type and format expected by the destination list.	Invalid Domain, Invalid URL, Invalid IP	Check the format and type of the destination that you added. Enter the correct format of the destination.
Added a URL that has an error in the domain, path, or query.	Check to confirm that the URL was entered correctly.	Secure Access requires that URLs follow RFC-3986 Uniform Resource Identifier (URI): Generic Syntax. Check the characters in the URL. Check the composition of the URL. You can add a partial URL to leverage right-side wildcarding. For more information, see Control Access to Custom URLs.
Added a URL that is found in a high-volume domain list.	The URL belongs to a domain that does not present a security concern, but if proxied may impact Secure Access performance. Instead, consider adding only the domain.	If you do not trust the destination, consider blocking the domain. Generally, high-volume domains do not present a security risk and do not require additional inspection.
Added a destination that is found in the protected allow list.	The supplied destination matches the Secure Access global allow list and cannot be saved.	Destinations in the protected allow list either host services other than HTTP or are critical to Secure Access operations. Secure Access only proxies services that use HTTP. If the error occurs when you add a URL and you don't trust the destination, consider blocking the domain. If you are not sure why the destination is considered protected, contact support.
Entered a URL that contains non-ASCII characters.	Only ASCII characters can be used for defining URLs. Invalid URL.	Try percent-encoding the URL or block the domain.
Uploaded a list of destinations in which at least one of the URLs or domains contains an error.	There was an issue with one or more of the destinations in the uploaded list.	A bulk upload error message. Secure Access provides a link to the list of destinations that were not added from the uploaded destination list. Correct or remove the destinations from your bulk upload list and try again. Secure Access does not add destinations from an uploaded destination list unless all of the destinations are accepted.
Entered a destination that is not accepted by Secure Access.	Invalid destination.	A generic error message. Entered a destination that is not accepted by Secure Access. You have encountered an error condition that is not categorized by Secure Access. We recommend that you contact Support.
Entered a destination that matches a destination in an existing destination list.	This destination already exists in the destination list.	Secure Access does not add a destination that already appears in a destination list.

Add Punycode Domain Name to Destination List < Troubleshoot DNS Destination Lists > Manage AAA Servers