Currently, DNS Filter does not block any content servers unless you add them to a block list. This means that if you create a policy, block everything that you can and set up an allow list, these contents servers will not be blocked. That is not a TRUE allow list. If an allow list is set, all other domains, no matter what category they are in, should be blocked. Period.