For network deployments with dynamic domains host names there should be a prompt for those domains to be added to whitelists in different policies when they are added to a site.

It makes sense for the top level domains for these networks to be blocked by DNS Filter since hackers use these same tools. But at the same same time they do have legitimate use cases.