NIOS-X with DFP and Infoblox Endpoint can honour “Allow - Local Resolution” for Application Custom List on Security Policy. DFP MUST have a fallback resolver configured. This is because the list of applications isn't put into the DNS config file but the DFP config file and the DFP can't send the query back to the DNS server. So to honour “Allow - Local Resolution”, the DFP must have a DNS server it can forward to (i.e. the fallback resolver)

Infoblox Endpoint can also honour this setting.

NIOS cannot honour this setting and ignores it.

DoH cannot honour this setting and ignores it.

External Networks cannot honour this setting and ignores it.

Note: When you configure a rule in a security policy for an application based custom filter with action set to “Allow - Local Resolution”, then its position in the security policy makes no different when it is implemented by NIOS-X and/or Infoblox Endpoint. This is because NIOS-X and Endpoint will apply the “Local Resolution” policy locally before the query can reach the cloud based security policy. Any application “block” action will only apply that action once it reaches the cloud. There is no “Block Locally” option because anything that isn't explicitly told to resolve locally will go to cloud.

Infoblox Threat Defense (cloud) can identify application usage. You can find out the exact domains but configuring “Allow - Local Resolution” for an application custom list in a security policy, apply to an endpoint and then look at the corefile.4 config.

0.facebook.com 
api.facebook.com
apps.facebook.com
b-api.facebook.com
channel.facebook.com
chat.facebook.com
edge-chat.facebook.com
gateway.facebook.com
graph.facebook.com
lookaside.fbsbx.com
m.facebook.com
mqtt.facebook.com
mqtt.t.facebook.com
orcart.facebook.com
pixel.facebook.com
s-static.ak.facebook.com
star-mini.c10r.facebook.com
star.c10r.facebook.com
star.facebook.com
static.ak.facebook.com
touch.facebook.com
upload.facebook.com
vupload2.facebook.com
vupload2.t.facebook.com
web-chat-e2ee.facebook.com

appsforoffice.microsoft.com.edgekey.net
attachments.office.net
consumer-licensing-aks2aks.md.mp.microsoft.com.akadns.net
cxcs.microsoft.net.edgekey.net
displaycatalog-rp.md.mp.microsoft.com.akadns.net
docs.microsoft.com-c.edgekey.net
docs.microsoft.com-c.edgekey.net.globalredir.akadns.net
download.microsoft.com.edgekey.net
fe2.update.msft.com.trafficmanager.net
fe2cr.update.msft.com.trafficmanager.net
fs-wildcard.microsoft.com.edgekey.net
fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net
geover.prod.do.dsp.mp.microsoft.com.edgekey.net
go.microsoft.com.edgekey.net
login.microsoftonline.com
privacy.microsoft.com.edgekey.net
prod-video-cms-rt-microsoft-com.akamaized.net
prod.configsvc1.live.com.akadns.net
prod.fs.microsoft.com.akadns.net
prod.mrodevicemgr.live.com.akadns.net
prod.nexusrules.live.com.akadns.net
prod.ocws1.live.com.akadns.net
prod.odcsm1.live.com.akadns.net
prod.ols.live.com.akadns.net
prod.omexmessaginglfb.live.com.akadns.net
prod.pptsgs.live.com.akadns.net
prod.roaming1.live.com.akadns.net
prodstack.support.microsoft.com.edgekey.net
purchase.md.mp.microsoft.com.akadns.net
r1.res.office365.com
r3.res.office365.com
r4.res.office365.com
smtp.office365.com
statics-marketingsites-wcus-ms-com.akamaized.net
storecatalogrevocation.storequality.microsoft.com.edgekey.net
www.icloud.com-v1.edgekey.net
www.microsoft.com-c-3.edgekey.net
www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net

deepseek.com