If you use an external dynamic list as a domain allow list, it does not
have precedence over the DNS Security domain policy actions. As a
result, when there is a domain match to an entry in the EDL and a DNS
Security domain category, the action specified under DNS Security is
still applied, even when the EDL is explicitly configured with an action
of Allow. If you want to add DNS domain exceptions, either configure an
EDL with an Alert action or add them to the DNS Domain/FQDN Allow List
located in the DNS Exceptions tab.