diff --git a/proxy/filter/blocklists.go b/proxy/filter/blocklists.go
index b6a97fed..59410852 100644
--- a/proxy/filter/blocklists.go
+++ b/proxy/filter/blocklists.go
@@ -48,10 +48,17 @@ func (f *DomainFilter) filterBlocklists(reqCtx *requestcontext.RequestContext, d
 }

 if reqCtx.PrivacySettings[SUBDOMAINS_RULE] == RULE_BLOCK {
- // iterate over all subdomains
+ // iterate over all subdomains (excluding TLD and full FQDN)
 parts := strings.Split(fqdn, ".")
- for i := range len(parts) - 1 {
- candidate := strings.Join(parts[i:], ".")
+ var candidate string
+ for i := len(parts) - 2; i >= 0; i-- {
+ // Build candidate incrementally by prepending current part
+ if i == len(parts)-2 {
+ candidate = parts[i] + "." + parts[i+1]
+ } else {
+ candidate = parts[i] + "." + candidate
+ }
+
 // now, check if candidate domain is part of any blocklist entry
 blocklisted, err = f.Cache.GetBlocklistEntry(context.Background(), blocklistId, candidate)
 if err != nil {
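Review bot: The new comment says the loop excludes the full FQDN, but the bound `i >= 0` still builds the complete name on the last iteration, so the comment and the code disagree. The candidate set is the same as before (the two-label suffix up to the full name, now tried shortest first), so this is a documentation problem rather than a change in what gets matched. If the exact name is already looked up above this hunk, the last iteration is a redundant cache call and the bound could be `i >= 1`; otherwise the comment should read `// iterate over all parent domains, from the two-label suffix up to the full FQDN`, so that nobody later narrows the loop and drops the exact-match check. The first-iteration special case can go by seeding `candidate := parts[len(parts)-1]` before the loop and always running `candidate = parts[i] + "." + candidate`. A name with a trailing dot would yield candidates such as `com.` that probably never match a stored entry, so it is worth confirming that `fqdn` is normalized before this point; the function body starts and ends outside the hunk.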