Using DNSFilter With Active Directory

Article author
Josh L
  • Updated

Active Directory

Active Directory Sync Tool

With our new Sync Tool you can integrate DNSFilter with your Active Directory, click the link above to learn more about our new features.

DNSFilter can be deployed easily and quickly in your Active Directory environment. However, there are some limitations. Most customers choose to implement a combination of Roaming Clients and DNS forwarding from the Domain Controller to have comprehensive filtering. This article outlines capabilities, limitations, and best practices for using our service in an AD environment.


Capabilities Limitations
✔️ GPO distribution of Roaming Clients 🚫 Limited to Windows OS only
✔️ Per-machine filtering  
✔️ AD Forwarding configuration  
✔️ Per-user logging  
✔️ Per-user filtering  
✔️ OU integration  


Installation Best Practices

Setting up DNSFilter on the Domain Controller

The starting point for using DNSFilter on your Active Directory network is to configure it as an upstream DNS resolver on your Domain Controllers. This will ensure a blanket level of filtering for your entire network. This can be done easily by setting our IPs into Server Manager. A full text and video walkthrough is located here.

Domain Controller Recommended Minimum

4 CPUs and 8GB RAM

Distributing the Roaming Client

Per-device filtering and reporting can be achieved easily by deploying the Windows Roaming Client. The Roaming Client is distributed as an MSI file. Installation can be through a script, or using a Group Policy Object (GPO). By default, Roaming Clients inherit the <> of the network to which they are assigned. You can easily change this to another policy for each machine or for a group. They will then have that policy whether on or off your corporate network.

Tip: We recommend taking advantage of the “tags” system when rolling out the Roaming Client. Using TAGS="tag1,tag2" as a command-line flag, you can set tags at install time which correspond to your user groups in Active Directory, such as “Sales” or “Development”. This will help you to have a similar structure reflected in the dashboard to what you have in Active Directory.

Applying Policies

Once the Roaming Clients are deployed, they will be populated in the Roaming Client management panel. From here, you can mass-select Roaming Clients by tags and then apply filtering policies to them. You can get as granular as desired, even customizing individual policies to apply to each client.


Selecting Roaming Clients by tag

Auditing Queries

Once the Roaming Client is installed on a machine, it will begin logging traffic to the DNSFilter dashboard. By navigating to the Query Log tool, you can filter traffic by Site or by individual machine. Selecting a specific computer will allow you to see a time-stamped log of DNS requests from that specific machine. This is useful for auditing the traffic of your users.

Was this article helpful?

2 out of 6 found this helpful

Have more questions? Submit a request



Please sign in to leave a comment.