DNSFilter Deployment Options

Article author
Fikayo Adepoju

Getting set up with DNSFilter is quick and easy; however, you need to know which deployment option is right for you. DNSFilter has a variety of deployment options available (the most widespread options of any DNS vendor), and you can select the one that best suits your use case.

You can also mix and match the available options depending on your filtering and reporting needs.

In this guide, we will be taking a look at each deployment option, its strengths and limitations, and when you should use it.

Network Forwarding

This is the easiest way to set up your network to use DNSFilter. It involves changing your network forward settings for DNS to point to any of our anycast IPs ( and You can do this at the firewall, router, or modem level (whatever handles your outbound traffic).

This will cause a portion or all of your network devices to be filtered by DNSFilter. For example, if you're using multiple firewalls/routers but only configure some to point to DNSFilter, it will only impact a fraction of your network.

The Network Forwarding deployment method is used to provide a blanket policy that covers all your devices, including printers, file servers, and any other node on your network.

This deployment option is very useful in scenarios where you have no control over the user’s endpoint and can’t install software, e.g. guest WiFi. You can still apply filtering policies even though you have no control over a device that is using your network.


Strengths

  • Simple deployment, no software required
  • Provides complete coverage of LAN devices

Implementation Considerations

  • Limited to one Policy (7 with NAT IPs): You can only apply one policy per network. 
  • Reporting is limited to the WAN level

When to use it

  • As a blanket method in combination with other deployment methods
  • When you don’t need per machine or per user statistics
  • When you only need one policy
  • When nobody you plan to cover is roaming offsite

For setup instructions and configurations using the Network forwarding deployment method, check out our network deployment guide.


Roaming Clients

The Roaming Client is a lightweight piece of software that binds to the network adapter on the device and proxies DNS traffic to our servers.

This gives you offsite protection, plus filtering and reporting granularity down to the device and user level.

You can assign a specific policy to a device, a user, or a group of users, and that policy will follow them around. For users, the policy will follow them no matter what device they are on.

Roaming Clients can be deployed using Remote Monitoring and Management (RMM) tools like Microsoft Intune (Microsoft Endpoint Manager) or installed per device.

Roaming Clients have the fewest limitations in terms of information. You get per-user and per-device statistics, as opposed to forwarding, where you only get aggregate statistics, and relays, where you only get per-IP statistics.

Roaming Clients are available for Windows, macOS, Android, iOS, and Chromebook.


Strengths

  • Available for all major platforms (Windows, Mac, iOS, Android, Chromebook)
  • Gives per device/user reporting
  • Off-site protection for roaming users

Implementation Considerations

  • Requires the installation of software

When to use it

  • When you need off-site protection
  • When you need per-user filtering or reporting

For instructions on how to deploy roaming clients, check out our roaming clients guide. You can also find detailed articles on how to deploy roaming clients for your preferred operating system (Windows, iOS, macOS, Android, Linux).



Relays

A relay is lightweight local DNS proxy software that allows you to apply filtering policies by IP or subnet on your network.

It is middleware that handles traffic internally and decides whether DNS queries go to a local DNS resolver, such as your Active Directory domain controller, or go outbound to the open internet, where they are filtered by us.

Speaking of Active Directory (AD), DNSFilter integrates seamlessly with AD using a hybrid deployment setup. You can get more details on deploying DNSFilter in your Active Directory environment here.

To use a relay, you start by installing the relay software on a dedicated machine or a VM, or by spinning up a Docker image. Once the relay is up and running, you point all your endpoints to the relay first. The relay then decides whether a query is for a local resource, in which case it just passes through, or an internet query, in which case it is sent to us.

We also have a NAT IP feature that allows you to map up to 7 VLANs in your network to specific filtering policies without the additional hardware or software.

When using relays, you maintain internal DNS routing to LAN resources. Thus, you’re not breaking anything internally and you can still access your file servers, printers, and any local network node. Relays are also fully compatible with an Active Directory environment. Nothing changes with your local routing.
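
A minimal model of the relay's per-query decision described above, added here as an illustration and not DNSFilter's relay code: names in local zones stay on the LAN resolver, and everything else goes upstream tagged with a policy chosen by the client's subnet. The zone names, subnets, policy names and the longest-prefix rule are assumptions.

```python
import ipaddress

# Constructed sample configuration (assumptions, not DNSFilter settings).
LOCAL_ZONES = ("corp.example.internal", "10.in-addr.arpa")
SUBNET_POLICIES = {
    "10.0.0.0/8": "default-staff",
    "10.20.0.0/16": "iot-restricted",
    "10.20.5.0/24": "printers",
}
FALLBACK_POLICY = "site-default"


def is_local(qname: str) -> bool:
    """True when qname equals a local zone or is a subdomain of one."""
    name = qname.rstrip(".").lower()
    # Match on a label boundary so "notcorp.example.internal" is not
    # mistaken for a name inside "corp.example.internal".
    return any(name == z or name.endswith("." + z) for z in LOCAL_ZONES)


def policy_for(client_ip: str) -> str:
    """Pick the policy of the most specific subnet containing the client."""
    addr = ipaddress.ip_address(client_ip)
    best = None
    for cidr, policy in SUBNET_POLICIES.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, policy)
    return best[1] if best else FALLBACK_POLICY


def route(client_ip: str, qname: str) -> tuple:
    """Return (destination, policy) for one DNS query seen by the relay."""
    if is_local(qname):
        # LAN names never leave the network, so no filtering policy applies.
        return ("local-resolver", None)
    return ("upstream-filter", policy_for(client_ip))


if __name__ == "__main__":
    for ip, name in [("10.20.5.7", "fileserver.corp.example.internal."),
                     ("10.20.5.7", "example.com"),
                     ("192.168.1.5", "example.com")]:
        print(ip, name, route(ip, name))
```
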


Strengths

  • Filters by IP/Subnet
  • Gives per-machine reporting

Implementation Considerations

  • Requires a machine, VM, or Docker to run with high availability

When to use it

  • When you need per machine or per IP statistics even on devices you don’t have control over like IoT devices.
  • When you can’t run Roaming Clients on a device
  • If you have a machine (physical or virtual) available to act as a proxy

For details on how to set up and configure relays, check out our relay deployment articles.


