In this article
This article is an in-depth look at each deployment option, their advantages and considerations, and best use cases. DNSFilter offers three deployment options to mix and match to meet your filtering and reporting needs.
Ready to set up DNSFilter on your network? See our get started guide for details!
Moving to DNSFilter from another filtering service? Our team wrote up onboarding materials for migrating to DNSFilter that can help streamline the process!
Network Forwarding
This is the easiest way to set up a network to use DNSFilter.
Network Forwarding provides a blanket policy that covers all your devices including printers, files servers, and any other node on your network.
It involves changing the network forward settings for DNS to point to one of our anycast IPs (103.247.36.36 and 103.247.37.37). This can be done at the firewall, router, or modem level (whatever handles outbound traffic).
This will cause a portion or all of the network devices to be filtered by DNSFilter. For example, if you're using multiple firewalls/routers but only configure some to point to DNSFilter, it will only impact that part of the network.
This deployment option is useful in scenarios where you have no control over the user’s endpoint and can’t install software, e.g. guest Wi-Fi. You can still apply filtering policies even though you have no control over the device.
✅ Advantages |
⛔ Considerations |
✅ Simple deployment: no software required |
⛔ Limited to one Filtering Policy (7 with NAT IPs) per network |
✅ Provides complete coverage of Local Area Network (LAN) devices |
⛔ Reporting is limited to the wide-area network (WAN) level |
⚡️Pro Tip: Where our reporting is limited to the WAN level, many firewalls have reporting capabilities that can offer device-specific data. Using this additional resource can help monitor networks to pin point user traffic when troubleshooting filtering policies. Check your manufacturer's documentation for capability details.
Roaming Client
Roaming Clients are lightweight software that bind to the network adapter on the device and proxies DNS traffic to our servers, offering off site protection and filtering and reporting granularity down to the device and user level.
Administrators can assign specific policies to a device, user, or group of users that follows them everywhere: no matter what device they’re on. You can easily change policies for large groups of computers using tags. Tag use cases include: teachers/students, corporate departments, public/private computers, etc.
Roaming Clients can be deployed using Remote Software Management and Monitoring tools (RMMs) like Microsoft Intune (Microsoft Endpoint Manager) or installed per device.
If you’re data-minded, Roaming Clients offer per-user and per-device data, like your Entra ID (formerly Active Directory) domain controller. To compare, Network Forwarding offers aggregate data–the whole network–and Relays tie data to specific IP addresses.
Speaking of Entra ID: DNSFilter integrates seamlessly with Entra ID using a hybrid deployment setup.
✅ Advantages |
⛔ Considerations |
✅ Available for all major platforms (Windows, Mac, iOS, Android, Chromebook) |
⛔ Requires software installation |
✅ Provides per-device/user reporting |
|
✅ Off site protection for roaming users |
Relay
A Relay is a local DNS relay software that applies Filtering Policies by IP or subnet on the network.
It is a middleware that manages traffic within the system and determines whether to send DNS queries outbound to the public internet, where they are filtered by us, or to a local DNS resolver.
Since the Relay acts as the "middle man," DNS traffic will hit the relay, then decide where to send the request by making a binary decision and stating that it is either a "local query" (printer.lan) or a "website.com" request.
✅ Advantages |
⛔ Considerations |
✅ Filters by IP or subnet |
⛔ Requires machine (physical or virtual) or docker to run with high availability |
✅ Provides per-machine reporting |
⛔ Does not provide user-level filtering or user-level reporting like the Roaming Client |
Comments
0 comments
Article is closed for comments.