
Content and Domain Filtering in UniFi

UniFi Gateways offer content filtering to block access to malicious, explicit, and inappropriate websites across your network. This is a DNS-level feature that can be flexibly applied to specific VLANs or client devices. 

For a full overview of UniFi’s Traffic and Policy Management capabilities, see here.

For a full overview of UniFi's Network and Cyber Security capabilities, see here.

Configuring Content Filtering

  1. Navigate to Content Filtering: Settings > CyberSecure > Content Filter
  2. Create Name: Assign a name to the policy.
  3. Select Source: Apply the policy to specific Networks and/or client Devices.
  4. (Optional) Enable Ad Blocking: Uses UniFi's internal database to block domains known to be associated with ads.
  5. (Optional) Enable Safe Search: Take advantage of the Safe Search feature integrated with Google, Bing, and/or YouTube, designed to block explicit content.
  6. Select Filtering Policy
    1. Off
    2. Basic: A pre-defined configuration used to block content associated with malicious, explicit, or adult domains.
    3. Enhanced: An advanced filtering solution powered by Cloudflare, offering 100+ category-based filters managed by their industry-leading security team. Ideal for professional and enterprise environments requiring strict policy enforcement or compliance-driven controls. For more information, see CyberSecure Enhanced by Proofpoint and Cloudflare.
  7. (Optional) Create Allowlist and Blocklist
    1. Allowlist: Use this to allow a domain that would otherwise be blocked by the filtering policy selected above.
    2. Blocklist: Use this to block additional domains that are not already blocked by the filtering policy selected above.
  8. (Optional) Set a Schedule: Set up a Schedule for when the policy should be applied.

How It Works

Content filtering works by redirecting DNS traffic to the UniFi Gateway for inspection. Requests are compared against internal blocklists (or enhanced category filters), and access is denied before the browser can connect to the site. This mechanism allows filtering without any client-side configuration and is updated automatically.
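The decision the gateway makes for each redirected query can be modelled in a few lines. The following is an added example (not UniFi code) that evaluates a query against the pieces described above: the policy level, the ad-block database, and the per-policy allowlist and blocklist, with subdomain matching so that a listed domain also covers its hosts. The category and ad databases are constructed placeholders, and the ordering (allowlist wins over every block source) is an assumption of this model, not documented UniFi behaviour.

```python
"""Toy model of DNS-level content filtering on a gateway.

Every client query is redirected to the gateway, which answers from
the policy before the client can open a connection. Added example;
the databases below are constructed placeholders, not UniFi's lists.
"""
from dataclasses import dataclass, field


@dataclass
class FilterPolicy:
    name: str
    sources: set                 # network (VLAN) names or client IDs it applies to
    level: str = "Basic"         # "Off", "Basic" or "Enhanced"
    ad_block: bool = False
    allowlist: set = field(default_factory=set)
    blocklist: set = field(default_factory=set)


# Constructed sample databases: domain -> category.
BASIC_BLOCKED = {"malware.example": "malicious", "adult.example": "adult"}
ENHANCED_BLOCKED = dict(BASIC_BLOCKED, **{"gambling.example": "gambling"})
AD_DOMAINS = {"ads.example"}
LEVELS = {"Off": {}, "Basic": BASIC_BLOCKED, "Enhanced": ENHANCED_BLOCKED}


def _match(qname, domains):
    """Return the listed domain that qname equals or is a subdomain of, else None."""
    q = qname.lower().rstrip(".")
    for d in domains:
        if q == d or q.endswith("." + d):
            return d
    return None


def evaluate(policy, source, qname):
    """Return ("allow"|"block", reason) for a query from `source` for `qname`.

    Assumed precedence: policy scope, then allowlist, then custom blocklist,
    then ad-block database, then the selected category level.
    """
    if source not in policy.sources:
        return "allow", "policy does not apply to this source"
    if _match(qname, policy.allowlist):
        return "allow", "allowlist"
    hit = _match(qname, policy.blocklist)
    if hit:
        return "block", f"blocklist:{hit}"
    if policy.ad_block and _match(qname, AD_DOMAINS):
        return "block", "ad"
    categories = LEVELS[policy.level]
    hit = _match(qname, categories)
    if hit:
        return "block", f"category:{categories[hit]}"
    return "allow", "no match"


if __name__ == "__main__":
    guests = FilterPolicy("Guests", {"Guest-VLAN"}, "Basic", ad_block=True,
                          allowlist={"adult.example"}, blocklist={"social.example"})
    for q in ("cdn.malware.example", "www.adult.example", "social.example",
              "ads.example", "gambling.example"):
        print(q, evaluate(guests, "Guest-VLAN", q))
```

Note that `gambling.example` is allowed under Basic but would be blocked under Enhanced, and that a query from a source outside the policy's scope is never filtered, which is the check to run first when a client unexpectedly resolves a domain you expected to be blocked.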

Note: DNS Shield cannot be used with Content Filtering on UniFi Gateways running version 4.2 and earlier.

Support for Local DNS Resolution

Because content filtering relies on DNS redirection, requests to internal or manually configured DNS servers (such as those used by Active Directory) may fail unless routing is explicitly handled.

The table below summarizes the DNS forwarding and SNAT requirements for each topology (the SNAT column follows the rule stated in the SNAT section below):

Scenario                                         | Requires DNS Forwarding | Requires SNAT
DC on a local VLAN                               |                         | No
DC via Site Magic SD-WAN                         |                         | No
DC via Route-Based IPsec VPN (with VTI address)  |                         | No
DC via Route-Based IPsec VPN (no VTI address)    |                         | Yes
DC via Policy-Based IPsec VPN                    |                         | Yes

To restore proper resolution of internal DNS zones, follow the steps below.

Creating a DNS Forwarding Rule

  1. Navigate to DNS forwarding rules.
    1. Network 9.3: Settings > Policy Engine > DNS.
    2. Network 9.4: Settings > Policy Table.
  2. Create the rule:
    1. In Network 9.3: Click Create DNS.
    2. In Network 9.4: Click Create New Policy > Select "DNS".
  3. Add a new domain entry:
    1. Domain: Your internal domain (e.g., corp.local)
    2. Target IP: IP address of your domain controller

Creating a Source NAT (SNAT) Rule

Required only for policy-based IPsec or route-based VPNs without VTI addresses.

  1. Navigate to the NAT section.
    1. Network 9.3: Settings > Policy Engine > NAT.
    2. Network 9.4: Settings > Policy Table.
  2. Create the rule:
    1. In Network 9.3: Click Create New > Src. NAT
    2. In Network 9.4: Click Create New Policy > Select "NAT" > Src. NAT
  3. Configure the rule:
    1. Rule Type: Source NAT
    2. Description: e.g., SNAT for DNS to remote DC
    3. Protocol: UDP and TCP
    4. Source IP: Leave blank
    5. Destination IP: IP of the domain controller
    6. Translated IP: IP of the Gateway’s LAN interface
    7. Interface:
      1. For a policy-based VPN: use the WAN interface where IPsec is configured
      2. For a route-based VPN: use the Site-to-Site VPN interface

This ensures that return packets from the DNS server can properly reach the Gateway.
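To make the forwarding and SNAT rules concrete, here is an added example (not UniFi code) that models the gateway's outbound path for a forwarded query to a remote domain controller. It applies the DNS forwarding rule (internal zone to DC IP) and then checks, for each VPN topology, whether a query the gateway originates can enter the tunnel and whether the remote site has a route back to the source address. All addresses, the tunnel selectors and the remote site's routes are constructed placeholders; the model is simplified (a policy-based tunnel only carries traffic matching its selectors, a VTI with no address makes the gateway source from another interface, here the WAN) and is not a description of UniFi internals.

```python
"""Model of a forwarded DNS query over a site-to-site VPN, with and without SNAT.

Added example with constructed addresses; not UniFi code.
"""
import ipaddress as ip

# Constructed placeholder addressing.
LAN_IP = ip.ip_address("192.168.1.1")       # gateway LAN interface
WAN_IP = ip.ip_address("203.0.113.10")      # gateway WAN interface (TEST-NET-3)
VTI_IP = ip.ip_address("10.255.0.1")        # VTI address, when one is assigned
DC_IP = ip.ip_address("10.10.0.5")          # remote domain controller
LAN_NET = ip.ip_network("192.168.1.0/24")
VTI_NET = ip.ip_network("10.255.0.0/30")

# DNS forwarding rule: internal zone -> target IP (as created in the policy table).
FORWARDING = {"corp.local": DC_IP}

# Simplified per-topology behaviour (assumptions of this model):
#   selector       - policy-based tunnels encrypt only traffic matching it
#   remote_routes  - prefixes the remote site routes back through the tunnel
#   self_addr      - address the gateway uses for its own traffic without SNAT
TUNNEL = {
    "policy-based":      {"selector": LAN_NET, "remote_routes": [LAN_NET], "self_addr": WAN_IP},
    "route-based-vti":   {"selector": None, "remote_routes": [LAN_NET, VTI_NET], "self_addr": VTI_IP},
    "route-based-novti": {"selector": None, "remote_routes": [LAN_NET], "self_addr": WAN_IP},
}


def pick_target(qname):
    """Conditional forwarding: internal zones go to the DC; None means
    the query stays with the content-filtering resolver."""
    q = qname.lower().rstrip(".")
    for zone, target in FORWARDING.items():
        if q == zone or q.endswith("." + zone):
            return target
    return None


def forwarded_query_ok(topology, snat):
    """Return (ok, reason) for a gateway-originated query to the DC.

    snat=True applies the article's Source NAT rule: translate the
    source to the gateway's LAN interface address.
    """
    t = TUNNEL[topology]
    src = LAN_IP if snat else t["self_addr"]
    if t["selector"] is not None and src not in t["selector"]:
        return False, f"{src} does not match the tunnel's local selector {t['selector']}"
    if not any(src in net for net in t["remote_routes"]):
        return False, f"DC has no return route to {src} through the tunnel"
    return True, f"query sourced from {src}, reply routes back"


if __name__ == "__main__":
    print("dc1.corp.local ->", pick_target("dc1.corp.local"))
    print("example.com    ->", pick_target("example.com"))
    for topo in TUNNEL:
        for snat in (False, True):
            print(f"{topo:18} snat={snat!s:5}", forwarded_query_ok(topo, snat))
```

The two failure cases are the ones the article's SNAT rule exists for: on a policy-based tunnel the gateway's own source address falls outside the local selector, and on a route-based tunnel without a VTI address the reply has no tunnel route back. Translating the source to the LAN interface address fixes both, while a route-based tunnel with a VTI address already works without it.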
