Skip to main content

Documentation Index

Fetch the complete documentation index at: https://altostrat.io/docs/llms.txt

Use this file to discover all available pages before exploring further.

DNS Content Filtering lets you control browsing behavior across managed sites without hand-editing DNS rules on each router. A policy can combine category controls, SafeSearch settings, and explicit domain lists.

Prerequisites

  • You have access to the team that owns the target sites.
  • The sites you want to protect are online and managed by SDX.
  • You know whether the policy should apply broadly or only to tagged site groups.

Policy Structure

DNS policies are built from three main areas.

Categories

Choose content and application categories to block. Adult content can be controlled separately from other categories.

SafeSearch

Select the search engines where SDX should enforce safer search behavior.

Domains

Add explicit domain allow-list or block-list entries when a category alone is too broad.
Domain lists are useful for exceptions. For example, you can block a broad category while allowing a required business domain inside that category, or you can block a specific domain that is not covered by a category.
DNS-over-HTTPS and DNS-over-TLS can let clients bypass DNS controls if the network allows them. If you enable DoH or DoT blocking, validate the result with your endpoint and network teams because it can affect public DNS clients and privacy tooling.

Create a DNS Policy

  1. Open Policies and select Content Filtering.
  2. Create a policy with a clear name that describes its purpose, such as Branch Standard or Guest Wi-Fi Strict.
  3. Select the categories you want to block.
  4. Configure SafeSearch for supported search engines.
  5. Add domain allow-list or block-list entries for precise exceptions.
  6. Attach the policy to the sites that should use it.
  7. Monitor user reports and site health after the change.

Advanced Use Cases

Use multiple policies when one audience should have a different browsing posture from another. For example, guest networks, staff networks, and education environments often need different category and domain choices. Use site tags to keep assignments maintainable. Instead of attaching a policy to every site manually, group sites with tags such as environment:guest, region:apac, or site-type:school, then apply the policy consistently to that group.

Validation

After you attach a policy, test from a client behind the target site.
  1. Confirm blocked categories fail as expected.
  2. Confirm allowed business domains still resolve.
  3. Confirm SafeSearch behavior in the selected search engines.
  4. Watch Fault Logging and user reports for unintended impact.
Pair DNS Content Filtering with Security Essentials when you need both web category control and network-layer threat mitigation.