# DNS Content Filtering

> Create DNS policies that combine category filtering, SafeSearch enforcement, and domain allow or block lists.

DNS Content Filtering lets you control browsing behavior across managed sites without hand-editing DNS rules on each router. A policy can combine category controls, SafeSearch settings, and explicit domain lists.

## Prerequisites

* You have access to the team that owns the target sites.
* The sites you want to protect are online and managed by SDX.
* You know whether the policy should apply broadly or only to tagged site groups.

## Policy Structure

DNS policies are built from three main areas.

<CardGroup cols={3}>
  <Card title="Categories" icon="tags">
    Choose content and application categories to block. Adult content can be controlled separately from other categories.
  </Card>

  <Card title="SafeSearch" icon="search-check">
    Select the search engines where SDX should enforce safer search behavior.
  </Card>

  <Card title="Domains" icon="globe-lock">
    Add explicit domain allow-list or block-list entries when a category alone is too broad.
  </Card>
</CardGroup>

Domain lists are useful for exceptions. For example, you can block a broad category while allowing a required business domain inside that category, or you can block a specific domain that is not covered by a category.

<Warning>
  DNS-over-HTTPS and DNS-over-TLS can let clients bypass DNS controls if the network allows them. If you enable DoH or DoT blocking, validate the result with your endpoint and network teams because it can affect public DNS clients and privacy tooling.
</Warning>

## Create a DNS Policy

1. Open **Policies** and select **Content Filtering**.
2. Create a policy with a clear name that describes its purpose, such as `Branch Standard` or `Guest Wi-Fi Strict`.
3. Select the categories you want to block.
4. Configure SafeSearch for supported search engines.
5. Add domain allow-list or block-list entries for precise exceptions.
6. Attach the policy to the sites that should use it.
7. Monitor user reports and site health after the change.

## Advanced Use Cases

Use multiple policies when one audience should have a different browsing posture from another. For example, guest networks, staff networks, and education environments often need different category and domain choices.

Use site tags to keep assignments maintainable. Instead of attaching a policy to every site manually, group sites with tags such as `environment:guest`, `region:apac`, or `site-type:school`, then apply the policy consistently to that group.

## Validation

After you attach a policy, test from a client behind the target site.

1. Confirm blocked categories fail as expected.
2. Confirm allowed business domains still resolve.
3. Confirm SafeSearch behavior in the selected search engines.
4. Watch [Fault Logging](../monitoring/fault-logging) and user reports for unintended impact.
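
The first three checks as a script to run on a client behind the target site. This is an added example, not Altostrat code. It assumes a blocked name either fails to resolve or returns a sinkhole address, and that SafeSearch is enforced by answering the search hostname with the engine's published SafeSearch host; the page states neither, and the domains in the plan are constructed placeholders.

```python
import socket

# Assumption: SafeSearch hostnames published by the search engines, not by this page.
SAFE_HOSTS = {"www.google.com": "forcesafesearch.google.com",
              "www.bing.com": "strict.bing.com"}

def resolve(name):
    """Addresses from the client's configured resolver; empty set on failure."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()

def is_blocked(addrs, sinkholes):
    """Blocked means no answer at all, or every answer is a sinkhole address."""
    return not addrs or addrs <= set(sinkholes)

def validate(plan, resolver=resolve, sinkholes=("0.0.0.0", "::")):
    """plan is a list of (domain, expectation); expectation is 'blocked',
    'allowed' or 'safesearch'. Returns (domain, expectation, passed, addrs)."""
    results = []
    for domain, expect in plan:
        addrs = resolver(domain)
        if expect == "blocked":
            ok = is_blocked(addrs, sinkholes)
        elif expect == "allowed":
            ok = not is_blocked(addrs, sinkholes)
        elif expect == "safesearch":
            # Enforced lookups land only on the SafeSearch host's addresses.
            safe = resolver(SAFE_HOSTS[domain])
            ok = bool(addrs) and addrs <= safe
        else:
            raise ValueError(f"unknown expectation: {expect}")
        results.append((domain, expect, ok, sorted(addrs)))
    return results

if __name__ == "__main__":
    # Constructed plan: replace with domains that match your own policy.
    PLAN = [("blocked-category.example", "blocked"),
            ("required-business.example", "allowed"),
            ("www.google.com", "safesearch")]
    for domain, expect, ok, addrs in validate(PLAN):
        print(f"{'PASS' if ok else 'FAIL'}  {domain:28} expect={expect:10} {addrs}")
```

Pass your policy's block address in `sinkholes` if blocked names resolve to a block page rather than failing.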

<Tip>
  Pair DNS Content Filtering with [Security Essentials](./bgp-threat-mitigation) when you need both web category control and network-layer threat mitigation.
</Tip>
