Ubiquiti Content Filtering

Morning all. I have a client that is wanting to block streaming services at the office, and I’ve purchased a UCG Ultra to replace a really old EdgeRouter to see if I can get that accomplished for them. I’ve been told that since their domain controller is running DHCP (and not their EdgeRouter), the content filtering won’t work when I set up the Ultra. Does this sound right to you guys? I know I can move DHCP, but I’m not sure how many devices might break if I do. Thanks!


It is two-fold: DNS and DHCP.

This is not true. You can set up DHCP relay.

Secondly, you can use the IP of the network as an upstream DNS server for the Active Directory DNS, because Windows heavily uses DNS for AD.

Another thought is you could install adguard, pi-hole or a different DNS filtering server on-premises. That way you don’t have to use a different firewall to get the same results. Unless you have other plans by switching to UniFi.


Thank you for the reply, really appreciate it. Truthfully, I just want the simplest solution to be able to block streaming services without disrupting the current environment. I don’t mind continuing to install the Ultra, as they have 6 WAPs I can move over to it from a Cloud Key and it’s better technology than they have now. So, figuring out the least complex way to block streaming is my main purpose now.

There is more than one way to do this, so "simplest solution" is a bit subjective.

You can have your internal DNS servers point to your Ultra for outside DNS requests (relay, as xMaximusx is suggesting).

Another route is to make your Ultra the DHCP server and primary DNS.

On the Ultra you can use a DNS rule to have all your local DNS requests go to your internal DNS server for resolution.

So you can keep your DHCP server as is (assuming Windows; just have the Windows DNS servers point to your Ultra ONLY, then the rules will apply to requests).


It depends on which devices you want to block. I block content on AD-managed devices using our EDR solution, Bitdefender. If they want to block content on Wi-Fi devices connected to their network, the UCG Ultra will do the job. Just don’t forget to block Private Relay DNS and DNS over HTTPS as well, because without blocking those, DNS-based filtering will not work.

When it comes to AD-managed devices, I get much better results blocking content using EDR on company devices. Since it runs directly on the device, the blocking works very well—even when users are connected to another Wi-Fi network or working remotely. The EDR will consistently block specific sites regardless of the network being used.
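The two pieces of advice in this thread (point the Windows DNS servers only at the Ultra, and make sure DNS over HTTPS or direct queries to public resolvers cannot sidestep the filter) as an added PowerShell example; this is not code from the thread or from Ubiquiti. The Ultra address 192.0.2.1, the zone corp.example and the host dc1 are placeholders, and the last two checks only report "OK" if the Ultra actually blocks those paths.

```powershell
$UltraIp  = '192.0.2.1'      # placeholder: the UCG Ultra's LAN address
$AdDomain = 'corp.example'   # placeholder: the internal AD DNS zone

# --- Part 1, on the Windows DNS server (run elevated): forward only to the Ultra ---
# Replaces the whole forwarder list (a leftover 8.8.8.8 would bypass the filter) and
# stops the server from falling back to root hints, which would also skip the filter.
Set-DnsServerForwarder -IPAddress $UltraIp -UseRootHint $false
$fwd   = @((Get-DnsServerForwarder).IPAddress | ForEach-Object { $_.IPAddressToString })
$extra = $fwd | Where-Object { $_ -ne $UltraIp }
if ($extra) { Write-Warning "Forwarders other than the Ultra are still configured: $($extra -join ', ')" }

# --- Part 2, on any domain client: verify AD still resolves and the bypass paths are closed ---
function Test-DnsPath {
    param([string]$Name, [string]$Server)
    # $true if the name resolves; with -Server the query goes straight to that resolver
    $p = @{ Name = $Name; DnsOnly = $true; QuickTimeout = $true; ErrorAction = 'Stop' }
    if ($Server) { $p['Server'] = $Server }
    try { [bool](Resolve-DnsName @p) } catch { $false }
}

function Test-DohPath {
    param([string]$Name)
    # $true if a public DNS-over-HTTPS endpoint answers, i.e. clients can resolve around the filter
    try {
        $r = Invoke-WebRequest -Uri "https://dns.google/resolve?name=$Name&type=A" `
                               -UseBasicParsing -TimeoutSec 5 -ErrorAction Stop
        $r.StatusCode -eq 200
    } catch { $false }
}

$checks = @(
    [pscustomobject]@{ Check = 'AD host via normal resolver';        Ok = (Test-DnsPath "dc1.$AdDomain");        Want = $true  }
    [pscustomobject]@{ Check = 'Direct query to a public resolver';  Ok = (Test-DnsPath 'example.com' '1.1.1.1'); Want = $false }
    [pscustomobject]@{ Check = 'DNS over HTTPS to a public endpoint'; Ok = (Test-DohPath 'example.com');          Want = $false }
)
# FAIL on the first row means AD lookups broke; FAIL on the other rows means the filter can be bypassed.
$checks | ForEach-Object {
    $verdict = if ($_.Ok -eq $_.Want) { 'OK' } else { 'FAIL' }
    '{0,-36} answered={1,-5} -> {2}' -f $_.Check, $_.Ok, $verdict
}
```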