
Unifi Content Filtering


In this post we will take an in-depth look at Unifi content filtering. A good 20%+ of our user base operates on Unifi hardware, and as such we often get asked about Unifi features and configurations. In this post we will discuss why ScoutDNS is such a good option for Unifi network users.

In controller versions 5.9+ and gateway firmware 4.418+, Unifi products started offering internet security settings. One of these settings focuses on content filtering. Initially called “DNS Filters”, which gives us a clue as to how it actually filters, the UI now displays this section simply as “Content Filtering”.

UDM Pro Internet Security Options

It’s worth noting, of course, that much of this is clearly listed as Beta or, in the case of Content Filtering, marked as Alpha, and should be treated as such. Let’s look at a few of the options and compare them to what you might get with ScoutDNS.

Content Filter Options on Unifi

The selection of filter settings is very limited. Selecting Family Filter or Block Adult will also add the Security blocks. There is no way to select specific categories or choose the level of Safe Search or YouTube restrictions. According to Unifi documentation, the filtering options are as follows:

Security

Blocks access to phishing, spam, malware, and malicious domains. The database of malicious domains is updated hourly. Note that it does not block adult content.

Block Adult

Blocks access to all adult, pornographic and explicit sites. It does not block proxy or VPNs, nor mixed-content sites. Sites like Reddit are allowed. Google and Bing are set to the “Safe Mode”. Malicious and Phishing domains are blocked.

Family Safe

Blocks access to all adult, pornographic and explicit sites. It also blocks proxy and VPN domains that are used to bypass the filters. Mixed content sites (like Reddit) are also blocked. Google, Bing, and YouTube are set to the Safe Mode. Malicious and Phishing domains are blocked.


Content Filter Options on ScoutDNS

On ScoutDNS, admins have granular control over what is blocked or allowed: everything from multiple options for Safe Search and three YouTube modes to 6 categories of threats, 54 categories of content, and 16 categories of applications. You can find a detailed explanation of the content categories here.


Allow/Block Lists on Unifi

With Unifi the custom allowing or blocking of domains is very simple, yet cumbersome to manage beyond a few entries. You add entries into either the allow or block line and can remove them later by clicking the “x” next to the domain.


Allow/Block Lists on ScoutDNS

ScoutDNS offers the ability to have multiple separate Allow/Block lists designed as objects. This means that these Allow/Block lists can be created and assigned to one or more policies, allowing admins to manage the impact on any number of networks from a single object. In addition, any number of lists can be designated “Global”, which applies the list to all networks without specification in a policy.


Top Level Domain Filtering on Unifi

The Unifi UI does allow for specific blocking of top level domains; however, as with most vendors, it is a block-only option. This makes managing the 1588+ and growing TLDs on the internet today quite cumbersome.


Top Level Domain Filtering on ScoutDNS

Security is the largest focus for us at ScoutDNS and we believe in filtering by top level domains. We believe in TLD filtering so much, in fact, that we built an entire module for it along with accompanying rich insights/reporting functionality.

TLD filtering on ScoutDNS works similarly to our Allow/Block lists in that TLD lists are created as custom list objects and can then be assigned at the policy level. The biggest difference between how we manage TLDs and how all other providers do is that we give the option to block all and allow some, versus allow all and block some. This allows a sort of zero trust TLD management for networks. Because 1588+ TLDs exist, with new ones added every year, and a large percentage of known and unknown threats occur outside the traditional .com/.nets of the web, managing TLDs by permitted lists allows admins to easily enable only the top level domains needed for their business use case.
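The difference between the two TLD models described above, as an added example (this is not ScoutDNS or Unifi code; the policy class, mode names, and sample queries are hypothetical and constructed for illustration). It shows that a TLD nobody thought to list passes a block-only policy but is stopped by a permitted-list policy.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TldPolicy:
    # "block_some": allow everything except listed TLDs (block-only model)
    # "allow_some": block everything except listed TLDs (permitted-list model)
    mode: str
    tlds: frozenset

def tld_of(qname: str) -> str:
    """Rightmost label, lower-cased, ignoring the trailing root dot."""
    return qname.strip().rstrip(".").lower().rsplit(".", 1)[-1]

def decide(qname: str, policy: TldPolicy) -> str:
    listed = tld_of(qname) in policy.tlds
    if policy.mode == "allow_some":
        return "allow" if listed else "block"
    if policy.mode == "block_some":
        return "block" if listed else "allow"
    raise ValueError(f"unknown mode: {policy.mode}")

# Constructed policies: the admin has blocked one TLD, or permitted three.
BLOCK_SOME = TldPolicy("block_some", frozenset({"to"}))
ALLOW_SOME = TldPolicy("allow_some", frozenset({"com", "net", "org"}))

# Constructed sample queries (reserved example names, mixed case, trailing dot).
QUERIES = [
    "www.example.com",
    "Portal.Example.NET.",
    "files.example.to",
    "login.example.zip",   # TLD not on either list
    "intranet",            # single-label name: its only label is treated as the TLD
]

def compare(queries):
    """Map each query to (block-only decision, permitted-list decision)."""
    return {q: (decide(q, BLOCK_SOME), decide(q, ALLOW_SOME)) for q in queries}

if __name__ == "__main__":
    for name, (block_only, permitted) in compare(QUERIES).items():
        print(f"{name:22} block-only={block_only:6} permitted-list={permitted}")
```

Under the permitted-list model, internal single-label or private suffixes must be added to the list explicitly, or they are blocked along with everything else.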


Content Level Reporting on Unifi

There is none.

Content Level Reporting on ScoutDNS

We are proud to offer some of the deepest and most insightful reporting in our market. In addition to our detailed activity log that allows the search and export of all log queries for 30 days (well beyond most of our competitors), we introduced our Insights data views earlier this year.

Domain Insights

The Domains insights subtab allows admins to view up to an industry leading 1000 unique accessed domains over the selected time frame, dating back up to 30 days. A number of different filtering options can be applied to sort and view only the data needed. From this view, domains can be added to an allow/block list with two clicks, or admins can drill down to correlated log data where they can even inspect any single query for the full RDATA and message response.


Category Insights

With the categories insights view, admins see all activity aggregated by recognized category. From here a user can drill down to view the specific domains or log data that make up the selected category. Further drill down to query data is also enabled in this view.


TLD Insights

Remember when we said we were serious about managing activity by Top Level Domains? Here, the TLD insights tab allows admins to view all internet data for the chosen time period aggregated by TLD.


As with all of our insights tabs, further drill down allows admins to inspect any activity in greater detail. In this example, the admin chose to drill down and view all unique domains that made up the .to top level domain.


Record Type Insights

This insights subtab allows admins to monitor and drill down into all DNS query activity grouped by their Record Type. This is a key view for monitoring expected and unexpected DNS layer activity. Are you hosting an unknown mail server that is generating MX requests? Do you have data exfiltration going on using large numbers of TXT requests? As with the rest of our views, admins can drill down to the specific domains, log data, and view the queries to get more detail. Are these TXT type records malicious or just harmless SPF records? With ScoutDNS you will know.
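The kind of record-type review described above can be reproduced over any exported DNS query log. The following is an added example, not ScoutDNS code: the log format, the sample lines, the function names, and the `min_unique` threshold are assumptions constructed for illustration. It groups queries by record type, then drills into TXT to separate a few repeated names (typical of SPF lookups) from many unique names under one domain, and lists which clients issue MX queries.

```python
from collections import Counter, defaultdict

# Constructed sample log, one query per line: "client qtype qname" (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 AAAA www.example.com
10.0.0.8 TXT example.com
10.0.0.8 TXT _spf.example.com
10.0.0.8 TXT example.com
10.0.0.9 MX example.org
10.0.0.7 TXT a1b2c3d4e5f60718.t.example.net
10.0.0.7 TXT 0f1e2d3c4b5a6978.t.example.net
10.0.0.7 TXT 9988776655443322.t.example.net
10.0.0.7 TXT 1122334455667788.t.example.net
"""

def parse(log):
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 3:                      # skip blank or malformed lines
            client, qtype, qname = parts
            yield client, qtype.upper(), qname.rstrip(".").lower()

def base_domain(qname):
    # Simplification: last two labels. Use the Public Suffix List for real data.
    return ".".join(qname.split(".")[-2:])

def by_record_type(log):
    """Query count per record type (the top-level grouped view)."""
    return Counter(qtype for _, qtype, _ in parse(log))

def txt_drilldown(log, min_unique=3):
    """Base domains with at least min_unique distinct TXT query names."""
    names = defaultdict(set)
    for _, qtype, qname in parse(log):
        if qtype == "TXT":
            names[base_domain(qname)].add(qname)
    return {d: len(n) for d, n in names.items() if len(n) >= min_unique}

def mx_clients(log):
    """Clients issuing MX queries; compare against your known mail servers."""
    return sorted({c for c, qtype, _ in parse(log) if qtype == "MX"})

if __name__ == "__main__":
    print(by_record_type(SAMPLE_LOG))
    print(txt_drilldown(SAMPLE_LOG))
    print(mx_clients(SAMPLE_LOG))
```

A flagged domain is a lead for review, not a verdict: some legitimate services also generate many unique TXT names, so the next step is inspecting the individual queries and responses.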


Multi Site vs. Single Site Options

With Unifi, you can manage multiple controllers from a single login, but there is no unified dashboard, reporting or policy duplication, so this is not very practical where the admin needs to manage more than one location. With ScoutDNS, admins can easily manage and monitor a single network or thousands of networks/locations and make related changes with ease using our object-based configurations.

Summary

All in all the options for Unifi content filtering are best suited for home network use, or users who do not need granular control and reporting. Network admins will likely prefer something more robust and complete like we provide here at ScoutDNS.
