Web Filtering best practices

What do you recommend in terms of web filtering? The way my predecessor set things up is that our guest wifi is filtered by a DNS-based filter, using an HP wireless controller.
Currently nothing on staff network/hard wired is filtered… What do you recommend to remedy this?

This is a loaded question and there is no one right answer. Most churches use a hardware appliance (like SonicWall) or DNS filtering as you do now.

If you continue with DNS filtering, you can set it for your entire network at your router or your domain controller, depending on how your network is configured today. Many people get hung up with DNS and domain controllers. Here is a great resource for explaining how to do this.

Be sure to create a firewall rule for port 53 to limit users from overriding the DNS settings with their own. Also, if using a third-party DNS service, do not mix it with Google DNS or others, as doing so may create cached response issues.

In full disclosure, I created ChurchDNS so this is something we use at my church. We have over 25 churches using it today.
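A way to check the port 53 rule described above from a client on the filtered network, as an added example that is not part of the original thread: it sends a DNS query straight to outside resolvers over UDP and TCP and reports which ones still answer. The resolver addresses (Google's 8.8.8.8, Cloudflare's 1.1.1.1) and the test name example.com are assumptions; substitute your own.

```python
import socket
import struct

def build_query(name, qid=0x1234):
    """Minimal DNS A-record query in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def is_answer(query, data):
    """True if data is a DNS response (QR bit set) echoing the query's ID."""
    return len(data) >= 12 and data[:2] == query[:2] and bool(data[2] & 0x80)

def probe_udp(server, port=53, name="example.com", timeout=2.0):
    """True if `server` answered a direct UDP query, i.e. the rule did not stop it."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (server, port))
            data, _ = s.recvfrom(512)
        except OSError:  # timeout or ICMP reject: nothing came back
            return False
    return is_answer(query, data)

def probe_tcp(server, port=53, name="example.com", timeout=2.0):
    """Same check over TCP, where each message carries a 2-byte length prefix."""
    query = build_query(name)
    try:
        with socket.create_connection((server, port), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)
            data = s.recv(514)
    except OSError:  # refused, dropped or timed out
        return False
    return is_answer(query, data[2:])

def audit(resolvers, **kw):
    """Map each outside resolver to the transports that got through."""
    probes = (("udp", probe_udp), ("tcp", probe_tcp))
    return {r: [t for t, p in probes if p(r, **kw)] for r in resolvers}

if __name__ == "__main__":
    # Run from a client on the filtered network; addresses are assumed examples.
    for resolver, leaks in audit(["8.8.8.8", "1.1.1.1"]).items():
        print(resolver, "BYPASS via " + "/".join(leaks) if leaks else "blocked")
```

If the firewall redirects port 53 to the filter instead of dropping it, the probe still gets a reply, so an answer means "not dropped" rather than proof that filtering was bypassed.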

If I needed a specific device to bypass the filtering, be it accomplished via using DNS to filter, how would that work?
I.e., an on-prem Exchange server.

Generally speaking, in most cases there would be no issue using on-prem Exchange with a DNS filter. We have a setting in ChurchDNS to block ALL MX records from client devices which can sometimes be used for malware. This of course would require you to set any on-premise mail servers to use a different DNS service or set up a different policy using a second network IP. Another reason some people will bypass DNS filtering for their Exchange/mail servers is to limit the data in their DNS filter logs. Bottom line, your Exchange server doesn’t really need the filtering (as long as you are not opening emails, or surfing the web on it) so you can bypass if you like, but in most cases it won’t matter if you don’t.

Tim, FYI, churchdns.com seems to be down right now.

The churchdns.com website was down last night a bit due to a major site update.

Fortunately, the website has nothing to do with the actual resolver service, which is based on a distributed architecture designed for 100% uptime. Thx for the heads up nonetheless.

Ah. I was actually going there to check out your offering.

Sorry for the inconvenience. It has been deemed Saturday nights are best for site maintenance. We use a customized plugin in wp that caused havoc in the db when two other plugins were updated.

Feel free to shoot me an email if you have any questions. I’m actually equally interested in all comments negative or positive as we are early on with the platform.