How to block websites on your UniFi Network
Sometimes you just need to block a few sites. Whether it’s Facebook in the office or adult sites at home, UniFi gives you a few tools to manage what users can and can’t access.
You don’t need expensive firewalls or a third-party DNS filter to make it work either. It’s all baked into UniFi if you know where to look.
Let's dive in!
Before we dive in, please don't self-host your UniFi Controller if you take care of client networks. Sooner or later this will cause issues! It's fine for home users, but definitely not recommended for IT service businesses and MSPs. If you want a secure, reliable and scalable hosting solution, check out UniHosted.
So, can UniFi block websites?
Yes, and there are three main ways to do it:
- Using firewall rules
- DNS filtering (with custom DNS or DNS redirect)
- Application identification via Deep Packet Inspection (DPI)
Each method works slightly differently, and which one you choose depends on what you’re trying to block and how much control you want.
Method 1: Blocking websites using firewall rules
This is the most direct method. You’ll be telling UniFi to block traffic to specific IP addresses or subnets.
How to do it:
- Log in to your UniFi Controller.
- Go to Settings > Security > Internet Threat Management > Firewall.
- Under LAN In (traffic from your LAN arriving at the gateway) or Internet Out, click Create New Rule. Internet In only matches traffic coming from the WAN, so a rule placed there won't stop anyone browsing out.
- Set the rule to Block.
- Set the destination to the site's IP address, or to an IP group holding all of its addresses. If your UniFi version lets you enter a domain name instead, remember the gateway still matches on addresses, so the entry only covers what that name currently resolves to.
- Apply it to the appropriate network or VLAN.
- Save and apply changes.
Pros:
- Precise control
- Works instantly
Cons:
- Websites can change IPs (so rules may break)
- Doesn’t work well with content delivery networks (CDNs): the site's addresses change often, and the same addresses serve unrelated sites, so a block can miss the target or take out something you did want
Method 2: Blocking with DNS filtering
This is the cleaner way for most people. You block websites by intercepting DNS requests and answering them with NXDOMAIN or a block-page address instead of the real one, so the client never learns where the site lives.
There are two ways to do this:
Option A: Use a filtered DNS service (like OpenDNS or NextDNS)
- Sign up for a DNS filter (OpenDNS is free).
- Add their DNS IPs to your network config under Settings > Networks.
- Block users from changing DNS manually by creating a firewall rule that drops DNS traffic (UDP and TCP port 53) to any destination other than your trusted server. Drop TCP port 853 (DNS over TLS) as well, or a client can simply switch to an encrypted resolver.
Option B: Redirect DNS traffic to your preferred DNS
- Create a destination NAT rule (where your gateway and UniFi version support it) that rewrites all outbound port 53 (DNS) traffic to your chosen DNS IP. Clients that hardcode another resolver still get answers, but from the one you picked.
- Use UniFi’s network settings to lock in a DNS provider with filtering enabled.
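Whichever option you pick, check it from a client on the filtered network rather than trusting the rule list. The script below is an added example, not UniFi code or anything from the page's author: it hand-builds a DNS query in RFC 1035 wire format, sends it to a resolver you name, and parses the reply. The gateway address is an assumption, and the sample response it parses offline is constructed, not captured traffic.

```python
"""Added example: verify the DNS lock-down from a client on the filtered network.

Not UniFi code. It hand-builds a DNS query (RFC 1035 wire format), sends it to a
resolver you name, and parses whatever comes back. Run it once against your
trusted resolver and once against a public one; with the drop rule in place the
public one should time out, with a redirect rule it should answer but with the
filtered resolver's verdict. The gateway address below is an assumption.
"""
import random
import socket
import struct
from typing import List, Optional, Tuple

TRUSTED_RESOLVER = "192.168.1.1"    # assumption: the UniFi gateway hands out this resolver
PUBLIC_RESOLVER = "1.1.1.1"          # a resolver the lock-down should stop clients from using


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Header (ID, RD=1, QDCOUNT=1) followed by one question for `name`."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)   # QTYPE, QCLASS=IN


def skip_name(buf: bytes, pos: int) -> int:
    """Advance past a (possibly compressed) domain name and return the new offset."""
    while True:
        length = buf[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:            # 2-byte compression pointer ends the name
            return pos + 2
        pos += 1 + length


def parse_response(resp: bytes) -> Tuple[int, List[str]]:
    """Return (RCODE, list of A-record addresses) from a DNS response."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    rcode = flags & 0x000F                   # 0 = NOERROR, 3 = NXDOMAIN
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(resp, pos) + 4       # QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        pos = skip_name(resp, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in resp[pos:pos + 4]))
        pos += rdlen
    return rcode, addrs


def probe(resolver: str, name: str, timeout: float = 2.0) -> Tuple[str, Optional[int], List[str]]:
    """One UDP query; 'no reply' after the timeout means the drop rule is doing its job."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name), (resolver, 53))
        data, _ = sock.recvfrom(512)
        rcode, addrs = parse_response(data)
        return "answered", rcode, addrs
    except socket.timeout:
        return "no reply", None, []
    finally:
        sock.close()


# Constructed sample response (not captured traffic): ID 0x1234, NOERROR, one A record
# 192.0.2.1 for example.com, with the answer name as a pointer back to the question.
SAMPLE_RESPONSE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                   + b"\x07example\x03com\x00\x00\x01\x00\x01"
                   + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xc0\x00\x02\x01")

if __name__ == "__main__":
    print("offline parse check:", parse_response(SAMPLE_RESPONSE))
    for resolver in (TRUSTED_RESOLVER, PUBLIC_RESOLVER):
        print(resolver, probe(resolver, "example.com"))
```

With the Option A drop rule, the public resolver line should read `no reply`; with the Option B redirect it will answer, so query a domain your filter is meant to block and check that the RCODE is 3 (NXDOMAIN) or the address is the filter's block page. A client that talks DNS over HTTPS on port 443 never goes through port 53 at all, which is why that case shows up later under the gotchas.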
Pros:
- Easy to manage
- Blocks new domains as filters update
- Doesn't require per-site rule creation
Cons:
- Users can bypass it if they're on a VPN or if their app uses DNS over HTTPS (port 443, which you can't block by port alone)
- Won't stop a client that connects straight to an IP address, since no lookup ever happens
Method 3: Using DPI and application blocking
If you’re using a UniFi Security Gateway or Dream Machine, DPI lets you block based on traffic type.
Steps:
- Go to Settings > Traffic & Security > Traffic Identification.
- Enable DPI.
- Go to Settings > Traffic & Security > Firewall & Security > Application Control.
- Add apps or domains to block, like social media, adult content, or video streaming.
This isn’t perfect, but it’s easier than building dozens of manual rules.
Pros:
- Blocks entire categories (not just sites)
- Works across all devices
- Easy to apply to guest VLANs
Cons:
- Not super granular
- Can break legit services if overused
Tips for blocking websites properly
- Use VLANs to isolate guest traffic or kids' devices. Apply filtering to that VLAN only.
- Test before rolling out: some apps break when domains they depend on are blocked.
- Add logging to firewall rules so you can see what’s being blocked.
- Combine DNS and DPI for stronger results. DNS for broad categories, DPI for known apps.
Common use cases
Blocking adult content
Use DNS filtering with OpenDNS and pick the FamilyShield preset (resolvers 208.67.222.123 and 208.67.220.123). No manual category config needed.
Blocking YouTube or Netflix at work
Use DPI to block streaming categories. You can also block youtube.com with a DNS rule or redirect; the video streams themselves come from googlevideo.com, so block that too if DNS is all you use.
Limiting social media during work hours
Use time-based firewall rules. UniFi evaluates rules top to bottom and applies the first match, so:
- Rule 1: Block Facebook/Twitter (their IP group) with a schedule of 8am–5pm, Monday to Friday
- Rule 2: Allow the same group after hours. You only need this rule if a broader block rule sits below it; when nothing matches, outbound traffic is allowed by default.
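To make the ordering concrete, here is a small first-match simulator. It is an added example, not UniFi code: it models the evaluation the gateway does (rules walked top to bottom, first match wins, outbound traffic allowed when nothing matches) on a constructed IP group built from documentation address ranges, and shows when the second "allow after hours" rule matters and when it does not.

```python
"""Added example: first-match simulation of scheduled UniFi-style block rules.

Not UniFi code. It models the evaluation order the gateway uses (rules walked top
to bottom, first match wins, outbound traffic allowed when nothing matches) on a
constructed IP group, so you can see when a second "allow after hours" rule is
needed and when it is not.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ALL_DAYS = frozenset(range(7))      # datetime.weekday(): Monday is 0
WORKDAYS = frozenset(range(5))      # Monday to Friday


@dataclass
class Rule:
    name: str
    action: str                      # "block" or "allow"
    dst: list                        # destination networks, i.e. the rule's IP group
    days: frozenset = ALL_DAYS
    start: Optional[time] = None     # None means no schedule: the rule is always active
    end: Optional[time] = None

    def active(self, when: datetime) -> bool:
        if self.start is None:
            return True
        if when.weekday() not in self.days:
            return False
        t = when.time()
        if self.start <= self.end:                   # window inside one day, e.g. 08:00-17:00
            return self.start <= t < self.end
        return t >= self.start or t < self.end       # window crosses midnight, e.g. 17:00-08:00

    def matches(self, dst, when: datetime) -> bool:
        return self.active(when) and any(dst in net for net in self.dst)


def evaluate(rules: List[Rule], dst_ip: str, when_iso: str) -> Tuple[str, str]:
    """Return (action, rule name) for a flow to dst_ip at the given ISO-8601 time."""
    dst = ip_address(dst_ip)
    when = datetime.fromisoformat(when_iso)
    for rule in rules:
        if rule.matches(dst, when):
            return rule.action, rule.name
    return "allow", "default"           # nothing matched: LAN In lets it through


# Constructed "social media" IP group built from documentation ranges; a real rule
# would hold the addresses facebook.com / twitter.com currently resolve to.
SOCIAL = [ip_network("192.0.2.0/24"), ip_network("2001:db8:1::/48")]

# Variant 1: one scheduled block rule and nothing below it. No allow rule needed.
WORK_HOURS_RULES = [
    Rule("Block social media 08-17 Mon-Fri", "block", SOCIAL, WORKDAYS, time(8, 0), time(17, 0)),
]

# Variant 2: an always-on block sits below, so a scheduled allow must come first
# or after-hours traffic is caught by the block rule anyway.
AFTER_HOURS_RULES = [
    Rule("Allow social media after hours", "allow", SOCIAL, ALL_DAYS, time(17, 0), time(8, 0)),
    Rule("Block social media", "block", SOCIAL),
]

if __name__ == "__main__":
    for label, rules in (("work-hours only", WORK_HOURS_RULES), ("allow + always-on block", AFTER_HOURS_RULES)):
        for when in ("2024-06-10T10:00", "2024-06-10T18:00", "2024-06-08T10:00"):   # Mon, Mon, Sat
            print(label, when, evaluate(rules, "192.0.2.10", when))
    # The site moved to an address outside the group (the CDN problem): the rule misses.
    print("drifted address", evaluate(WORK_HOURS_RULES, "198.51.100.5", "2024-06-10T10:00"))
```

Two things the run makes visible: in the second variant the "after hours" allow is written as a 17:00 to 08:00 window, so Saturday daytime is still blocked by the always-on rule below it (widen the schedule if that is not what you want), and a destination that has drifted out of the IP group sails past both rule sets, which is the CDN problem from Method 1 in miniature.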
Parental controls at home
Put kids’ devices on their own VLAN, use DNS filtering + firewall rules to block explicit content, and log activity.
Gotchas to watch out for
- Mobile apps often bypass DNS by hardcoding IPs or using DNS over HTTPS.
- VPNs break everything: users can route traffic through another network.
- HTTPS hides the URL and the page content. The hostname is visible only in the TLS ClientHello (the SNI field that DPI keys on), and since UniFi doesn't intercept SSL/TLS, that hostname is all the gateway ever gets.
For these reasons, website blocking on UniFi is good for casual control, not hardcore enterprise security.
Extra: Using external tools
If you want tighter control:
- NextDNS: Great logs, easy to use, and supports client-based filtering.
- Pi-hole: Blocks ads and domains at DNS level. Can run on a Raspberry Pi.
- pfSense: More advanced firewall with content filtering plugins.
You can route your UniFi network’s DNS through any of these for stronger filtering without touching individual devices.
Final thoughts
UniFi gives you solid tools for basic website blocking, whether that’s for your office, kids, or guest networks. You can use firewall rules for exact blocks, DNS filtering for categories, and DPI to block entire app types.
It’s not bulletproof, and it won’t stop a tech-savvy user from getting around it. But it works well for most setups, especially when combined with proper network segmentation and a bit of DNS control.
And if you manage this stuff for clients, don’t self-host the controller. We run hosted UniFi controllers at UniHosted so you don’t have to mess with updates, backups, or access issues. It’s faster, easier, and just plain better.