Migrating from DNSFilter to Control D

Working Model

Most DNS filtering migrations are a concept-mapping exercise. For each policy in the old platform, create the equivalent Control D Profile, recreate the broad filters, import the allow/block exceptions as Custom Rules, then attach that Profile to the right Control D Endpoints.

DNSFilter to Control D: Concept Map

| DNSFilter Concept | What It Means in DNSFilter | Control D Equivalent |
| --- | --- | --- |
| Filtering Policy | The cloud policy that controls categories, threats, AppAware, privacy settings, allow lists, block lists, Labs, and schedules. DNSFilter says policies can be applied to Sites, Relays, Roaming Clients, Collections, and Users. | Control D Profile. Profiles are policies that contain Filters, Services, Custom Rules, and Profile Options. A Profile only takes effect when enforced on an Endpoint. |
| Site | A DNSFilter container used with Roaming Clients. DNSFilter says Sites connect filtering policies, local domains/resolvers, and DNS query/billing attribution. | Usually a Control D Endpoint, or a group of Endpoints, depending on deployment shape. If the DNSFilter Site represents one office/network resolver, create one Endpoint for that network. |
| Roaming Client | DNSFilter endpoint agent that applies the assigned policy wherever the device connects. | Control D Endpoint using the relevant deployment method, for example ctrld, OS profiles, MDM, router, or resolver-based deployment. |
| Categories / Threats / Privacy / Labs | DNSFilter broad blocking toggles. | Control D Filters. Enable the closest matching native or third-party Filters inside the matching Profile. |
| AppAware app blocking | DNSFilter app-level domain bundles. | Control D Services where there is a matching service. If there is no matching Service, recreate with Custom Rules. |
| Policy Allow List | Per-policy explicit domains that DNSFilter allows. DNSFilter says Allow Lists always win in its hierarchy. | BYPASS Custom Rules in the matching Control D Profile. Custom Rules are evaluated before Services and Filters, so this is the right place for exceptions. |
| Policy Block List | Per-policy explicit domains that DNSFilter blocks. | BLOCK Custom Rules in the matching Control D Profile. Put them in a clearly named folder like "DNSFilter Block List - Policy Name". |
| Universal Allow / Block Lists | DNSFilter blanket lists across all Filtering Policies. | Shared/base Control D Profile or shared Custom Rules folder strategy, enforced wherever the global behavior should apply. Keep allow and block lists separate. |
| Local Domains and Resolvers | DNSFilter Site-level local DNS handling. | Control D Active Directory/local domain handling. Use split horizon DNS or mirror private DNS records with Custom Rules, depending on the environment. |

Migration Steps

1. Inventory DNSFilter

  1. Export a list of Filtering Policies.
  2. For each policy, record enabled Categories, Threats, AppAware apps, Privacy settings, Labs options, schedules, and where the policy is applied.
  3. Record Sites, Roaming Clients, Relays, Collections, Users, and any local domains/resolvers.

2. Create One Control D Profile per DNSFilter Filtering Policy

  1. Name it after the original policy, for example DNSFilter Migration - Staff.
  2. If DNSFilter has a global Universal Allow or Block List, create a shared/base Control D Profile or consistent rule folder plan before recreating policy-specific rules.

3. Map Filters

  1. DNSFilter Categories, Threats, and Privacy settings usually map to Control D Filters.
  2. DNSFilter AppAware usually maps to Control D Services where a matching Service exists.
  3. Anything without a clean match becomes a Custom Rule set.
  4. Do not claim a one-to-one category match unless the category names and behavior are close enough. Mark unclear mappings for review.

4. Export DNSFilter Allow/Block Rules

  1. In DNSFilter, export each policy Allow List and Block List as CSV from the policy's Allow List or Block List page.
  2. DNSFilter notes and categories are not included in that export, so keep a screenshot or separate admin note if those matter.
  3. Export Universal Allow and Block Lists separately if used.

5. Normalize Rules for Control D

  1. Convert each CSV to a plain text list, one domain per line.
  2. Strip protocols, paths, quotes, blank rows, notes, and duplicate rows.
  3. Keep allow and block lists separate.
  4. Keep policy-level and universal lists separate.
  5. Control D custom rules require domains or subdomains (FQDNs), not full URLs. Preserve domains and subdomains. Wildcards are supported for broader matches (e.g., *.example.com). Review TLD-only entries carefully before importing.
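
One way to carry out step 5, as an added Python example (not DNSFilter or Control D code). It assumes the export has a header row and the domain in the first column; `normalize_entry`, `normalize_export` and the sample rows are constructed for illustration. Single-label (TLD-only) entries are held back for manual review instead of being written to the import list.

```python
import csv
import io
import re

# One DNS label: letters, digits, hyphens, no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def normalize_entry(raw):
    """Reduce one exported cell to a bare domain ('*.' prefix kept), or None."""
    value = raw.strip().strip("'\"").strip().lower()
    value = re.sub(r"^[a-z][a-z0-9+.-]*://", "", value)            # protocol
    value = re.split(r"[/?#]", value, maxsplit=1)[0]               # path, query, fragment
    value = value.rsplit("@", 1)[-1].split(":", 1)[0].rstrip(".")  # userinfo, port, root dot
    labels = value.split(".")
    host_labels = labels[1:] if labels[0] == "*" else labels
    if not host_labels or not all(LABEL.match(label) for label in host_labels):
        return None
    return value

def normalize_export(csv_text, domain_column=0, skip_header=True):
    """Return (rules, review): import-ready domains, and TLD-only entries to check by hand."""
    rules, review, seen = [], [], set()
    for index, row in enumerate(csv.reader(io.StringIO(csv_text))):
        if (skip_header and index == 0) or len(row) <= domain_column:
            continue  # header row, blank row, or short row
        domain = normalize_entry(row[domain_column])
        if domain is None or domain in seen:
            continue  # unusable cell or duplicate
        seen.add(domain)
        # A single label ("zip" or "*.zip") covers a whole TLD: hold it for review.
        bare = domain[2:] if domain.startswith("*.") else domain
        (rules if "." in bare else review).append(domain)
    return rules, review

# Constructed sample; the column layout is an assumption, not a documented export format.
SAMPLE = '''domain,note
https://Example.com/login?x=1,"sso, staff"
"cdn.example.com",
*.tracker.example.net,ads

example.com,duplicate
http://portal.example.org:8443/,
zip,whole TLD
'''

if __name__ == "__main__":
    rules, review = normalize_export(SAMPLE)
    print("\n".join(rules), "\nreview:", review)
```

Run it once per list so allow, block, policy-level and universal exports each produce their own output file.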

6. Import into Control D Custom Rules

  1. For DNSFilter Allow Lists, create BYPASS Custom Rules.
  2. For DNSFilter Block Lists, create BLOCK Custom Rules.
  3. Put rules in named folders so marketing/support can explain the migration cleanly later, for example DNSFilter Allow List - Staff and DNSFilter Block List - Staff.

7. Create or Assign Control D Endpoints

  1. For each DNSFilter Site or Roaming Client deployment group, create the matching Control D Endpoint(s