Skip to content
MKController

Block Ads on MikroTik — DNS Firewall

Summary

The MKController DNS content filter blocks ads, malware, adult content, and other unwanted categories at the DNS level across your entire MikroTik network — centrally managed, no scripting required, and with a free tier of 100,000 requests per month for all paying customers.

The MKController DNS content filter is a cloud-managed DNS-level blocking service for MikroTik networks. It intercepts DNS queries from devices on your network and blocks any domain that matches your configured categories — before the browser ever makes a connection. No adlist maintenance, no manual IP blocking, no scripting on RouterOS.

This is the same approach used by enterprise-grade DNS security tools (Cisco Umbrella, Cloudflare Gateway), now available as a built-in MKController feature.

How does DNS content filtering compare to other blocking methods on MikroTik?

MethodBlocks atNeeds scriptingPer-site rulesAdlist updatesCentral dashboard
MKController DNS filterDNS layer❌ None✅ Yes✅ Automatic✅ Yes
Manual RouterOS adlistDNS layer✅ Yes⚠️ Manual❌ Manual❌ No
RouterOS firewall rulesIP layer✅ Yes⚠️ Complex❌ Manual❌ No
Layer 7 protocol filterApplication✅ Yes⚠️ Limited❌ Manual❌ No

Why use DNS content filtering?

The DNS content filter lets you block access to unwanted content — inappropriate sites, malware domains, gambling, social media, ads — at the DNS level, without touching individual device firewall rules.

  • Protect children, employees, and customers from harmful or distracting sites
  • Block entire categories (15 categories available, or pick your own)
  • Apply different filter profiles per site, client, or branch
  • Customize the block page with your logo and message

What is a DNS content filter?

When a device tries to visit malware-site.com, it first asks a DNS server: “What is the IP of this domain?” A DNS content filter intercepts that question and, if the domain is on a blocked category list, returns an error instead — the connection never happens. The filter operates at the DNS layer, so it catches every device on the network without any per-device configuration.

How to set up a DNS content filter in MKController

Step 1 — Open the Content Filter menu

Log in at app.mkcontroller.com and click the DNS icon in the left sidebar. First-time users will see an overview — click Next to begin.

Content_Filter_on_MKController

Step 2 — Create your first filter

Click Create Content Filter and give it a name (for example, the client’s name or the filter’s purpose). You can create as many filters as you need — each one can have different rules.

Step1_ContentFilter_on_MKController

Step2_ContentFilter_on_MKController

Step 3 — Choose a protection level

Select the level that matches your use case:

Step3_ContentFilter_on_MKController

LevelCategories blockedBest for
High15 (recommended)Homes, schools, public Wi-Fi
Medium9Workplaces, co-working spaces
Low2Basic malware-only protection
None0Monitoring without blocking
CustomYou chooseISPs building per-client profiles

Scroll down to review all available categories before confirming.

Step4_ContentFilter_on_MKController

Step 4 — Link the filter to a MikroTik device

Go to Devices in the left menu and click Link to connect this filter to one or more adopted MikroTik routers. You control exactly which devices use which filter.

Step5_ContentFilter_on_MKController

Step6_ContentFilter_on_MKController

The system displays the primary and secondary DNS IP addresses to apply on your MikroTik. Click Continue and wait for the success confirmation.

How to create a custom block page

When a device tries to visit a blocked site, you can show your own branded page instead of a generic error.

Step 1 — Go to Block Screen

In the left Content Filter menu, click Block Screen.

Step7_ContentFilter_on_MKController

Step 2 — Upload your logo and message

Enable Header Image to upload your logo and Welcome Text to add a custom message. A live preview shows exactly what users will see.

Step8_ContentFilter_on_MKController

Advanced settings

In Settings (left Content Filter menu) you can fine-tune the filter:

Step9_ContentFilter_on_MKController

  • Category Test — Enter any URL to see which category it falls into
  • Allowed Sites — Whitelist specific domains that bypass filtering regardless of category
  • Denied Sites — Explicitly block domains even if their category is not selected
  • Adjust Categories — Change the protection level or toggle individual categories

Who uses DNS content filtering most?

ISPs building premium Wi-Fi packages — Offer “Safe Browsing” or “Family” Wi-Fi tiers with content filtering as a differentiator. One filter profile per customer segment, managed from a single dashboard.

Schools and libraries — Block adult content, social media, and gaming sites for students. Set a High protection profile and forget about it — the category lists update automatically.

Enterprises and co-working spaces — Keep employees and guests on-task by blocking social media and streaming during business hours, without complex per-device firewall rules.

Add DNS content filtering to your MikroTik network today

Start your free 3-day trial — no credit card required. Create your first filter, link it to a device, and have network-wide DNS blocking active in under 10 minutes.