Accounting for IPv6 in Your Content Filtering Strategy

Nov 15, 2021
Daniel Cid (@dcid)

Organizations implementing DNS-based content filtering must account for both IPv4 and IPv6 protocols. Failing to configure IPv6 DNS settings can create security gaps that allow users to bypass your filtering entirely.

What is IPv6?

IPv6 is the successor protocol to IPv4, developed because the pool of available IPv4 addresses was becoming exhausted. Introduced in 1998, IPv6 adoption remained sluggish for decades but is now accelerating as modern devices ship with IPv6 enabled by default.

The two protocols use different address formats:

  • IPv4 example: 185.228.168.168
  • IPv6 example: 2a0d:2a00:0001:0000:0000:0000:0000:0000

How IPv6 Creates Filtering Gaps

Many network administrators configure only IPv4 DNS values and omit the IPv6 settings. When devices, routers, and ISPs all support IPv6, this oversight lets DNS queries travel through unfiltered IPv6 channels. Even if your IPv4 primary DNS points to a filtering service like CleanBrowsing (e.g., 185.228.168.168), that filter is ineffective for any traffic routed over IPv6.

Three Conditions Required for Bypass

For IPv6 to bypass your content filtering, three conditions must be met simultaneously:

  • Devices must support IPv6. This is now standard on mobile devices, gaming consoles, and desktop systems.
  • Routers must support IPv6 routing. Many manufacturers still lag in their IPv6 implementation.
  • ISPs must provide IPv6 routing support. This is identified as the most significant obstacle, but adoption is growing.

Solution 1: Disable IPv6

The simplest approach is to disable IPv6 on your network entirely. This can be done at the device level (Windows, macOS, Linux) or at the router level, depending on your setup. While effective, this is not a future-proof solution as IPv6 adoption continues to grow.

Solution 2: Configure IPv6 DNS

The recommended approach is to deploy IPv6 DNS addresses alongside your IPv4 values. CleanBrowsing provides IPv6 addresses for both free and paid accounts specifically for this purpose. By configuring both IPv4 and IPv6 DNS settings to point to your filtering service, you close the gap and ensure comprehensive coverage.

Testing Your Configuration

If you are experiencing unexplained filtering failures, use a free IPv6 test scanner at test-ipv6.com to diagnose whether IPv6 traffic is bypassing your filters. This simple test can quickly reveal whether your network is routing traffic through unfiltered IPv6 channels.
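
A local complement to the test above, as an added example that is not CleanBrowsing's own code: it audits a resolv.conf-style resolver list for the gap this article describes. The approved set reuses the two addresses shown on this page as an assumption (use the IPv4 and IPv6 addresses issued for your account), and `host_has_ipv6` is a hypothetical flag the caller supplies.

```python
import ipaddress

# Assumed allowlist: the two addresses shown on this page. Replace with the
# IPv4/IPv6 resolver addresses issued for your own filtering account.
APPROVED = {ipaddress.ip_address(a) for a in
            ("185.228.168.168", "2a0d:2a00:0001:0000:0000:0000:0000:0000")}

def parse_nameservers(resolv_conf_text):
    """Return ip_address objects for each 'nameserver' line (comments ignored)."""
    servers = []
    for line in resolv_conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            # Drop a zone ID such as fe80::1%eth0 before parsing.
            servers.append(ipaddress.ip_address(fields[1].split("%", 1)[0]))
    return servers

def audit(resolv_conf_text, host_has_ipv6, approved=APPROVED):
    """Return a list of findings; an empty list means both families are covered."""
    servers = parse_nameservers(resolv_conf_text)
    # Comparison is on parsed addresses, so compressed and expanded IPv6 match.
    findings = [f"unapproved IPv{s.version} resolver: {s}"
                for s in servers if s not in approved]
    for version in (4, 6):
        if version == 6 and not host_has_ipv6:
            continue  # IPv6 disabled (Solution 1): no IPv6 resolver needed
        if not any(s.version == version and s in approved for s in servers):
            findings.append(f"no approved IPv{version} resolver configured")
    return findings

# Constructed sample inputs, not captured from a real host.
IPV4_ONLY = "nameserver 185.228.168.168\n"
ISP_V6 = "nameserver 185.228.168.168\nnameserver fe80::1%eth0  # from router\n"
DUAL = "nameserver 185.228.168.168\nnameserver 2a0d:2a00:1::\n"

if __name__ == "__main__":
    for name, text in (("ipv4-only", IPV4_ONLY), ("isp-v6", ISP_V6), ("dual", DUAL)):
        print(name, audit(text, host_has_ipv6=True) or "OK")
```

On hosts that run a local stub resolver, feed it the upstream list (for systemd-resolved, `/run/systemd/resolve/resolv.conf`) rather than `/etc/resolv.conf`, which only lists the stub address.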
