Schools and libraries that receive E-Rate funding are required by the Children's Internet Protection Act (CIPA) to have a technology protection measure in place that blocks obscene content, child pornography, and material harmful to minors. The stakes are real: failure to certify compliance means losing access to E-Rate discounts that can cover 20% to 90% of your institution's internet costs. DNS filtering satisfies the technology requirement, and it does it without software on every device, without enterprise pricing, and without a complex deployment.

This article covers what CIPA actually requires, why DNS filtering is the right technical approach for K-12 environments, and how to deploy it across a school network including take-home devices.

What CIPA Requires

CIPA has six requirements for schools and libraries receiving E-Rate discounts or LSTA grants. They fall into two categories: what you must implement technically and what you must document and teach.

The technical requirements:

• A technology protection measure that blocks visual depictions of obscene content, child pornography, and content harmful to minors on any computer with internet access
• Monitoring of minors' online activity (schools only, not libraries)
• The ability for an authorized administrator to disable filters for adults conducting bona fide research or other lawful purposes

The policy requirements:

• A written Internet Safety Policy formally adopted at a public meeting, covering monitoring, communications safety, unauthorized access, and personal information disclosure
• Public notice and a hearing before adopting that policy
• Digital citizenship education for students covering appropriate online behavior and cyberbullying awareness (added in the 2011 update)

The technology protection measure is what DNS filtering addresses directly. The law does not specify what technology you must use. It only requires that it blocks the defined categories. For a full breakdown of all six requirements, documentation guidance, and an interactive checklist, see our CIPA compliance guide.

Why DNS Filtering Is the Right Technical Approach for Schools

DNS filtering works by intercepting DNS lookups before a connection is made. When a student's device tries to reach a blocked domain, the resolver returns no valid address and the connection stops. This happens at the network level, before any content loads, and it applies to every device on the network regardless of operating system, browser, or whether the student has admin access to their device.

For K-12 environments, this architecture has three specific advantages over client-side filtering software:

• Device independence. A single DNS configuration at the router or firewall covers laptops, Chromebooks, tablets, phones, and any other device on the network. You are not installing and maintaining software on hundreds of individual devices.
• No performance impact. DNS filtering resolves in milliseconds. Students do not experience slower browsing, and you do not need to route traffic through a proxy or gateway that can become a bottleneck.
• Covers BYOD automatically. Any device that connects to your school network uses your DNS, including personal devices students bring from home. Network-level filtering protects the connection, not just school-issued hardware.

CleanBrowsing is trusted by 10,000+ schools and educational institutions worldwide, including K-12 districts, charter schools, and universities. Predefined content categories for adult content, pornography, malware, and phishing map directly to what CIPA requires. You can layer additional categories on top, such as social media, gaming, VPNs, and AI chatbots, based on your acceptable use policy.

Handling Take-Home and Off-Campus Devices

Network-level DNS filtering covers every device on your school Wi-Fi. For 1:1 programs where devices leave campus, you need an additional layer to maintain CIPA compliance off-network. CleanBrowsing supports all major device types:

• Windows laptops: The CleanBrowsing Windows app enforces DNS filtering on any network the device connects to, including home broadband and cellular hotspots. It supports silent deployment via Microsoft Intune for managed 1:1 programs and includes browser DoH lockdown so students cannot bypass filtering through Chrome or Edge's built-in encrypted DNS.
• Chromebooks: Managed via Google Admin Console. Configure CleanBrowsing's DNS resolvers in the network settings for your school's managed Chromebook policies. For DoH enforcement, use the Google Workspace Chrome DoH guide.
• iOS and macOS devices: Install a DNS configuration profile using the Apple DNS Configurator. The profile applies system-wide filtering and follows the device off campus, including on cellular connections.
• Android devices: Use the CleanBrowsing Android app or configure Private DNS in the device management profile for organization-managed devices.

For a complete deployment walkthrough covering all device types and MDM integrations, see the IT admin deployment guide.

Per-Grade Filtering and Staff Override

CIPA applies differently to adults and minors. Schools must allow authorized adults to disable or adjust filters for bona fide research or other lawful purposes. CleanBrowsing handles this through filter profiles. You create a staff profile with appropriate access and a student profile with CIPA-compliant restrictions, then assign each to the relevant network segment or device group.

This same system supports grade-level differentiation. Elementary school devices can have stricter restrictions than high school devices. Scheduling adds another layer: student profiles can tighten filtering during school hours and relax restrictions after 3pm automatically. Content schedules run without manual intervention once configured.

SafeSearch Enforcement

CIPA-compliant filtering should extend to search results. A student who cannot access an adult site directly should also not be able to find adult content through a search engine. CleanBrowsing enforces SafeSearch on Google, Bing, YouTube, and other platforms at the DNS level. This is not dependent on browser settings the student can change. It also covers YouTube Restricted Mode, which limits access to age-inappropriate video content.

Controlling AI Tools and Academic Fraud

Academic dishonesty has a DNS footprint. Essay mills and contract cheating sites have existed for years, and CleanBrowsing's Academic Fraud category blocks them, covering sites that sell essay writing, homework completion, and similar services. That was the primary threat a few years ago. Today the more common path is a student opening ChatGPT, Gemini, or a similar tool and having it write the assignment directly.

CleanBrowsing's Artificial Intelligence category blocks AI content and image generation tools at the DNS level, including ChatGPT and similar platforms. Used alongside the Academic Fraud category, it gives IT administrators a complete DNS-level response to both sides of the academic integrity problem: the services that sell completed work and the AI tools used to generate it.

Whether to enable these categories is a policy decision, not a technical one. Some schools block AI tools entirely during school hours. Others allow access on teacher-supervised networks but block it on student device profiles. CleanBrowsing's profile system and scheduling make both approaches straightforward to implement. The relevant point for CIPA purposes is that your Internet Safety Policy should explicitly address AI tools and academic fraud. If your policy restricts them, DNS filtering is how you enforce it technically.

Both the Academic Fraud and Artificial Intelligence categories are currently in beta. See the full filter categories page for the current list of available categories and their status.

Blocking Filter Bypasses

Students are resourceful. A well-deployed CIPA-compliant setup accounts for common bypass methods. For a full breakdown specific to K-12 environments, see how kids bypass filters and the filter bypass prevention guide. The most common vectors to address:

• VPNs and proxies: CleanBrowsing's VPN and proxy categories block the most common circumvention tools. See the VPN blocking guide.
• Browser-level encrypted DNS (DoH): Chrome, Firefox, and Edge include built-in DNS-over-HTTPS that bypasses network-level filtering entirely if left enabled. The Windows app handles this automatically through browser DoH lockdown. For network-only deployments, the DoH blocking guide covers policy-based disablement.
• Tor and anonymization tools: The Tor blocking guide covers DNS-level blocking of known Tor infrastructure.
• Firewall-level bypass prevention: For IT administrators managing school firewalls, the firewall DNS bypass guide covers network-level enforcement to prevent rogue DNS queries from reaching external resolvers entirely.

Bypass prevention is not a CIPA requirement, but it is the difference between filtering that works and filtering that looks good on paper. A student who gets around your filters does not change your compliance status on paper, but it does put real students in front of content your policy prohibits.

Monitoring to Satisfy the CIPA Requirement

Schools (not libraries) are required to monitor minors' online activity. DNS activity monitoring in CleanBrowsing's dashboard shows every DNS query, blocked request, and filtering event across your network. Administrators can filter by profile, network, or time range to identify patterns or investigate specific incidents. For compliance-ready logging with longer data retention, DNS log forwarding to Trunc provides a searchable audit trail suitable for documentation purposes.

Pricing for Schools

CleanBrowsing offers school-specific plans sized by student population:

• Basic: $300/year for up to 100 students
• Midsize: $600/year for up to 500 students
• Large: $750/year for up to 1,000 students
• Custom: Contact us for districts with 1,000+ students

All school plans include encrypted DNS protocols, 19+ predefined content filters, custom allow/block lists, device profiles, activity monitoring, and data retention controls. See the schools page for current details or contact us for district-level deployments.