The DNS Communication Hierarchy

Aug 04, 2022
Daniel Cid (@dcid)

CleanBrowsing is a DNS resolver that provides DNS-based content filtering. In this article, we explore how changing DNS settings affects users and examine the communication hierarchy relevant to content filtering configuration.

The Hierarchy: Router < Devices < Applications

The traditional network hierarchy has evolved significantly. Previously, DNS represented a network and system-level control managed by routers. Today, applications introduce new complexities to this relationship.

The priority hierarchy works as follows:

  • Priority 1 — Application: Browsers and mobile apps using DNS over HTTPS (DoH) or DNS over QUIC (DoQ), which can bypass network configurations.
  • Priority 2 — Device: Local network settings, including encrypted options such as DNS over TLS (DoT) and DoH.
  • Priority 3 — Router: Traditional IPv4/IPv6 gateways implementing encryption technologies.

This hierarchy means Priority 1 supersedes Priority 2, which in turn supersedes Priority 3. For example, browser settings like Firefox's default Secure DNS can override router-level filters entirely.

Rethinking Content Filtering Strategies

Organizations deploying DNS-based filtering need to account for this hierarchy. A router-only approach may leave gaps that applications can exploit. To build a more comprehensive filtering strategy, consider the following:

  • Deploy both network-level and device-level controls.
  • Disable encrypted DNS in applications and browser extensions where possible.
  • Manage VPN and proxy extensions that can bypass filters.
  • Use CleanBrowsing's Proxy filter to block known DoH services.
  • Block port 853 at the router level to target DoT connections.

By addressing filtering at multiple layers of the communication hierarchy, you can ensure that your content filtering strategy remains effective even as technologies evolve.
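
To check whether a router-level filter is being bypassed at the device or application layer, you can audit outbound flow records for DNS traffic that never reaches the filtering resolver. The script below is an added example, not CleanBrowsing code: the resolver address, the flow-record fields, the short DoH hostname list and the sample flows are all assumptions constructed for illustration.

```python
"""Find hosts whose DNS traffic skips the router-assigned filtering resolver."""
from collections import defaultdict

# Assumption: placeholder address (documentation range) of the filtering resolver.
FILTER_RESOLVERS = {"192.0.2.53"}
# Assumption: a few public DoH hostnames for illustration; a real blocklist is far longer.
DOH_HOSTS = ("dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com",
             "dns.quad9.net")

def transport(flow):
    """Name the DNS transport a flow uses, or None if it does not look like DNS."""
    sni = (flow.get("sni") or "").lower().rstrip(".")
    if flow["port"] == 53:
        return "Do53"                      # classic unencrypted DNS
    if flow["port"] == 853:
        # TCP 853 is DNS over TLS, UDP 853 is DNS over QUIC.
        return "DoT" if flow["proto"] == "tcp" else "DoQ"
    if flow["port"] == 443 and any(sni == h or sni.endswith("." + h) for h in DOH_HOSTS):
        return "DoH"                       # HTTPS to a known DoH endpoint
    return None

def bypasses(flows):
    """Map each source host to the transports it used toward a non-filter resolver."""
    found = defaultdict(set)
    for flow in flows:
        kind = transport(flow)
        if kind and flow["dst"] not in FILTER_RESOLVERS:
            found[flow["src"]].add(kind)
    return dict(found)

# Constructed sample flows (all addresses are placeholders).
SAMPLE_FLOWS = [
    # Device follows the router-assigned resolver: filtered.
    {"src": "10.0.0.11", "dst": "192.0.2.53", "port": 53, "proto": "udp"},
    # Device configured with its own plain-DNS resolver.
    {"src": "10.0.0.12", "dst": "198.51.100.8", "port": 53, "proto": "udp"},
    # Device-level DoT to an outside resolver.
    {"src": "10.0.0.13", "dst": "198.51.100.9", "port": 853, "proto": "tcp"},
    # Browser DoH, visible only through the TLS SNI.
    {"src": "10.0.0.14", "dst": "198.51.100.10", "port": 443, "proto": "tcp",
     "sni": "mozilla.cloudflare-dns.com"},
    # Ordinary HTTPS, not DNS.
    {"src": "10.0.0.14", "dst": "198.51.100.20", "port": 443, "proto": "tcp",
     "sni": "example.org"},
]

if __name__ == "__main__":
    for host, kinds in sorted(bypasses(SAMPLE_FLOWS).items()):
        print(host, "bypasses the filter via", ", ".join(sorted(kinds)))
```

Flow records cannot tell you which program sent a query, so a DoH hit may come from a browser or from an OS-level setting; the transport only shows which control (application policy, device configuration, or a port 853 block) needs attention.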
