Quick-reference definitions for DNS filtering, content filtering, and internet safety terms. Each term links to an in-depth article where one exists.
A DNS record that maps a domain name to an IPv4 address. When you type a website name, the A record tells your device which server to connect to.
Learn more →A DNS record that maps a domain name to an IPv6 address — the newer, longer version of an IP address.
Learn more →A Microsoft directory service used by organizations to manage users, computers, and policies. CleanBrowsing can integrate with AD for DNS-level filtering across managed networks.
Learn more →Preventing advertisements from loading on web pages. DNS-based ad blocking works by refusing to resolve the domain names of known ad servers.
A list of domains explicitly permitted to bypass filtering rules. Also called a whitelist. Used to ensure critical services are never blocked.
A network routing method where the same IP address is announced from multiple global locations, directing users to the nearest server for faster DNS resolution.
Learn more →Application Programming Interface — a way for software to interact with CleanBrowsing programmatically, such as managing IPs, domains, and filter profiles.
Learn more →A list of domains that are denied resolution by a DNS filter, preventing users from accessing those sites. Also called a blacklist or denylist.
The web page displayed when a user tries to visit a site blocked by DNS filtering. It explains why access was denied and may offer options to request access.
A network of compromised devices controlled by an attacker, often used for DDoS attacks, spam, or data theft. DNS filtering can block communication with botnet command servers.
Learn more →Any method used to circumvent DNS filtering — such as VPNs, alternate DNS servers, or encrypted tunnels. Preventing bypass is critical for effective filtering.
Learn more →Blocking or allowing websites based on their content category (e.g., adult, gambling, social media) rather than individual URLs. CleanBrowsing offers 21+ content categories.
Learn more →CleanBrowsing's proprietary domain categorization engine that classifies websites into content categories for filtering decisions.
Learn more →Carrier-Grade NAT — a technique ISPs use to share a single public IP among many customers. CGNAT can complicate DNS filtering because multiple users share the same source IP.
Learn more →Children's Internet Protection Act — a U.S. federal law requiring schools and libraries receiving E-Rate funding to filter internet access. CleanBrowsing provides CIPA-compliant filtering.
Learn more →The practice of restricting access to web content based on category, keyword, or other criteria. DNS-based content filtering works by blocking domain resolution rather than inspecting page content.
Learn more →A DNS record that aliases one domain name to another. Often used for subdomains or CDN integration.
Learn more →Distributed Denial of Service — an attack that floods a target with traffic from many sources to overwhelm it and cause downtime.
Learn more →Another term for blocklist — a list of domains blocked by a DNS filter.
Dynamic Host Configuration Protocol — automatically assigns IP addresses and DNS server settings to devices on a network. Changing DHCP DNS settings is the easiest way to deploy CleanBrowsing on a router.
Learn more →Domain Name System — the internet's directory that translates domain names (like cleanbrowsing.org) into IP addresses. DNS filtering works by intercepting this translation step.
Learn more →A temporary store of recent DNS lookups on your device, browser, or router. Stale cache entries can cause filtering changes to take effect slowly.
Learn more →Blocking access to websites by refusing to resolve their domain names to IP addresses. Unlike URL or proxy filtering, DNS filtering works at the network level with no software installation required.
Learn more →A protective DNS service that blocks queries to known malicious domains — malware, phishing, botnets, and ransomware command-and-control servers.
Learn more →An attack where DNS queries are redirected to a malicious server, sending users to fake or harmful websites without their knowledge.
When DNS queries bypass your configured DNS provider (e.g., through a VPN or misconfigured network), exposing your browsing activity to unintended resolvers.
Learn more →An attack that inserts forged DNS records into a resolver's cache, redirecting users to malicious sites. Also called DNS cache poisoning.
Learn more →A configuration file (e.g., Apple .mobileconfig) that sets DNS server addresses and encryption settings on a device, ensuring filtering is applied consistently.
Learn more →A server that receives DNS queries from devices and returns the corresponding IP addresses. CleanBrowsing operates as a filtering DNS resolver.
Learn more →DNS Security Extensions — cryptographic signatures added to DNS records to verify authenticity and protect against spoofing and cache poisoning.
A protocol that encrypts DNS traffic between your device and the DNS resolver, preventing eavesdropping and tampering.
Learn more →DNS over HTTPS — encrypts DNS queries inside HTTPS connections. While it protects privacy, browser-level DoH can bypass network-level DNS filtering if not managed.
Learn more →DNS over TLS — encrypts DNS queries using TLS on port 853. Supported natively on Android 9+ as "Private DNS."
Learn more →An IP address assigned by your ISP that changes periodically. CleanBrowsing supports dynamic IP updates via API or scheduled scripts to maintain filtering.
Learn more →A U.S. federal program that provides discounts on telecommunications and internet for eligible schools and libraries. E-Rate recipients must comply with CIPA filtering requirements.
Learn more →Encrypted Client Hello — a TLS extension that encrypts the SNI (server name) during the TLS handshake, making it harder for network filters to identify which site is being accessed.
Learn more →DNS queries protected by encryption (DoH, DoT, or DNSCrypt) so they cannot be read or tampered with in transit. CleanBrowsing supports all three protocols.
Learn more →CleanBrowsing's strictest free DNS filter (185.228.168.168). Blocks adult content, enforces SafeSearch, and blocks VPN/proxy domains.
Learn more →A named configuration in CleanBrowsing that defines which content categories are blocked, which domains are allowed/denied, and other filtering rules. Paid plans support multiple profiles.
A network rule that controls traffic flow. Router firewall rules can redirect all DNS traffic (port 53) to CleanBrowsing to prevent bypass.
Learn more →A UK certification program for public WiFi providers that ensures appropriate content filtering is in place. CleanBrowsing is a Friendly WiFi certified provider.
Learn more →A Windows Active Directory feature that lets administrators push settings (including DNS and browser configurations) to managed devices across an organization.
Learn more →A separate wireless network provided for visitors. DNS filtering on guest WiFi ensures appropriate content access without complex proxy setups.
HyperText Transfer Protocol Secure — the encrypted version of HTTP. HTTPS encrypts page content but the DNS lookup that starts each connection can still be filtered.
Microsoft Intune — a cloud-based endpoint management tool. CleanBrowsing can be deployed on Windows fleets via Intune OMA-URI policies.
Learn more →A numerical label (e.g., 185.228.168.168) assigned to each device on a network. DNS filtering maps your public IP to a filter profile.
Internet Protocol version 4 — uses 32-bit addresses (e.g., 185.228.168.168). CleanBrowsing's free resolvers use IPv4 addresses.
Internet Protocol version 6 — uses 128-bit addresses (e.g., 2a0d:2a00:1::). CleanBrowsing supports IPv6 DNS resolvers alongside IPv4.
The time delay between sending a DNS query and receiving a response. CleanBrowsing's anycast network minimizes latency by routing queries to the nearest data center.
A record of DNS queries processed by the filtering service, showing which domains were requested and whether they were allowed or blocked. Used for monitoring, compliance, and troubleshooting.
Learn more →Malicious software (viruses, ransomware, trojans, spyware) that can infect devices. DNS filtering blocks connections to known malware distribution and command-and-control domains.
Learn more →Mobile Device Management — software used to manage, configure, and secure mobile devices. CleanBrowsing integrates with MDM solutions like Mosyle and Intune for enterprise DNS deployment.
Learn more →An Apple configuration profile file format (.mobileconfig) that can set DNS servers, encryption settings, and other preferences on iOS, iPadOS, and macOS devices.
Learn more →An Apple-focused MDM platform. CleanBrowsing provides Mosyle integration guides for deploying DNS-over-TLS and DNS-over-HTTPS filtering across managed Apple fleets.
Learn more →Managed Service Provider — an IT company that manages networks for multiple clients. CleanBrowsing offers multi-tenant management tools for MSPs.
Learn more →A DNS Mail Exchange record that specifies which mail servers handle email for a domain.
Network Address Translation — a router function that maps private internal IPs to a single public IP. NAT is transparent to DNS filtering, which uses the public IP for profile matching.
A DNS server responsible for answering queries about a domain. CleanBrowsing operates authoritative and recursive nameservers across 70+ global locations.
Applying content filtering at the network (router/DNS) level so all connected devices are protected without installing software on each one.
Learn more →A DNS response indicating that the queried domain does not exist. DNS filters may return NXDOMAIN for blocked domains to prevent any connection attempt.
Open Mobile Alliance Uniform Resource Identifier — a policy format used by Microsoft Intune to push custom settings (like DNS configuration) to managed Windows devices.
Learn more →A DNS-based filtering service owned by Cisco. CleanBrowsing is a popular alternative offering encrypted DNS, simpler pricing, and more granular category controls.
Learn more →Tools and settings that help parents restrict what content children can access online. DNS filtering is one of the most effective parental control methods because it works across all devices on a network.
Learn more →A social engineering attack that tricks users into revealing sensitive information via fake websites or emails. DNS filtering blocks known phishing domains before the page can load.
Learn more →The standard network port for unencrypted DNS traffic (UDP and TCP). Firewall rules that redirect port 53 traffic prevent DNS bypass.
Learn more →Android's built-in DNS-over-TLS feature (Android 9+). Setting Private DNS to CleanBrowsing's DoT hostname enables encrypted filtering on mobile devices.
Learn more →A DNS service that actively blocks queries to malicious domains — malware, phishing, ransomware C2, and botnets. Also called DNS Firewall.
Learn more →An intermediary server that forwards requests between a client and destination. Web proxies can be used to bypass DNS filtering by routing traffic through an unfiltered server.
Learn more →The external IP address assigned to your network by your ISP. CleanBrowsing uses your public IP to identify your account and apply the correct filter profile.
Learn more →Malware that encrypts a victim's files and demands payment for the decryption key. DNS filtering can block connections to ransomware command-and-control servers.
Learn more →A DNS server that resolves domain names by querying other DNS servers on your behalf. CleanBrowsing operates recursive resolvers that apply filtering rules during resolution.
Learn more →Response Policy Zone — a DNS mechanism that allows administrators to override DNS responses for specific domains. CleanBrowsing offers an RPZ feed for organizations running their own DNS resolvers.
Learn more →A feature in search engines (Google, Bing, DuckDuckGo) that filters explicit content from search results. CleanBrowsing can enforce SafeSearch at the DNS level so users cannot disable it.
Learn more →CleanBrowsing's free DNS filter (185.228.168.9) focused on blocking malware, phishing, and botnets without restricting content categories.
Learn more →Server Name Indication — a TLS extension that sends the requested hostname in plaintext during the handshake. SNI inspection is used by some filters, but ECH encrypts this field.
An IP address that doesn't change. Static IPs simplify DNS filtering setup because the filter profile is always matched to the same address.
A range of IP addresses within a network. CleanBrowsing supports bulk subnet uploads for large deployments.
Learn more →Top-Level Domain — the last part of a domain name (.com, .org, .edu). Some TLDs are associated with higher risk content and can be filtered as a category.
Transport Layer Security — the encryption protocol that secures HTTPS and DNS-over-TLS connections.
A log management tool from CleanBrowsing that provides extended data retention and analytics for DNS query logs beyond the standard retention period.
Learn more →Time to Live — the number of seconds a DNS record is cached before being re-queried. Lower TTLs mean filtering changes take effect faster; higher TTLs reduce query volume.
A DNS record that holds text data, commonly used for domain verification, SPF email authentication, and other metadata.
A one-to-one network communication model where traffic goes to a single destination. Contrast with anycast, where the same IP routes to the nearest of many servers.
Learn more →Blocking access based on the full URL path (not just the domain). URL filtering requires a proxy or agent; DNS filtering works at the domain level only.
Learn more →Virtual Private Network — an encrypted tunnel that routes traffic through a remote server, bypassing local DNS filtering. Blocking VPN domains is essential for maintaining filter integrity.
Learn more →Using a VPN to circumvent DNS filtering by tunneling DNS queries through an encrypted connection to an unfiltered resolver.
Learn more →See Allowlist — a list of domains explicitly permitted through the filter regardless of category. Used to unblock false positives or essential services.
A strict filtering mode where only explicitly approved domains are accessible and everything else is blocked. Used in high-security or testing environments.
Learn more →A YouTube setting that hides potentially mature content. CleanBrowsing can enforce YouTube Restricted Mode at the DNS level alongside SafeSearch.
Learn more →We're always expanding this glossary. If there's a term you'd like defined, let us know at support@cleanbrowsing.org.