A common question we get from customers is how to prevent a new device on the network from bypassing the CleanBrowsing DNS.
Every device, whether it is a mobile device, laptop, desktop, server, or gaming platform, lets its user edit the local network configuration, and that configuration includes the device's DNS settings. Depending on how your router is configured, this lets a user override the network's default DNS servers with resolvers of their own choosing, and from that point on their queries never reach CleanBrowsing.
How to Prevent DNS Bypass
If you own the network, and/or the assets on it, you can introduce controls that mitigate this type of bypass.
The main control is at the router, where you can use the router's firewall to restrict DNS traffic (port 53) so that it is only allowed to reach specific resolver IPs. The same rules can be applied locally on each machine on the network, but that only holds up if local permissions prevent unauthorized users from changing them.
Example of what this might look like on your router, or on a local machine, using the Free DNS resolvers (Family Filter):
ALLOW TCP/UDP IN/OUT to 185.228.168.0/23 on Port 53
And
BLOCK TCP/UDP IN/OUT all IP addresses on Port 53
The allow rule must come before the block rule, since most firewalls evaluate rules in order and stop at the first match. Together they ensure that a) port-53 traffic is only permitted to those resolvers and b) any attempt to query a different DNS server on port 53 is blocked. Note that these rules only cover classic DNS on port 53; a client that reaches a resolver over DNS-over-HTTPS (port 443) or DNS-over-TLS (port 853) is not affected by them.
The trick will be navigating your router's configuration page and deploying this on that device's firewall. The key is to apply it on the device closest to the edge of your network (edge meaning the device that connects your home to the outside world), so that every other device on the LAN has to pass through it.
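As an added example (not CleanBrowsing's own configuration, and not part of the original page), here is the same allow/block pair expressed as an nftables ruleset for a Linux-based router, using the 185.228.168.0/23 range from above. The interface name lan0 is an assumption and should be changed to match your hardware. It also goes one step beyond the text with an optional NAT rule that silently redirects any port-53 query aimed elsewhere to the Family Filter resolver, so a reconfigured device is filtered instead of simply losing DNS.

```nft
#!/usr/sbin/nft -f
# Example ruleset, not from the original page. Load with: nft -f dnsguard.nft
# Assumptions: LAN-facing interface is named lan0; the router forwards
# client traffic (a bridged modem/router in front of it would need the
# same rules on that device instead, since it is the true network edge).

define CLEANBROWSING_FAMILY = 185.228.168.0/23   # range from the article
define PRIMARY_RESOLVER     = 185.228.168.168    # one address inside it

table inet dnsguard {
    chain forward {
        type filter hook forward priority 0; policy accept;

        # Rule 1 (must come first): allow DNS to the CleanBrowsing range
        ip daddr $CLEANBROWSING_FAMILY udp dport 53 accept
        ip daddr $CLEANBROWSING_FAMILY tcp dport 53 accept

        # Rule 2: block DNS on port 53 to every other address, and log
        # the attempt so a bypass shows up in the router logs
        udp dport 53 log prefix "dns-bypass: " drop
        tcp dport 53 log prefix "dns-bypass: " drop
    }
}

# Optional stronger variant: rewrite the destination of any port-53 query
# from the LAN that is not already headed to CleanBrowsing. With this in
# place the forward chain above sees the rewritten address and accepts it,
# so devices that changed their DNS settings are filtered rather than cut off.
table ip dnsredirect {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        iifname "lan0" ip daddr != $CLEANBROWSING_FAMILY udp dport 53 dnat to $PRIMARY_RESOLVER
        iifname "lan0" ip daddr != $CLEANBROWSING_FAMILY tcp dport 53 dnat to $PRIMARY_RESOLVER
    }
}
```

Two things to check after loading it: the router's own resolver (for example dnsmasq handing out addresses via DHCP) must itself forward to a CleanBrowsing address, because traffic the router originates passes through the output hook, not forward; and a client that was already bypassing will show up as `dns-bypass:` lines in the kernel log until the redirect table is loaded, which is a convenient way to confirm the rules are in the right place.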