
Why Some Apps Bypass DNS Filtering and How to Handle It

When you configure CleanBrowsing on your device or network, most apps and browsers will respect the DNS rules and filtering you’ve put in place. However, you may notice certain apps still work even when you expect them to be blocked. This isn’t a failure of CleanBrowsing — it’s a limitation of how some apps are designed.

Below, we’ll explain why this happens, what you can try immediately, and long-term solutions to keep app traffic under control.

Why Apps Might Bypass Filtering

  1. Hardcoded DNS Values
    Some developers bypass the device’s DNS configuration entirely. Instead of using the system DNS (where you’ve set CleanBrowsing), they program their apps to connect directly to specific DNS resolvers such as Google (8.8.8.8 / 8.8.4.4), Cloudflare (1.1.1.1), or Quad9 (9.9.9.9).
    • Result: The app never touches CleanBrowsing DNS, so filtering doesn’t apply.
  2. Encrypted DNS (DoH/DoT)
    Modern devices, especially iOS and newer Android versions, support DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT). Some apps ship with their own encrypted DNS configuration.
    • Example: A browser like Firefox may default to Cloudflare DoH instead of system DNS.
    • Result: The app establishes a secure channel directly to another DNS provider, bypassing your filters.
  3. Local Caching
    Apps and operating systems cache DNS lookups. Even after you change DNS settings, cached results may allow continued access for hours or days until the cache expires.
    • Result: It looks like filtering “isn’t working” when it’s actually just cached data.

Things You Can Try Right Away

  • Restart the App or Device
    Closing the app completely or rebooting the device forces a DNS refresh.
  • Clear App Cache (if supported)
    Some apps let you clear stored data, which may include cached DNS lookups.
  • Test with a Browser
    Try accessing the same content in Safari/Chrome. If filtering works in the browser but not the app, you know the issue is app-specific.

Longer-Term Solutions

If you want consistent, reliable filtering, especially for kids’ devices or shared family devices, consider these stronger approaches:

1. Remove the Problematic App

If an app refuses to respect DNS configurations, the simplest and most reliable solution is to uninstall it.

2. Prevent Reinstalls and Settings Changes

Filtering only works if users can’t undo it. On managed or child devices, use built-in tools to lock down changes:

  • iOS / iPadOS:
    • Enable Screen Time restrictions.
    • Block App Store installs or restrict apps by age rating.
    • Prevent installation of VPN profiles that may override DNS.
  • Android:
    • Use Google Family Link to restrict app downloads.
    • Use MDM (Mobile Device Management) if managing organizational devices.

3. Block Hardcoded DNS on the Network

On your router or firewall, create outbound rules that block known public DNS IPs such as those listed in the table below. This ensures all devices must use CleanBrowsing DNS: if someone tries to override DNS, their requests will simply fail.

Firewall Rule Examples

Below are common public DNS providers you may want to block to ensure CleanBrowsing filtering remains effective:

Provider   | IPv4 Addresses                 | IPv6 Addresses                             | Ports to Block
Google     | 8.8.8.8, 8.8.4.4               | 2001:4860:4860::8888, 2001:4860:4860::8844 | 53, 853, 443
Cloudflare | 1.1.1.1, 1.0.0.1               | 2606:4700:4700::1111, 2606:4700:4700::1001 | 53, 853, 443
Quad9      | 9.9.9.9, 149.112.112.112       | 2620:fe::fe, 2620:fe::9                    | 53, 853, 443
OpenDNS    | 208.67.222.222, 208.67.220.220 | 2620:119:35::35, 2620:119:53::53           | 53, 853, 443
  • Port 53 (DNS): Regular DNS requests.
  • Port 853 (DoT): DNS-over-TLS.
  • Port 443 (DoH): DNS-over-HTTPS (uses HTTPS traffic).

4. Control Encrypted DNS

Encrypted DNS (DoH/DoT) is one of the biggest reasons apps can bypass DNS filters. By encrypting DNS traffic, apps send their requests directly to third-party resolvers (like Google, Cloudflare, or Quad9) without going through the system DNS you’ve configured with CleanBrowsing. While encryption itself is good for privacy, it undermines filtering unless you control it.

Here’s how you can handle it:

On iOS Devices

  • Private DNS Profiles / Encrypted DNS in Apps:
    Some apps (e.g., Firefox, Chrome) allow their own DNS-over-HTTPS (DoH) configuration. Others may rely on iOS profiles to install custom DNS settings.
  • What to Do:
    1. Go to Settings > VPN & Device Management and check for installed profiles. Remove any that override DNS with providers like Cloudflare or Google.
    2. In apps like Firefox or Chrome, go into Settings > Privacy & Security and make sure Secure DNS/DoH is turned off (or pointed to CleanBrowsing).
    3. Use Screen Time to prevent children or end-users from installing new profiles or browsers that enable DoH.

On Android Devices

  • Private DNS Mode:
    Android supports DNS-over-TLS (DoT) system-wide under Private DNS.
  • What to Do:
    1. Go to Settings > Network & Internet > Private DNS.
    2. Options you’ll see:
      • Off: No encrypted DNS (device uses CleanBrowsing system DNS).
      • Automatic: Device may use a provider that supports DoT (not recommended).
      • Private DNS provider hostname: Enter a hostname to force DoT to a specific provider.
    3. To keep filtering:
      • Either set this to Off (forces normal DNS which follows your system settings).
      • Or set the provider hostname to CleanBrowsing DoT:
        security-filter-dns.cleanbrowsing.org
        family-filter-dns.cleanbrowsing.org
        adult-filter-dns.cleanbrowsing.org

On Networks (Routers / Firewalls)

Apps may hardcode DoH endpoints (like dns.google or cloudflare-dns.com) and send DNS requests over port 443 (HTTPS). Since this traffic looks like normal HTTPS, you need targeted blocking.

What you can do:

  1. Block Known DoH Hostnames/Domains
    Create firewall or DNS rules to block these common DoH providers:
    • dns.google
    • cloudflare-dns.com
    • mozilla.cloudflare-dns.com
    • dns.quad9.net
    • doh.opendns.com
    • doh.cleanbrowsing.org (only block if you don’t want encrypted DNS at all)
  2. Block DoH/DoT Ports Globally (Advanced)
    • Block outbound port 853 (DNS-over-TLS).
    • Block outbound HTTPS requests to known DoH IPs/domains.
    ⚠️ Do not block port 443 globally, or you’ll break all HTTPS websites. Always target specific DoH endpoints instead.
  3. Redirect DNS Traffic
    On some firewalls (pfSense, MikroTik, UniFi), you can capture all outbound DNS requests and redirect them to CleanBrowsing resolvers. This forces devices to comply, even if they try to use DoH/DoT.
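The network-level blocking in "Block Hardcoded DNS on the Network" and the port-blocking and redirect steps just above, as one added example that is not CleanBrowsing's own code: a POSIX shell script that emits an nftables ruleset for a Linux router (pfSense, MikroTik and UniFi use their own rule syntax). It assumes nft is installed, a LAN interface name you supply, and the IPv4 address of your CleanBrowsing resolver, which this page does not list (192.0.2.53 is a placeholder); hostname-based DoH blocks from step 1 belong in your resolver's configuration and are not covered here.

```shell
#!/bin/sh
# Added example, not CleanBrowsing's own tooling: print an nftables ruleset for the
# "Block Hardcoded DNS" and "Redirect DNS Traffic" steps. Addresses/ports are from
# the table above; ALLOWED_DNS (arg 1) is your CleanBrowsing resolver IPv4, which
# this page does not list (192.0.2.53 used elsewhere is a placeholder).
PUBLIC_DNS_V4="8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 9.9.9.9 149.112.112.112 208.67.222.222 208.67.220.220"
PUBLIC_DNS_V6="2001:4860:4860::8888 2001:4860:4860::8844 2606:4700:4700::1111 2606:4700:4700::1001 2620:fe::fe 2620:fe::9 2620:119:35::35 2620:119:53::53"

# Join space-separated addresses into the comma list an nft set expects.
csv() { echo "$*" | tr ' ' ','; }

# build_ruleset ALLOWED_DNS LAN_IFACE  -> nft ruleset on stdout (nothing is applied).
build_ruleset() {
  allowed="$1"; lan="$2"
  cat <<EOF
table inet dnsguard {
  set public_dns_v4 { type ipv4_addr; elements = { $(csv $PUBLIC_DNS_V4) } }
  set public_dns_v6 { type ipv6_addr; elements = { $(csv $PUBLIC_DNS_V6) } }
  chain prerouting {
    type nat hook prerouting priority dstnat; policy accept;
    # Redirect DNS Traffic: plain DNS from the LAN not already headed to the
    # allowed resolver is rewritten to go there.
    iifname "$lan" udp dport 53 ip daddr != $allowed dnat ip to $allowed
    iifname "$lan" tcp dport 53 ip daddr != $allowed dnat ip to $allowed
  }
  chain forward {
    type filter hook forward priority filter; policy accept;
    # Table rows: 53 (DNS), 853 (DoT), 443 (DoH, incl. UDP/QUIC) to the public
    # resolvers are dropped and counted; 443 is NOT dropped for anyone else.
    ip daddr @public_dns_v4 udp dport { 53, 853, 443 } counter drop
    ip daddr @public_dns_v4 tcp dport { 53, 853, 443 } counter drop
    ip6 daddr @public_dns_v6 udp dport { 53, 853, 443 } counter drop
    ip6 daddr @public_dns_v6 tcp dport { 53, 853, 443 } counter drop
    # Step 2 (Advanced): outbound DoT to anyone but the allowed resolver. No IPv6
    # allowed resolver is configured here, so IPv6 DoT is dropped entirely.
    ip daddr != $allowed tcp dport 853 counter drop
    meta nfproto ipv6 tcp dport 853 counter drop
  }
}
EOF
}

# apply_ruleset ALLOWED_DNS LAN_IFACE  -> syntax-check with nft -c, then load (needs root).
apply_ruleset() {
  build_ruleset "$1" "$2" > /tmp/dnsguard.nft
  nft -c -f /tmp/dnsguard.nft && nft -f /tmp/dnsguard.nft
}
```

Run `build_ruleset 192.0.2.53 br-lan` to review the generated rules before `apply_ruleset` loads them; the `counter` statements let `nft list table inet dnsguard` show which apps are still trying to reach public resolvers.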

DNS filtering works best when the device respects the DNS settings. Apps that bypass filtering are doing so by design, and the only foolproof way to address this is through:

  • Removing the app
  • Enforcing device-level restrictions (Screen Time, Family Link, or MDM)
  • Blocking alternative DNS at the network level

With these steps, you can make sure CleanBrowsing filtering remains effective across all apps and devices.

Updated on September 29, 2025