How to Change DNS on Your Router

The complete guide to configuring DNS filtering on any router. Covers IPv4, IPv6, encrypted DNS (DoH/DoT), brand-specific walkthroughs, verification, and troubleshooting — everything you need to protect every device on your network.

Step 1: Why Change DNS on Your Router?

Every time you visit a website, your device sends a DNS (Domain Name System) query to translate the domain name into an IP address. By default, these queries go to your Internet Service Provider's DNS servers — which offer no content filtering, limited privacy, and are often slower than third-party alternatives.

Changing the DNS on your router replaces the ISP defaults with a filtering DNS service like CleanBrowsing. This gives you:

  • Content filtering: Block adult content, malware domains, and phishing sites automatically.
  • Malware protection: Prevent devices from connecting to known malicious domains.
  • Privacy: Third-party DNS providers like CleanBrowsing do not log your browsing activity or sell your data.
  • Speed: Anycast DNS networks often resolve queries faster than ISP defaults.

The biggest advantage of configuring DNS at the router level is coverage: one configuration change protects every device on your network — laptops, phones, tablets, smart TVs, gaming consoles, IoT devices, and guest devices. There is no software to install and no per-device setup required.

For a detailed comparison of router-level vs. device-level DNS filtering, see our guide on Router vs Device Deployment.

Step 2: Before You Start

Find Your Router's Gateway IP

Your router's admin panel is accessed through a web browser using your gateway IP address. To find it:

On macOS, open Terminal and run:

netstat -nr | grep '^default'

On Linux, open a terminal and run:

ip route show default

On Windows, open Command Prompt and run:

ipconfig | findstr /i "Gateway"

Common gateway addresses include:

  • 192.168.1.1 (most TP-Link, Netgear, ASUS, Linksys routers)
  • 192.168.0.1 (some D-Link, Netgear, and ISP routers)
  • 10.0.0.1 (Comcast/Xfinity, Google Fiber, some enterprise setups)

Have Your Admin Credentials Ready

You will need the router's administrator username and password. If you have never changed these, check the sticker on the bottom of your router or consult the manufacturer's documentation. Common defaults are admin/admin or admin/password.

Choose Your CleanBrowsing Filter Level

CleanBrowsing offers three free DNS filters. Choose the one that matches your needs:

Filter           Primary DNS       Secondary DNS     What It Blocks
Family Filter    185.228.168.168   185.228.169.168   Adult content, malware, phishing, mixed-content sites
Adult Filter     185.228.168.10    185.228.169.11    Adult content, malware, phishing
Security Filter  185.228.168.9     185.228.169.9     Malware and phishing only

For a full comparison of what each filter blocks, see our DNS Filters page.

Step 3: Configure DNS (Generic Steps)

These instructions work for most consumer and business routers:

  1. Log in to your router's admin panel by opening a browser and navigating to your gateway IP (e.g., http://192.168.1.1).
  2. Navigate to DNS settings. Look for a section labeled "WAN," "Internet," "Network Settings," or "DHCP." The DNS fields are usually found here.
  3. Change the DNS servers. Replace the existing DNS addresses (or switch from "Automatic" to "Manual") and enter your chosen CleanBrowsing filter IPs:
    • Primary DNS: 185.228.168.168
    • Secondary DNS: 185.228.169.168
  4. Save and apply. Click "Save," "Apply," or "OK" to confirm the changes.
  5. Reboot your router. While some routers apply DNS changes immediately, many cache previous DNS responses locally. Rebooting the router clears its internal DNS cache and ensures all new queries use the updated servers.

Paid customers: If you have a CleanBrowsing paid plan, use the DNS IPs shown in your dashboard instead of the free filter IPs above. You should also add your network's public IP address under "Your Network" in the dashboard to bind your filtering profile.

Step 4: Brand-Specific Quick Guides

Every router brand places DNS settings in a slightly different location. Here are quick walkthroughs for the six most popular brands:

TP-Link

Log in → Advanced → Network → Internet → set DNS to Manual → enter CleanBrowsing IPs → Save.
Full TP-Link guide →

Netgear

Log in → Basic → Internet → check "Use These DNS Servers" → enter CleanBrowsing IPs → Apply.
Full Netgear guide →

ASUS

Log in → Advanced Settings → WAN → Internet Connection → set DNS to Manual → enter CleanBrowsing IPs → Apply.
Full ASUS guide →

Linksys

Log in → Connectivity → Internet Settings → edit → enter CleanBrowsing IPs under Static DNS → Apply.
Full Linksys guide →

Ubiquiti / UniFi

UniFi Controller → Settings → Networks → select WAN → DHCP Name Server → Manual → enter CleanBrowsing IPs → Apply.
Full Ubiquiti guide →

ISP Routers (AT&T, Comcast, Frontier, etc.)

Many ISP-provided routers lock the DNS fields. If you cannot edit DNS settings on your ISP router, you have two options: add your own router behind the ISP gateway, or configure DNS on each device individually. See our guide on routers that don't allow DNS changes for detailed workarounds.

Browse all 49+ router guides →

Step 5: Configure IPv6 DNS

If your network uses IPv6 (most modern networks do), you should also configure IPv6 DNS servers. Without this step, IPv6-capable devices may bypass your IPv4 DNS settings entirely by resolving queries over IPv6 using your ISP's default servers.

CleanBrowsing's IPv6 DNS addresses (Family Filter):

  • Primary IPv6 DNS: 2a0d:2a00:1::
  • Secondary IPv6 DNS: 2a0d:2a00:2::

Where to find IPv6 DNS settings: On most routers, IPv6 DNS settings are on the same page as IPv4 DNS settings. Some routers have a separate "IPv6" tab or section. Look under WAN, Internet, or Network settings.

Alternative — disable IPv6: If your router does not support IPv6 DNS configuration, or if you want to eliminate the possibility of IPv6 DNS bypass entirely, you can disable IPv6 on the router's WAN settings. This forces all traffic through IPv4 where your CleanBrowsing DNS is active. Note that disabling IPv6 may slightly reduce performance on networks that rely heavily on IPv6 routing.

Step 6: Encrypted DNS (DoH/DoT)

Standard DNS queries are sent in plain text, which means your ISP (or anyone on the network) can see and potentially intercept them. Encrypted DNS solves this by wrapping queries in TLS encryption. There are two protocols:

  • DNS over HTTPS (DoH): Sends DNS queries over HTTPS on port 443. Blends with normal web traffic, making it harder to block.
  • DNS over TLS (DoT): Sends DNS queries over TLS on a dedicated port (853). Easier for network admins to manage and monitor.

Router Support

Not all routers support encrypted DNS natively. Routers that do include:

  • ASUS (Merlin firmware): Full DoT support built-in. See our ASUS Merlin guide.
  • Newer TP-Link models: Some Archer and Deco models support DoT in recent firmware.
  • UniFi Dream Machine: Supports custom DNS with DoT via CLI.
  • pfSense / OPNsense: Full DoT/DoH support via Unbound DNS resolver.

CleanBrowsing Encrypted DNS Endpoints

Protocol  Family Filter Endpoint
DoH       https://doh.cleanbrowsing.org/doh/family-filter/
DoT       family-filter-dns.cleanbrowsing.org

For a deeper explanation of how these protocols work, see our guides on What is DNS over HTTPS (DoH) and What is DNS over TLS (DoT). You can also browse all available endpoints on our Encrypted DNS page.

Step 7: Verify Configuration

After configuring DNS on your router, verify that the changes are working correctly.

Quick Test

Visit badexample.com in your browser. If the filter is active, you should see a block page or a "domain not found" error.

DNS Query Test

On Windows (Command Prompt):

nslookup -q=TXT debug.test.cleanbrowsing.org

On Mac/Linux (Terminal):

dig TXT debug.test.cleanbrowsing.org

The response will confirm which CleanBrowsing filter is active and whether your queries are reaching our servers.

DNS Leak Test

Visit our DNS Leak Test and run a test. The results should show CleanBrowsing's servers (look for IPs in the 185.228.168.x range). If you see your ISP's DNS servers instead, the configuration has not taken effect yet.

Reboot Your Router

If the test still shows your old DNS servers, reboot your router. Many routers cache DNS responses internally, and a reboot clears this cache so all new queries go through the updated DNS servers.

Flush Local DNS Cache

After rebooting the router, you should also flush the DNS cache on your computers and devices to clear any locally cached old DNS records:

Windows (run as Administrator):

ipconfig /flushdns

macOS:

sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder

Linux (systems running systemd-resolved; older releases use systemd-resolve --flush-caches):

sudo resolvectl flush-caches

Chrome browser (if Chrome has its own DNS cache):

Navigate to chrome://net-internals/#dns and click "Clear host cache."

Allow 5–10 minutes for DHCP changes to propagate to all devices on your network. Reconnecting devices to WiFi (toggle WiFi off/on) will speed this up.

For a comprehensive verification walkthrough, see our Verify DNS Configuration guide.

Step 8: Lock Down & Troubleshoot

Changing DNS on the router is a strong first step, but tech-savvy users (or apps) can override router DNS by hardcoding their own DNS servers. Here is how to prevent that and troubleshoot common issues.

Lock DNS with Firewall Rules

To prevent any device from using a different DNS server, create a firewall rule on your router that blocks all outbound traffic on port 53 (DNS) except to CleanBrowsing's IP addresses. Alternatively, use a DNAT (destination NAT) rule to transparently redirect all DNS traffic to CleanBrowsing. See our How to Lock DNS Settings guide for step-by-step instructions.
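
One way to express the port-53 block rule on a Linux-based router with iptables, shown as an added example and not CleanBrowsing's own instructions. It prints the rules for review instead of applying them; the LAN interface name br-lan and the chain name DNS_LOCK are assumptions, and the resolver addresses are the Family Filter IPs from Steps 2 and 5.

```shell
#!/bin/sh
# Added example: prints (does not apply) firewall rules that only let
# forwarded DNS reach the resolvers given as arguments.
# Assumptions: LAN interface name and the DNS_LOCK chain name.

# dns_lock_rules LAN_IF RESOLVER...
# IPv4 resolvers produce iptables rules, IPv6 resolvers ip6tables rules.
dns_lock_rules() {
    lan_if=$1; shift
    [ -n "$lan_if" ] && [ "$#" -gt 0 ] || {
        echo "usage: dns_lock_rules LAN_IF RESOLVER..." >&2; return 2; }

    v4=""; v6=""
    for ip in "$@"; do
        case $ip in
            *[!0-9a-fA-F:.]*) echo "invalid address: $ip" >&2; return 1 ;;
            *:*) v6="$v6 $ip" ;;
            *.*) v4="$v4 $ip" ;;
            *)   echo "invalid address: $ip" >&2; return 1 ;;
        esac
    done

    for fam in 4 6; do
        if [ "$fam" = 4 ]; then cmd=iptables; list=$v4
        else cmd=ip6tables; list=$v6; fi
        # A family with no allowed resolver still gets the chain, so its
        # forwarded DNS is rejected instead of bypassing the filter (Step 5).
        echo "$cmd -N DNS_LOCK"
        for ip in $list; do
            echo "$cmd -A DNS_LOCK -d $ip -j RETURN"   # allowed resolver
        done
        echo "$cmd -A DNS_LOCK -j REJECT"               # any other DNS server
        for proto in udp tcp; do
            echo "$cmd -I FORWARD -i $lan_if -p $proto --dport 53 -j DNS_LOCK"
        done
    done
}

# Family Filter, IPv4 and IPv6; br-lan is an assumed interface name.
dns_lock_rules br-lan 185.228.168.168 185.228.169.168 2a0d:2a00:1:: 2a0d:2a00:2::
```

Only forwarded traffic is matched, so clients that query the router's own DNS proxy are unaffected.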

ISP-Locked Routers

If your ISP router does not allow DNS changes (common with AT&T, Comcast/Xfinity, some Frontier routers), your options are:

  • Add your own router: Connect a personal router (TP-Link, ASUS, etc.) behind the ISP gateway. Set the ISP device to bridge mode or DMZ, and configure DNS on your own router.
  • Per-device DNS: Configure DNS on each device individually instead of at the router level.

Full details: Router Doesn't Allow DNS Changes.

Services That Conflict with DNS Filtering

Some ISP and security services override your DNS settings, causing filters to stop working:

  • Comcast xFi Advanced Security: Overrides custom DNS. Disable in the Xfinity app under "xFi Advanced Security."
  • Avast/AVG Secure DNS: Overrides system DNS. Disable in Avast settings under "Core Shields."
  • AT&T ActiveArmor: May interfere with custom DNS settings on AT&T gateways.
  • Eero Secure: Eero's built-in filtering uses its own DNS. Disable Eero Secure to use CleanBrowsing.
  • T-Mobile Home Internet: Some T-Mobile gateways intercept DNS traffic.

See our full guide on Services That Conflict with DNS Filtering.

Apps Bypassing Router DNS

Some browsers and apps use their own DNS resolution (DNS over HTTPS) to bypass router-level filtering:

  • Firefox: Type about:config in the address bar, search for network.trr.mode, and set it to 5 (disabled).
  • Chrome: Go to Settings → Privacy and Security → Security → disable "Use secure DNS."

For a comprehensive overview of bypass techniques and how to prevent them, see How to Prevent Filter Bypass.

Frequently Asked Questions

Yes, changing DNS on your router is completely safe and reversible. DNS simply controls which server translates domain names into IP addresses. If anything goes wrong, you can revert to your ISP's default DNS by setting the DNS fields back to "Automatic" or entering your ISP's DNS addresses. CleanBrowsing's DNS servers are reliable, globally distributed, and maintained with 99.99% uptime.

It can. Many ISP DNS servers are slower than third-party options. CleanBrowsing uses anycast routing to direct your queries to the nearest server, which often results in faster DNS resolution times. However, DNS only affects the lookup phase — once a connection is established, your download speed depends on your ISP and plan. The real benefit of switching DNS is the added filtering and security, not raw speed.

Yes, any device that uses DHCP (which is the default for almost all consumer devices) will automatically inherit the router's DNS settings. This includes phones, tablets, laptops, smart TVs, gaming consoles, IoT devices, and guest devices. The only exception is devices that have been manually configured with a different DNS server — which is why locking DNS via firewall rules (Step 8) is recommended for full enforcement.

If you enter an invalid or unreachable DNS address, your devices will be unable to resolve domain names, making it seem like the internet is "down" even though the connection is active. The fix is simple: log back into your router and correct the DNS addresses, or set DNS back to "Automatic." This is why a secondary DNS server is important — if the primary is unreachable, the secondary provides a fallback.

Some ISP-provided routers lock the DNS settings to prevent customers from changing them. This is common with AT&T, Comcast/Xfinity, and some fiber providers. Workarounds include connecting your own router behind the ISP gateway, using bridge mode on the ISP device, or configuring DNS on each device individually. See our full guide on routers that don't allow DNS changes.

It is strongly recommended. While some routers apply DNS changes immediately, many routers cache previous DNS responses internally. A reboot clears the router's DNS cache and ensures all new queries use the updated servers. You should also flush the DNS cache on your computers and devices (see Step 7 for commands) to clear any locally cached records.

Router-level DNS applies to all devices automatically with a single configuration change. Device-level DNS only applies to that specific device and must be configured individually. Router DNS is easier to manage and covers IoT and guest devices, but device-level DNS travels with the device when it leaves your network. For maximum protection, use both. See our Router vs Device Deployment guide for a full comparison.

It depends on your needs. The Family Filter is the strictest — it blocks adult content, malware, phishing, and mixed-content sites (like Reddit and Tumblr). The Adult Filter blocks pornography, malware, and phishing but allows mixed-content sites. The Security Filter only blocks malware and phishing without any content filtering. For households with children, the Family Filter is recommended. For businesses, the Security or Adult filter is typically more appropriate. See our Filters page for full details.

With standard (unencrypted) DNS, your ISP can see that your DNS queries are going to a different server, but they cannot see the content of the responses. If you use encrypted DNS (DoH or DoT, covered in Step 6), your ISP cannot see the DNS queries at all — they are encrypted in transit. Regardless of DNS settings, your ISP can still see the IP addresses you connect to (unless you use a VPN), but they cannot determine which specific pages you visit.

Log into your router's admin panel, navigate to the DNS settings (same location where you made the changes), and either set the DNS fields back to "Automatic" (so the router uses your ISP's defaults) or enter your ISP's specific DNS addresses. Save the changes and reboot the router. Within a few minutes, all devices will revert to your ISP's DNS servers.
