CleanBrowsing works at the network level, specifically via the Domain Name System (DNS).
Via DNS, we can intercept outgoing requests and determine whether each one should be accessible based on the rules created in your account.
- Do you allow social media? Should we allow Twitter?
- Do you allow adult / pornographic content? Should we allow pornhub?
- Do you block mixed content? Should we block reddit?
The power of working at the network level is that it makes the service agnostic to any specific platform (e.g., Nintendo, TV, Desktop, Notebook, Linux, Mac, Windows, etc…). If a device connects to the network, it undoubtedly makes use of DNS.
The downside of working at the network level is that we’re limited to the network, and cannot see what is happening at the device level. This will make more sense in a bit.
Public vs Private IPs
Every network has a public and a private IP. The public IPs are issued by your Internet Service Provider (ISP), while the private IP is issued by the router on your network.
The illustration below shows you what this means:
In the illustration above we share these values for IPs:
- Public IP: 220.127.116.11
- Private IP: 10.0.0.1, 10.0.0.2, etc…
Yes, every device has a unique IP, but that unique IP is issued by the Dynamic Host Configuration Protocol (DHCP) on your router, while the public IP is issued by the DHCP on the ISP’s router to your router.
The public IP is considered to be part of the Wide Area Network (WAN) while the private IP is part of the Local Area Network (LAN). The LAN is comprised of your desktops, notebooks, laptops, phones, printers, etc. The outside world can’t see them, hopefully, but you can from inside the network.
CleanBrowsing DNS and Public IPs
When using the free filters, the toughest part of the job is updating DNS on the device. When you use our paid plans, things change. The platform doesn’t know where to apply the rules; that is why public IPs matter.
Every time you create a profile in your CleanBrowsing account you get issued a new set of shared DNS IPs.
They look something like this:
- Primary DNS: 18.104.22.168
- Secondary DNS: 22.214.171.124
These IPs are IPv4, and shared. That means other users are leveraging the same IP pair. No, this does not present a security issue. But it presents a problem in which we have to figure out where to apply the rules. We do this by binding the DNS pair issued in a profile to the public IP recorded in the account.
Building this relationship is a critical step. Without it, the system doesn’t know where to apply the rules.
In addition to the IPv4 values, we also issue IPv6 values. Because IPv6 is unique, it doesn’t require a public IP to be recorded. If you have the ability to deploy IPv6 and disable IPv4, we encourage that, but it’s highly unlikely to have a whole network that is only operating off of IPv6. That is why this article focuses on IPv4.
Public IPs Can Be Dynamic
A public IP changing is the number 1 reason a service switches from “active” to “inactive”.
The big challenge with our approach is when public IPs are updated, which happens. Because of the shortage of IPv4 addresses, ISPs have a tendency to rotate public IPs frequently. This is especially true on residential services, but can occur with commercial ones as well.
The two leading reasons include:
- The router is rebooted;
- The ISP dynamically does it at some set frequency (e.g., daily, monthly, annually);
An ISP can issue a static IP, but that might come with additional costs and has to be requested.
Because all devices share the same public IP on the same network, you only need to update the IP from one device and it will affect the entire network.
Alternatively, most routers employ a Dynamic Device option with a third-party (e.g., No-IP, DynDNS). We allow those services to be used in all paid accounts as well.
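The binding described above, and what a rotation does to it, as an added example that is not CleanBrowsing's code: a toy model of one shared IPv4 DNS pair that picks rules by the source public IP. The class and function names, the "no-profile" label, the category names and the 203.0.113.x addresses (a documentation range) are all constructed for illustration.

```python
import ipaddress

# RFC 1918 ranges that routers hand out on the LAN side; a resolver never sees them.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_lan_address(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


class SharedResolver:
    """Toy model of one shared IPv4 DNS pair used by many accounts."""

    def __init__(self):
        self.by_account = {}   # account name -> recorded public IP
        self.by_source = {}    # recorded public IP -> blocked categories

    def record_public_ip(self, account, public_ip, blocked):
        # Recording a LAN address is a common mistake; it can never match a query.
        if is_lan_address(public_ip):
            raise ValueError(f"{public_ip} is a private (LAN) address")
        old = self.by_account.get(account)
        if old is not None:
            self.by_source.pop(old, None)  # drop the stale binding
        self.by_account[account] = public_ip
        self.by_source[public_ip] = set(blocked)

    def decide(self, source_ip, category):
        rules = self.by_source.get(source_ip)
        if rules is None:
            return "no-profile"  # assumed label for a query from an unrecorded IP
        return "block" if category in rules else "allow"


def simulate_rotation():
    """Constructed scenario: the ISP swaps the WAN address of one network."""
    resolver = SharedResolver()
    resolver.record_public_ip("home", "203.0.113.10", {"adult", "mixed"})
    results = [resolver.decide("203.0.113.10", "adult")]      # bound
    results.append(resolver.decide("203.0.113.77", "adult"))  # rotated, not recorded
    resolver.record_public_ip("home", "203.0.113.77", {"adult", "mixed"})
    results.append(resolver.decide("203.0.113.77", "adult"))  # re-bound
    results.append(resolver.decide("203.0.113.10", "adult"))  # old address released
    return results


if __name__ == "__main__":
    print(simulate_rotation())
```

Every device behind the router keeps its 10.0.0.x address throughout; only the source address seen by the resolver changes, which is why a single update from any one device restores filtering for the whole network.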
Public IPs Don’t Always Matter
Public IPs don’t always matter, and it really comes down to how CleanBrowsing is deployed on the network. Here are a few instances where the public IP no longer matters:
- The Free filters;
- DNS-over-HTTPS stamps;
- The iOS app;
- The Android Private DNS option;
- The iOS / Big Sur mobile config file;
The free filter by design applies rules to anyone that uses it, which is why the public IP doesn’t matter there.
The other options mentioned make use of the latest in DNS encryption (e.g., DoH, DoT) to create unique stamps. These unique configurations allow us to know exactly where to apply specific rules without the public IP value.
What is my Public IP?
If you’re curious what your public IP is, simply use our https://dnsleaktest.com/ site.
We hope this article helps, but if you have any further questions please leave them in the comments or send them to us via email at firstname.lastname@example.org.