DNS Filtering: Router vs Device — Which is Better?

Choosing the Right Deployment Strategy for Your Network

DNS filtering can be configured at the router level, on individual devices, or both. Each approach has distinct advantages and trade-offs. This guide helps you choose the right strategy based on your network, your devices, and the level of protection you need.

Step 1: Router Deployment

Configuring DNS filtering at the router is the recommended starting point for most users. When you change the DNS settings on your router, every device that connects to your network automatically uses your chosen filtering resolver. There is no need to configure each device individually — laptops, phones, tablets, smart TVs, gaming consoles, and IoT devices are all protected the moment they connect.

This "set it and forget it" approach is what makes router deployment so appealing. One configuration change on one device protects your entire network. For families, this means every device a child uses at home is filtered, even devices you might not think about — smart TVs with built-in browsers, gaming consoles with web access, and IoT devices that could be exploited. For schools and libraries, router deployment provides network-wide compliance with content policies. For businesses, it ensures consistent filtering across all connected devices without requiring endpoint software.

Router deployment is especially effective when combined with DNS locking — firewall rules that prevent individual devices from overriding the router's DNS settings. Without DNS locking, a user can simply change their device's DNS to a non-filtering resolver like 8.8.8.8 and bypass the filter. With DNS locking in place, the router intercepts or blocks these unauthorized DNS queries, making the filter much harder to circumvent.
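One way to confirm from a client device that DNS locking is actually in effect, whatever router or firewall enforces it (an added example, not CleanBrowsing's own tooling). It assumes plain DNS over UDP port 53 only; the test name example.com and the RFC 5737 documentation address 192.0.2.53, where no real DNS server exists, are choices made for this example.

```python
import secrets
import socket
import struct

PUBLIC_RESOLVER = "8.8.8.8"   # the non-filtering resolver named in the text
NO_DNS_HERE = "192.0.2.53"    # assumption: RFC 5737 address, nothing real answers here
TEST_NAME = "example.com"     # assumption: any ordinary resolvable name will do

def build_query(name, txid):
    """Encode a minimal DNS query (type A, class IN, recursion desired)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def is_reply_to(packet, txid):
    """True if packet is a DNS response (QR bit set) carrying our transaction ID."""
    if len(packet) < 12:
        return False
    rid, flags = struct.unpack("!HH", packet[:4])
    return rid == txid and bool(flags & 0x8000)

def probe(server, name=TEST_NAME, timeout=3.0):
    """Send one UDP query to server:53; True if a matching reply comes back."""
    txid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, txid), (server, 53))
            data, _ = s.recvfrom(512)
        except OSError:  # timeout, ICMP unreachable, or no route
            return False
    return is_reply_to(data, txid)

def classify(public_answered, no_dns_answered):
    """Map the two probe results to the state of the DNS lock."""
    if no_dns_answered:
        return "intercepted"  # a reply "from" an address with no server: port 53 is redirected
    if not public_answered:
        return "blocked"      # direct queries to outside resolvers are dropped
    return "bypassable"       # an outside resolver answered directly: no lock in place

if __name__ == "__main__":
    # Run on a device inside the filtered network.
    print("DNS lock status:", classify(probe(PUBLIC_RESOLVER), probe(NO_DNS_HERE)))
```

Run it while the device otherwise has working internet access, since a complete loss of connectivity also reports "blocked".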

The primary limitation of router-level filtering is that it only applies while devices are connected to your network. The moment a child's phone connects to a different WiFi network, a cellular data connection, or a friend's hotspot, the router's DNS filter no longer applies. This is where device-level deployment becomes important.

Step 2: Device Deployment

Device-level DNS filtering involves configuring DNS settings directly on individual devices — smartphones, tablets, laptops, and Chromebooks. Unlike router deployment, which only protects devices while they are on your network, device-level configuration follows the device wherever it goes. Whether a child is at home, at school, at a friend's house, or on a cellular data connection, the DNS filter remains active.

This portability makes device deployment ideal for several scenarios:

  • Children's mobile devices: Phones and tablets that leave the house regularly need protection that travels with them. A router filter does nothing when the child is on school WiFi or cellular data.
  • Company-issued laptops: Remote workers use their laptops on home networks, coffee shop WiFi, hotel networks, and other uncontrolled environments. Device-level DNS filtering ensures consistent policy regardless of the network.
  • School Chromebooks: Many schools issue Chromebooks to students for home use. Device-level DNS configuration ensures filtering continues outside the school's network.
  • BYOD environments: In workplaces that allow employees to bring their own devices, device-level DNS can be deployed through mobile device management (MDM) profiles.

The trade-off with device deployment is that the settings can potentially be changed or removed by users with admin access to the device. On unmanaged personal devices, a tech-savvy user can revert the DNS settings in a matter of seconds. On managed devices (those enrolled in an MDM platform like Jamf, Intune, or Google Workspace), DNS settings can be enforced through policies that users cannot override. The level of protection depends heavily on how much control you have over the device.

Device-level DNS configuration is also more labor-intensive than router deployment. Each device must be configured individually, and if you have a large number of devices, this can be time-consuming. MDM platforms can automate this process, but setting up MDM is itself a non-trivial undertaking for smaller organizations.

Step 3: Comparison Table

The following table summarizes the key differences between router-level and device-level DNS filtering. Use it to determine which approach — or combination of approaches — best fits your situation.

| Feature | Router Deployment | Device Deployment |
|---|---|---|
| Coverage | All devices on the network | Single device only |
| Off-network protection | No — only when connected to the configured network | Yes — protection follows the device |
| IoT device coverage | Yes — smart TVs, consoles, IoT devices are covered | No — most IoT devices cannot be individually configured |
| Setup effort | One-time configuration on the router | Per-device configuration required |
| User can bypass | No — if DNS is locked with firewall rules | Possibly — if user has admin/device-owner access |
| Best for | Home networks, offices, schools | Mobile devices, remote workers, BYOD |
| Requires special router | Router must allow custom DNS settings | No router requirements |
| Cellular data coverage | No — cellular connections bypass the router | Yes — DNS settings apply on cellular too |

As the table shows, neither approach is universally superior. Router deployment excels at blanket network coverage with minimal effort, while device deployment provides portable protection that works everywhere. The limitations of each approach are addressed by the other, which is why the recommended strategy uses both.

Step 4: The Best Approach: Use Both

The most effective DNS filtering strategy combines router-level and device-level deployment. This layered approach ensures that devices are always filtered regardless of which network they are connected to, while also covering IoT devices and other equipment that cannot be individually configured.

Here is how to implement a combined deployment:

  • Step one — Router: Configure your home or office router to use CleanBrowsing as its DNS resolver (185.228.168.168 and 185.228.169.168). This immediately protects all network-connected devices. If your router supports firewall rules, lock the DNS settings to prevent local overrides.
  • Step two — Devices: On phones, tablets, and laptops that leave the network, configure DNS at the device level as well. This ensures filtering continues when the device connects to other WiFi networks or cellular data.
  • Step three — Profiles: CleanBrowsing's paid plans support user profiles that allow you to apply different filtering rules to different devices or device groups. For example, you might use a strict "Family" filter for children's devices and a lighter "Adult" filter for parents' devices — all managed from the same CleanBrowsing dashboard.

This combined approach covers the widest range of scenarios. At home, the router filter protects everything — including smart TVs, gaming consoles, and guest devices. Away from home, device-level DNS ensures that phones and laptops remain filtered on school WiFi, coffee shop networks, and cellular connections. The two layers complement each other, and when combined with bypass prevention techniques, they provide a robust filtering solution that is difficult to circumvent.

If you are just getting started with DNS filtering, begin with router deployment — it provides the most coverage for the least effort. Then add device-level configuration to the devices that matter most, typically children's phones and tablets. You can expand from there as needed.
