How DNS Filtering Works

From DNS query to allow or block, step by step

DNS filtering works by routing every domain lookup through a filtering resolver. Before a website ever loads, the resolver checks the requested domain against a filter policy and returns either the site's real address or a block response. The diagram below shows the full path a single request takes.

Get Started

In short: a device asks a DNS resolver for the address of a domain. With DNS filtering, that resolver is a filtering resolver. It compares the domain against a policy of categories and custom lists, then either returns the real IP address so the site loads, or returns a block response so the site never connects. The decision happens in milliseconds, before any page content is downloaded.

How DNS filtering works A device sends a DNS query to the CleanBrowsing filtering resolver. The resolver checks the requested domain against its filter policy of categories and custom lists. If the domain is allowed, the resolver returns the real IP address and the website loads. If the domain is blocked, the resolver returns a block response and the website does not load. Your Device laptop, phone, TV 1. "example.com?" CleanBrowsing DNS Resolver 2. check policy Filter Policy categories + lists allowed blocked Allowed real IP returned the site loads Blocked block response returned the site does not load
The journey of a single DNS request through a filtering resolver.

Step 1: The device sends a DNS query

Every time a device opens a website, it first needs the site's IP address. It sends a DNS query, for example "what is the address for example.com", to whichever DNS resolver it is configured to use.

This happens for every domain, on every device, before any content loads, which is what makes DNS a natural control point for content filtering.

Step 2: A filtering resolver receives the query

DNS filtering works by pointing the device, or the whole network at the router, to a filtering resolver instead of the default resolver from the internet provider. The CleanBrowsing resolver receives the same query, but it does more than a plain lookup. Before answering, it evaluates the domain against a filter policy.

Step 3: The domain is checked against the policy

The filter policy is the set of rules tied to the profile making the request. It includes the content categories that are turned on, such as adult content, proxies, or malware, plus any custom block and allow lists. The resolver matches the requested domain against that policy to decide whether it should be served or stopped.

  • A custom allow entry always wins, so trusted sites stay reachable.
  • A custom block entry, or a domain that falls under an enabled category, is stopped.
  • Anything not matched is treated as normal traffic and returned as usual.

Step 4: The resolver returns allow or block

Based on that decision, the resolver returns one of two answers. For an allowed domain it returns the real IP address, the connection proceeds, and the site loads normally. For a blocked domain it returns a block response instead of the real address, so the browser never connects and the user sees a block page or a failed lookup.

  • It acts before content loads. The request is evaluated at lookup time, so blocked content is never downloaded.
  • No software required. Filtering happens by changing a network setting, with no agent on each device.
  • Every device is covered. Set at the router, it protects computers, phones, tablets, smart TVs, and more.
  • Encrypted options exist. Modern filtering supports encrypted DNS over DoH and DoT.

Step 5: DNS filtering with CleanBrowsing

CleanBrowsing is a DNS-based content filtering service used by families, schools, and businesses, processing over 355 billion requests a month across 70+ data centers.

It offers three free filters (Security, Adult, and Family) and paid plans with custom categories, allow and block lists, scheduling, and activity logs. For the broader background, see what is DNS filtering and how to prevent filter bypass.

Ready to try DNS filtering?

Set up in minutes and start protecting your network from harmful content, malware, and unwanted distractions.

Explore Our Free DNS Filters

Last updated: June 5, 2026