How to Lock DNS Settings and Force DNS on Your Network

Force All DNS Traffic Through Your Chosen Resolver

Configuring DNS filtering is only half the battle. If users on your network can change their device's DNS settings, they can bypass your filter entirely. Learn how to use firewall rules and DNS redirection to ensure your content filtering stays in place.


Step 1: Why Lock DNS Settings?

When you configure DNS filtering on your router, all devices on your network use your chosen DNS resolver — such as CleanBrowsing — to look up domain names. This is what makes content filtering work. However, any user with access to their device's network settings can manually change the DNS server to a non-filtering resolver like Google (8.8.8.8) or Cloudflare (1.1.1.1), instantly bypassing your content filter.

This is not a hypothetical concern. It is one of the most common methods of filter bypass, and it requires no technical expertise. On most operating systems, changing DNS settings takes less than a minute and can be done by following a simple online tutorial. Children, students, and employees who want to access blocked content will find these tutorials quickly.

The solution is to configure your router to force all DNS traffic through your chosen filtering resolver, regardless of what individual devices are configured to use. By implementing firewall rules at the router level, you can ensure that DNS queries to unauthorized resolvers are either blocked or transparently redirected to your CleanBrowsing server. This makes local DNS changes ineffective — the router overrides them silently.

Step 2: Firewall Rules (The Core Technique)

The fundamental approach to locking DNS uses two firewall rules that work together. These rules are configured on your router and apply to all traffic passing through the network:

  • Rule 1 — ALLOW: Permit DNS traffic (port 53, both TCP and UDP) to your chosen DNS resolver IPs. For CleanBrowsing, these are 185.228.168.168 and 185.228.169.168.
  • Rule 2 — BLOCK: Block all other DNS traffic on port 53 (TCP and UDP) to any destination not specified in Rule 1.

The allow rule takes priority, so DNS queries directed at CleanBrowsing work normally. Any attempt to use a different DNS server — whether it is Google (8.8.8.8), Cloudflare (1.1.1.1), Quad9 (9.9.9.9), or any other resolver — is blocked by the second rule. The device making the unauthorized DNS request will simply receive no response, and the user will be unable to resolve domain names through any server other than CleanBrowsing.

Some routers also support DNS redirection using DNAT (Destination Network Address Translation) rules. Instead of blocking unauthorized DNS queries, DNAT transparently redirects them to your chosen resolver. This is often a better user experience because the device still receives a valid DNS response — it just comes from CleanBrowsing instead of the server the device intended to use. The user may not even realize their DNS change was overridden.

A typical DNAT rule looks like this in iptables syntax:

iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to-destination 185.228.168.168:53

This rule intercepts all DNS queries on UDP port 53 that arrive at the router from the LAN and rewrites their destination to CleanBrowsing's IP address before routing. Because connection tracking reverses the translation on the reply, the device sees an answer that appears to come from the server it asked, which is why the change goes unnoticed. Combined with a similar rule for TCP port 53, this ensures comprehensive DNS redirection for standard (unencrypted) DNS traffic.

Step 3: Router Firmware Options

Many consumer routers from ISPs and retail stores do not expose firewall rule configuration in their web interface. If your router's admin panel does not allow you to create custom firewall rules, you have several options to consider:

  • DD-WRT: An open-source router firmware that provides full firewall control, including iptables rules and DNS redirection. Check compatibility at dd-wrt.com. In DD-WRT, you can enable "Forced DNS Redirection" under the Basic Setup page, and configure your CleanBrowsing IPs in the Static DNS fields.
  • OpenWrt: Another popular open-source firmware option with extensive firewall capabilities. OpenWrt provides a web-based firewall configuration tool (LuCI) as well as command-line access for advanced iptables rules.
  • Ubiquiti (UniFi / EdgeRouter): Ubiquiti's product line is designed for advanced networking and provides full firewall rule support out of the box. The UniFi Dream Machine and EdgeRouter series are popular choices for families and small organizations that need DNS locking.
  • MikroTik: Professional-grade routers with comprehensive firewall and NAT capabilities. MikroTik's RouterOS supports DNS redirection natively.
  • pfSense / OPNsense: Open-source firewall distributions that run on standard PC hardware. These offer the most flexibility but require more technical knowledge to set up.

If replacing your router is not practical, you can also add a second router behind your ISP's router. Connect the new router's WAN port to a LAN port on the ISP router, configure DNS and firewall rules on the new router, and connect your devices to the new router's WiFi. See our guide on what to do when your router doesn't allow DNS changes for detailed instructions on this approach.

Step 4: Verifying It Works

After configuring your firewall rules, it is important to verify that DNS locking is actually working. The test is straightforward: try to use a non-CleanBrowsing DNS server from a device on your network and see what happens.

From any device connected to your network, temporarily change the DNS settings to a non-CleanBrowsing server — for example, Cloudflare's 1.1.1.1. Then open a terminal or command prompt and run:

nslookup example.com 1.1.1.1

If DNS redirection (DNAT) is working correctly, you will still receive a valid response, but the query will have been silently redirected to CleanBrowsing's resolver. You can confirm this by querying a domain you know is blocked by your CleanBrowsing filter — if the domain is still blocked even though you specified a different DNS server, redirection is working.

If you used the blocking approach (instead of DNAT), the nslookup command should time out or return an error, because the DNS query to 1.1.1.1 was blocked by your firewall rule. Either result confirms that local DNS changes are being overridden by the router.
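The check above as a small script, added here as an example rather than CleanBrowsing's own tooling. It assumes dig is installed on the client device and that you pass a domain your CleanBrowsing filter blocks; 1.1.1.1 (OTHER) stands in for whatever non-CleanBrowsing resolver the device was switched to, and the decision logic is kept in its own function so it can be checked without network access.

```shell
#!/bin/sh
# Added example (not CleanBrowsing's tooling): automates the Step 4 test.
# Assumes dig is installed on a LAN device; pass a domain your filter blocks as $1.
CB="185.228.168.168"          # CleanBrowsing resolver from the page
OTHER="${OTHER:-1.1.1.1}"     # any non-CleanBrowsing resolver the device might be set to

# Query one resolver for A records. Prints the sorted answer on one line,
# or TIMEOUT when the firewall blocked the query (no reply / port unreachable).
query() {  # $1 = resolver IP, $2 = domain
    ans=$(dig +short +time=2 +tries=1 "@$1" "$2" A 2>/dev/null)
    rc=$?
    [ "$rc" -ne 0 ] && { echo TIMEOUT; return; }
    case "$ans" in
        *"timed out"*|*"no servers could be reached"*) echo TIMEOUT ;;
        *) printf '%s\n' "$ans" | sort | tr '\n' ' ' ;;
    esac
}

# Pure decision logic: $1 = answer from CleanBrowsing, $2 = answer from OTHER
# for the same blocked domain.
verdict() {
    if [ "$1" = TIMEOUT ]; then
        echo "ERROR: no reply from CleanBrowsing itself; check connectivity first"
    elif [ "$2" = TIMEOUT ]; then
        echo "LOCKED (blocked): query to $OTHER got no reply, so the BLOCK rule is active"
    elif [ "$2" = "$1" ]; then
        echo "LOCKED (redirected): $OTHER returned CleanBrowsing's answer, so DNAT is active"
    else
        echo "NOT LOCKED: $OTHER answered differently, so the device bypassed the filter"
    fi
}

check_dns_lock() {  # $1 = a domain your CleanBrowsing filter blocks
    cb=$(query "$CB" "$1")
    other=$(query "$OTHER" "$1")
    verdict "$cb" "$other"
}

case "${1:-}" in
    "") ;;
    *)  check_dns_lock "$1" ;;
esac
```

Use a domain the filter blocks, as the text says: for an unfiltered domain two resolvers can legitimately return different addresses, which would show up as NOT LOCKED.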

Remember that these firewall rules only affect standard DNS traffic on port 53. Encrypted DNS protocols like DNS-over-HTTPS (DoH) use port 443 and require additional mitigation. See our guide on preventing DNS filter bypass for a comprehensive approach that addresses encrypted DNS and VPN-based bypass methods as well.
