When you configure DNS filtering on your router, all devices on your network use your chosen DNS resolver — such as CleanBrowsing — to look up domain names. This is what makes content filtering work. However, any user with access to their device's network settings can manually change the DNS server to a non-filtering resolver like Google (8.8.8.8) or Cloudflare (1.1.1.1), instantly bypassing your content filter.
This is not a hypothetical concern. It is one of the most common methods of filter bypass, and it requires no technical expertise. On most operating systems, changing DNS settings takes less than a minute and can be done by following a simple online tutorial. Children, students, and employees who want to access blocked content will find these tutorials quickly.
The solution is to configure your router to force all DNS traffic through your chosen filtering resolver, regardless of what individual devices are configured to use. By implementing firewall rules at the router level, you can ensure that DNS queries to unauthorized resolvers are either blocked or transparently redirected to your CleanBrowsing server. This makes local DNS changes ineffective — the router overrides them silently.
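
One way to express the router rules described above, as an added example that is not from the original article: the script prints iptables commands for either approach (redirect or block) instead of applying them. The interface name `br-lan` and the address `192.0.2.53` are assumed placeholders; substitute your router's LAN interface and your CleanBrowsing resolver address.

```shell
#!/bin/sh
# Added example: prints (does not apply) iptables rules that force LAN DNS
# through one filtering resolver. Interface and IP below are assumptions.

# Accept only a dotted-quad IPv4 address so bad input never reaches a rule.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1            # split the address into its four octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# dns_enforce_rules MODE LAN_IF RESOLVER_IP
#   MODE=redirect : rewrite any port-53 query to the filtering resolver
#   MODE=block    : reject port-53 queries addressed to any other resolver
dns_enforce_rules() {
    mode=$1; lan_if=$2; resolver=$3
    is_ipv4 "$resolver" || { echo "invalid resolver IP: $resolver" >&2; return 2; }
    [ -n "$lan_if" ] || { echo "missing LAN interface" >&2; return 2; }
    for proto in udp tcp; do   # DNS falls back to TCP, so cover both
        match="-i $lan_if -p $proto --dport 53 ! -d $resolver"
        case $mode in
            redirect) echo "iptables -t nat -A PREROUTING $match -j DNAT --to-destination $resolver:53" ;;
            block)    echo "iptables -A FORWARD $match -j REJECT" ;;
            *)        echo "unknown mode: $mode" >&2; return 2 ;;
        esac
    done
}

# Constructed sample values: br-lan is a typical LAN bridge name and
# 192.0.2.53 is a documentation address standing in for your resolver.
dns_enforce_rules redirect br-lan 192.0.2.53
```

Review the printed rules before running them as root on the router. They cover IPv4 only, so IPv6 DNS traffic needs equivalent `ip6tables` rules.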