How to Prevent DNS Filter Bypass: VPN, DoH & DoT Blocking

Block Every Common Method of Circumventing DNS Content Filtering

DNS filtering only works if users cannot bypass it. This guide covers the three primary bypass methods — local DNS changes, encrypted DNS, and VPN connections — and provides specific firewall rules and strategies to prevent each one.


Step 1: Understanding Bypass Methods

DNS-based content filtering works by intercepting domain name lookups and blocking access to domains in restricted categories. This is effective, lightweight, and easy to deploy — but it has a fundamental dependency: the device must actually use your DNS resolver. If a user can send their DNS queries to a different server, or tunnel them through an encrypted connection, the filter is bypassed entirely.

Users bypass DNS filtering in three primary ways, each exploiting a different weakness:

  • Changing local DNS settings: The simplest method. A user manually sets their device's DNS to a non-filtering resolver like Google (8.8.8.8) or Cloudflare (1.1.1.1). This overrides the DNS server provided by your router via DHCP, and all queries go to the alternate resolver — unfiltered.
  • DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT): These encrypted DNS protocols send DNS queries through encrypted channels to a resolver of the user's choice. Because the queries are encrypted, your network cannot inspect or redirect them. Modern browsers like Firefox and Chrome have built-in DoH support that can be enabled with a few clicks.
  • VPN connections: A VPN creates an encrypted tunnel that carries all traffic — including DNS — through a remote server. The VPN provider's DNS resolver handles lookups inside the tunnel, completely bypassing your network's DNS configuration.

Each method requires a different mitigation strategy. The following steps address each one individually, from the simplest to block (local DNS changes) to the most challenging (VPNs).

Step 2: Blocking Local DNS Changes

The most common bypass method is simply changing DNS settings on a device. It requires no special software and can be done in under a minute on any operating system. Fortunately, it is also the easiest method to prevent — with the right firewall rules on your router.

The approach uses two firewall rules:

  • ALLOW TCP and UDP traffic on port 53 to CleanBrowsing's IP range (185.228.168.0/23)
  • BLOCK all other TCP and UDP traffic on port 53 to any destination

With these rules in place, DNS queries to CleanBrowsing pass through normally, while queries to any other DNS server are silently dropped. If a user changes their device's DNS to 8.8.8.8, the query is blocked by the firewall, and the device receives no response. Most devices will then fall back to the DHCP-provided DNS (your router's setting, which points to CleanBrowsing), restoring filtered resolution.

For a smoother user experience, consider using DNS redirection (DNAT) instead of blocking. A DNAT rule transparently rewrites the destination of unauthorized DNS queries to point to CleanBrowsing. The user's device still gets a response — it just comes from CleanBrowsing instead of the server they intended. This avoids timeout errors and makes the override invisible to the user.

A typical iptables DNAT rule for UDP looks like (a matching rule with -p tcp covers DNS over TCP):

iptables -t nat -A PREROUTING -p udp --dport 53 ! -d 185.228.168.0/23 -j DNAT --to-destination 185.228.168.168:53

For detailed, step-by-step instructions on configuring these rules on various router platforms, see our guide on how to lock DNS settings.

Step 3: Blocking DNS-over-HTTPS (DoH)

DNS-over-HTTPS (DoH) encrypts DNS queries and sends them over HTTPS (port 443) — the same port used by all regular web traffic. This makes DoH significantly harder to block than standard DNS, because you cannot simply block port 443 without also blocking all web browsing. DoH is built into modern browsers like Firefox and Chrome, and users can enable it in browser settings to bypass your DNS filter without installing any additional software.

Despite the difficulty, there are several effective mitigations:

  • Mozilla canary domain: CleanBrowsing supports Mozilla's canary domain mechanism (use-application-dns.net). When Firefox detects that this domain is blocked by the network's DNS resolver (which CleanBrowsing does), it automatically disables DoH and falls back to standard DNS. This is the simplest and most effective mitigation for Firefox users.
  • Block DoH provider domains: CleanBrowsing's "Proxy & VPN" content category includes known DoH server domains (like dns.google, cloudflare-dns.com, dns.quad9.net). Enabling this category blocks DNS resolution of these domains, preventing browsers from establishing DoH connections to them.
  • Block DoH provider IPs at the firewall: For stronger protection, block the IP addresses of major public DoH providers at the firewall level. The primary targets are Google (8.8.8.8, 8.8.4.4), Cloudflare (1.1.1.1, 1.0.0.1), and Quad9 (9.9.9.9). Blocking HTTPS traffic to these specific IPs prevents DoH connections without affecting general web browsing.
  • Disable DoH in browser settings: On managed devices (school Chromebooks, company laptops), use group policies or MDM profiles to disable DoH in browser settings. This is the most reliable approach for devices you administer.

For a detailed walkthrough of disabling DoH in specific browsers, see our guide on how to disable DNS-over-HTTPS.

Step 4: Blocking DNS-over-TLS (DoT)

DNS-over-TLS (DoT) is another encrypted DNS protocol, similar in purpose to DoH but with one important difference: DoT operates on its own dedicated port — TCP port 853. Unlike DoH, which shares port 443 with all HTTPS traffic, DoT's use of a unique port makes it straightforward to identify and block.

To prevent DoT-based bypass, create a single firewall rule:

  • BLOCK all outbound TCP traffic on port 853

This rule prevents any device on your network from establishing a DNS-over-TLS connection to any external resolver. Since port 853 is used exclusively for DoT (unlike port 443, which is shared with web traffic), blocking it has no side effects on normal internet usage. Web browsing, email, streaming, and all other services continue to work normally.

Android devices deserve special attention here. Starting with Android 9 (Pie), Android includes a "Private DNS" feature that uses DNS-over-TLS by default. If a user enters a DoT hostname (like dns.google) in the Private DNS setting, all DNS queries from that device are encrypted and sent to the specified resolver on port 853, bypassing your network's DNS filter entirely. Blocking port 853 at the firewall prevents this, forcing the Android device to fall back to standard unencrypted DNS — which is then handled by your router's CleanBrowsing configuration.

Note that blocking port 853 only prevents DoT to external resolvers. If you want to use CleanBrowsing's own DoT service for encrypted resolution, you would need to create an allow rule for CleanBrowsing's IP addresses on port 853 before the block rule, similar to the approach used for standard DNS in Step 2.

Step 5: Blocking VPN Connections

VPNs are the most challenging bypass method to counter. A VPN encrypts all traffic — not just DNS — and routes it through a remote server. Inside the encrypted tunnel, the VPN provider's own DNS resolver handles lookups, completely bypassing your network's DNS configuration. Unlike DoH and DoT, which only encrypt DNS queries, a VPN makes all internet activity invisible to your network.

Effective VPN prevention requires a multi-layered approach:

  • DNS-level blocking: Enable CleanBrowsing's "Proxy & VPN" content category to block DNS resolution of known VPN provider domains (nordvpn.com, expressvpn.com, protonvpn.com, etc.). This prevents users from visiting VPN websites, downloading VPN apps, and resolving VPN server hostnames.
  • Firewall port blocking: Block common VPN protocol ports at the router firewall:
    • OpenVPN: UDP port 1194
    • WireGuard: UDP port 51820
    • L2TP: UDP port 1701
    • IKEv2/IPSec: UDP ports 500 and 4500
    • PPTP: TCP port 1723
  • Device management: On managed devices, restrict app installations to prevent users from downloading VPN apps. Use MDM profiles, Screen Time (iOS), or Family Link (Android) to control which apps can be installed.
  • Traffic monitoring: Monitor for unusual patterns of encrypted traffic. A device sending large volumes of data to a single IP address on an unusual port may indicate a VPN connection.
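As an added example (not CleanBrowsing's own script), the firewall rules from Steps 2 through 5 combined into one iptables script for a Linux router that forwards LAN traffic; the interface name br-lan and the IPT dry-run variable are assumptions, the addresses and ports are the ones given in this guide:

```shell
#!/bin/sh
# Added example (not CleanBrowsing's own script): iptables rules for the
# policies in Steps 2 to 5, for a Linux router that forwards LAN traffic.
# Assumptions: the LAN interface name in LAN_IF, CleanBrowsing's range
# 185.228.168.0/23 and resolver 185.228.168.168 as given in the guide.
# Set IPT=echo to print the rules instead of applying them (dry run).
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-br-lan}"
CB_NET="185.228.168.0/23"
CB_DNS="185.228.168.168"

apply_dns_lock() {
    # Step 2: rewrite DNS aimed at any other resolver to CleanBrowsing (DNAT),
    # then allow port 53 only to CleanBrowsing and drop anything that slipped by.
    for proto in udp tcp; do
        $IPT -t nat -A PREROUTING -i "$LAN_IF" -p "$proto" --dport 53 \
            ! -d "$CB_NET" -j DNAT --to-destination "$CB_DNS:53"
        $IPT -A FORWARD -i "$LAN_IF" -p "$proto" --dport 53 -d "$CB_NET" -j ACCEPT
        $IPT -A FORWARD -i "$LAN_IF" -p "$proto" --dport 53 -j DROP
    done
}

apply_dot_block() {
    # Step 4: allow DoT only to CleanBrowsing, block it to every other resolver.
    $IPT -A FORWARD -i "$LAN_IF" -p tcp --dport 853 -d "$CB_NET" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -p tcp --dport 853 -j DROP
}

apply_doh_ip_block() {
    # Step 3: drop HTTPS to the public DoH resolver IPs named in the guide.
    for ip in 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 9.9.9.9; do
        $IPT -A FORWARD -i "$LAN_IF" -p tcp --dport 443 -d "$ip" -j DROP
    done
}

apply_vpn_port_block() {
    # Step 5: drop the common VPN protocol ports listed in the guide.
    for p in udp/1194 udp/51820 udp/1701 udp/500 udp/4500 tcp/1723; do
        $IPT -A FORWARD -i "$LAN_IF" -p "${p%/*}" --dport "${p#*/}" -j DROP
    done
}

apply_all() {
    apply_dns_lock; apply_dot_block; apply_doh_ip_block; apply_vpn_port_block
}

# Run as:  sh dnslock.sh apply   (or IPT=echo sh dnslock.sh apply to preview)
if [ "${1:-}" = apply ]; then apply_all; fi
```

These FORWARD rules must sit before any general ACCEPT rule in the chain (use -I instead of -A on routers that already accept all forwarded traffic), otherwise the earlier accept wins and the drops never match.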

It is important to acknowledge a limitation: sophisticated VPN services can tunnel traffic over port 443 (HTTPS), making the VPN connection indistinguishable from normal web browsing at the network level. Some VPN providers specifically design their protocols to evade detection — a technique called obfuscation. No firewall rule can reliably block these connections without also blocking legitimate HTTPS traffic.

This is why no single solution blocks all VPNs. Effective prevention requires combining DNS filtering (to block VPN provider domains), firewall rules (to block known VPN ports), device management (to prevent VPN app installation), and monitoring (to detect bypass attempts). The goal is to make VPN usage difficult enough that casual attempts fail, while recognizing that a determined and technically skilled user may find ways around these controls.
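As an added example of the monitoring layer (not from the original page), a small shell and awk filter that flags the bypass patterns described in this guide in a per-connection log; the log format and the sample lines are constructed for this example, and only CleanBrowsing's 185.228.168.0/23 range is treated as a permitted resolver:

```shell
#!/bin/sh
# Added example: flag flows that look like DNS-filter bypass attempts.
# Log format (constructed for this example, one flow per line):
#   <timestamp> <src_ip> <dst_ip> <proto> <dst_port>
flag_bypass_attempts() {
    awk '
    # CleanBrowsing range 185.228.168.0/23 = 185.228.168.x and 185.228.169.x
    function in_cb(ip) { return ip ~ /^185\.228\.(168|169)\./ }
    BEGIN {
        split("8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 9.9.9.9", l, " ")
        for (i in l) doh_ip[l[i]] = 1
        split("udp/1194 udp/51820 udp/1701 udp/500 udp/4500 tcp/1723", v, " ")
        for (i in v) vpn[v[i]] = 1
    }
    {
        ts = $1; src = $2; dst = $3; key = $4 "/" $5; port = $5
        if (port == 53 && !in_cb(dst))
            print ts, src, "DNS to non-filtering resolver", dst
        else if (port == 853 && !in_cb(dst))
            print ts, src, "DoT (port 853) to", dst
        else if (port == 443 && (dst in doh_ip))
            print ts, src, "HTTPS to known DoH resolver", dst
        else if (key in vpn)
            print ts, src, "VPN protocol port", key, "to", dst
    }'
}

# Constructed sample log: one normal lookup, one of each bypass pattern,
# plus DoT to CleanBrowsing and ordinary HTTPS, which must not be flagged.
SAMPLE_LOG='2024-05-01T08:00:01 192.168.1.20 185.228.168.168 udp 53
2024-05-01T08:00:02 192.168.1.21 8.8.8.8 udp 53
2024-05-01T08:00:03 192.168.1.22 1.1.1.1 tcp 853
2024-05-01T08:00:04 192.168.1.22 185.228.168.10 tcp 853
2024-05-01T08:00:05 192.168.1.23 1.1.1.1 tcp 443
2024-05-01T08:00:06 192.168.1.24 203.0.113.9 udp 51820
2024-05-01T08:00:07 192.168.1.25 203.0.113.9 tcp 443'

# Run as:  sh dnsbypass-watch.sh demo   (or pipe a real log into the function)
if [ "${1:-}" = demo ]; then printf '%s\n' "$SAMPLE_LOG" | flag_bypass_attempts; fi
```

The filter only sees the ports and addresses this guide lists, so a VPN tunnelled over port 443 to an unknown address produces no alert; that is the limitation described above, not something a port-based check can close.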

For a detailed walkthrough of VPN blocking strategies, see our guide on how to block VPN access on your network.
