IT Admin Guide to Deploying CleanBrowsing DNS Filtering

A complete deployment guide for IT administrators. From initial account setup to network-wide enforcement, multi-site management, and compliance reporting.

Step 1: Account Setup & IP Binding

Start by creating a paid CleanBrowsing account and binding your network's public IP address. This is how CleanBrowsing identifies your network and applies your custom filter settings.

Key Tasks

  • Set Up Your Paid Account — Access your dashboard, get your assigned DNS IPs, and bind your public IP.
  • Why Your Public IP Matters — How IP binding works, handling dynamic IPs with DDNS, and when IP-based identification isn't enough.
  • CGNAT Issues — If you're on T-Mobile, Starlink, or another CGNAT provider, you share a public IP with other customers. Use DNS profiles with DoT authentication instead.

Dynamic IP Handling

If your ISP assigns a dynamic IP, set up the CleanBrowsing DDNS updater or use the API from a cron job to keep your IP current. IP changes that aren't updated will cause filtering to stop working.

Step 2: Network-Wide DNS Deployment

Deploy CleanBrowsing DNS across your network. The goal is to ensure every device uses CleanBrowsing as its DNS resolver — with no exceptions.

Deployment Options

  • Router vs Device Deployment — Router-level is best for most networks. Device-level is needed when the router doesn't support custom DNS.
  • Router Won't Allow DNS Changes — ISP routers (AT&T, Comcast) that lock DNS. Workarounds: IP passthrough, adding your own router, or device-level configuration.
  • Windows DNS Configuration — Setting DNS on Windows 10/11 via Settings UI, PowerShell, or Group Policy (for domain-joined machines).

Encrypted DNS

For organizations that need encrypted DNS queries (required for some compliance frameworks), CleanBrowsing supports both DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT). See What is Encrypted DNS? for configuration details.

Step 3: Configure Content Filters

With DNS deployed, configure what content to block. CleanBrowsing offers 23+ predefined categories that can be toggled independently.

Filter Configuration

  • All 23+ Content Filters — Full breakdown of every filter category: adult content, malware, VPNs, gaming, social media, streaming, AI chatbots, and more.
  • Free vs Paid Plans — What's included in each plan tier and when you need to upgrade.
  • Enforce SafeSearch — How CleanBrowsing enforces SafeSearch on Google, Bing, and YouTube. Manual VIP configuration for networks that need it.
  • Create a Whitelist Environment — For labs, kiosks, or testing stations: block everything except a curated list of approved domains.

Recommended Configurations by Environment

Environment  | Recommended Filters                                             | Notes
-------------|-----------------------------------------------------------------|----------------------------------------------
K-12 Schools | Adult + VPN + Gaming + Social Media + Essay Mills + AI Chatbots | Meets CIPA requirements
Libraries    | Adult + Malware + VPN                                           | Balance open access with CIPA compliance
Business     | Adult + Malware + Streaming + Social Media                      | Adjust per department using filter profiles
Public Wi-Fi | Adult + Malware + VPN + Gambling                                | Protect guests; use Wi-Fi provider features

Step 4: Enforce DNS & Prevent Bypass

DNS filtering only works if devices actually use your DNS servers. Users (especially students) will attempt to bypass filters using VPNs, alternative DNS, or browser-level DoH. Lock it down.

Enforcement Steps

  • Lock DNS Settings — Use firewall rules (iptables/nftables) to redirect all DNS traffic (port 53) to CleanBrowsing, regardless of what DNS servers devices request.
  • Disable Browser DoH — Chrome, Firefox, and Edge have built-in DoH that bypasses network DNS. Deploy browser policies via GPO or MDM to disable it.
  • Block VPN Access — Block VPN provider domains via DNS filtering and block common VPN ports (1194, 1723, 500, 4500) at the firewall.
  • Block Tor — Block Tor directory authorities and relay IPs at the firewall. DNS filtering alone cannot block Tor.
  • Complete Bypass Prevention — The full guide: forced DNS redirection, DoH/DoT blocking, VPN blocking, and endpoint controls.
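
The port-53 redirect and the port blocks from the enforcement steps above, as an added example (not CleanBrowsing's own configuration): a shell function that prints an nftables ruleset. The interface name br-lan and the 192.0.2.x resolver addresses are placeholders; the table name force_dns and the TCP/UDP split per VPN port are choices made for this example.

```shell
#!/bin/sh
# Added example. 192.0.2.53/192.0.2.54 and "br-lan" are placeholders:
# substitute the DNS IPs from your dashboard and your LAN interface.

# valid_ipv4 ADDR: succeed only for four dot-separated octets in 0-255.
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    rest=$1. count=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}; rest=${rest#*.}
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
        count=$((count + 1))
    done
    [ "$count" -eq 4 ]
}

# gen_ruleset LAN_IF PRIMARY [APPROVED...]: print an nftables ruleset.
# Port-53 traffic to any address outside the approved list is DNATed to PRIMARY.
gen_ruleset() {
    lan_if=$1
    primary=$2
    # Reject interface names that could break out of the quoted string.
    case "$lan_if" in ''|*[!A-Za-z0-9_.-]*) return 2 ;; esac
    [ "$#" -ge 2 ] || return 2
    shift
    approved=
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 2; }
        approved="${approved:+$approved, }$ip"
    done
    cat <<EOF
table ip force_dns {
  chain prerouting {
    type nat hook prerouting priority dstnat; policy accept;
    iifname "$lan_if" ip daddr != { $approved } udp dport 53 dnat to $primary
    iifname "$lan_if" ip daddr != { $approved } tcp dport 53 dnat to $primary
  }
  chain forward {
    type filter hook forward priority filter; policy accept;
    # DoT (853) is allowed only to the approved resolvers.
    iifname "$lan_if" ip daddr != { $approved } tcp dport 853 drop
    # VPN ports from the guide; 500/4500 also carry legitimate IPsec.
    iifname "$lan_if" udp dport { 500, 1194, 4500 } drop
    iifname "$lan_if" tcp dport { 1194, 1723 } drop
  }
}
EOF
}
```

Write the output to a file and validate it with nft -c -f before loading it; if the router runs its own DNS forwarder, pass its LAN address as an extra approved address. The table covers IPv4 only, so IPv6 DNS needs a matching ip6 table or must be blocked separately.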

Understanding the Threats

Step 5: Troubleshoot Common Issues

After deployment, verify that filtering is working and address any conflicts.

Verification & Troubleshooting

  • Verify DNS Configuration — Run DNS leak tests and nslookup checks to confirm CleanBrowsing is active on each network segment.
  • Services That Conflict with DNS Filtering — Comcast xFi, Avast Real Site, AT&T routers, Eero Secure, and T-Mobile Home Internet all interfere with custom DNS. Workaround for each.
  • Understanding DNS TTL — Filter changes take effect within minutes on CleanBrowsing's side, but cached DNS records on devices may persist until the TTL expires. Flush DNS caches on devices for immediate effect.
  • Why DNS Can't Identify Devices — DNS resolvers see your network's public IP, not individual devices. For per-device reporting, deploy CleanBrowsing agents or use VLAN segmentation.

Step 6: Multi-Site & MSP Management

For organizations managing multiple locations or MSPs managing multiple clients, CleanBrowsing offers a multi-tenant management platform.

Multi-Site & Partner Features

  • MSP & Partner Dashboard — Manage multiple customer accounts from a single dashboard. Centralize billing, create independent filter profiles per client, and monitor usage across all accounts.
  • How Categorify Works — Understand the ML-powered engine behind CleanBrowsing's domain categorization. Useful for evaluating filtering accuracy and understanding why specific domains are categorized the way they are.
  • Is CleanBrowsing Effective? — Independent testing results and filtering accuracy data. Useful for procurement justification and vendor evaluation.

Compliance
