IT Admin Guide to Deploying CleanBrowsing DNS Filtering

A complete deployment guide for IT administrators, covering everything from initial account setup to network-wide enforcement, multi-site management, and compliance reporting.

Step 1: Account Setup & IP Binding

Start by creating a paid CleanBrowsing account and binding your network's public IP address. This is how CleanBrowsing identifies your network and applies your custom filter settings.

Key Tasks

  • Set Up Your Paid Account — Access your dashboard, get your assigned DNS IPs, and bind your public IP.
  • Why Your Public IP Matters — How IP binding works, handling dynamic IPs with DDNS, and when IP-based identification isn't enough.
  • CGNAT Issues — If you're on T-Mobile, Starlink, or another CGNAT provider, you share a public IP with other customers. Use DNS profiles with DoT authentication instead.

Dynamic IP Handling

If your ISP assigns a dynamic IP, set up the CleanBrowsing DDNS updater or use the API from a cron job to keep your bound IP current. If the IP changes and the binding is not updated, filtering stops working.

Step 2: Network-Wide DNS Deployment

Deploy CleanBrowsing DNS across your network. The goal is to ensure every device uses CleanBrowsing as its DNS resolver — with no exceptions.

Deployment Options

  • Router vs Device Deployment — Router-level is best for most networks. Device-level is needed when the router doesn't support custom DNS.
  • Router Won't Allow DNS Changes — ISP routers (AT&T, Comcast) that lock DNS. Workarounds: IP passthrough, adding your own router, or device-level configuration.
  • Windows DNS Configuration — Setting DNS on Windows 10/11 via Settings UI, PowerShell, or Group Policy (for domain-joined machines).

Encrypted DNS

For organizations that need encrypted DNS queries (required for some compliance frameworks), CleanBrowsing supports both DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT). See What is Encrypted DNS? for configuration details.

Network Segmentation by SSID & VLAN

If your network hosts different types of users — staff and students, employees and guests, a main campus and a temporary program — you can apply different CleanBrowsing filter profiles to each group without touching individual devices. The approach is network segmentation: each audience gets its own SSID, backed by its own VLAN and DHCP scope, which pushes a different set of CleanBrowsing DNS IPs.

How It Works

  1. Create a dedicated SSID for the user group you want to filter differently (for example, a guest or program network with its own PSK).
  2. Back it with its own VLAN. The SSID must be on a separate VLAN — not just a separate wireless name on the same subnet.
  3. Create a separate DHCP scope for that VLAN and set the DNS servers in that scope to the CleanBrowsing IPs assigned to the appropriate profile.
  4. In your CleanBrowsing dashboard, create a profile for that segment, configure the filters you want, and note the DNS IPs assigned to it.

The critical requirement: the SSID alone is not enough. If two SSIDs share the same VLAN and DHCP scope, devices on both get the same DNS assignment regardless of which SSID they joined. The DNS separation only works when each SSID is on its own VLAN with its own DHCP scope.
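
One way to check a segmentation plan for exactly this failure is shown below. It is an added example, not CleanBrowsing tooling: the inventory is constructed, the function names are hypothetical, and the 192.0.2.x, 198.51.100.x and 203.0.113.x addresses are documentation placeholders for the per-profile DNS IPs shown in your dashboard.

```shell
#!/bin/sh
# Audit an SSID/VLAN/DHCP inventory: SSIDs that share a VLAN or DHCP scope
# receive the same DNS servers, so their filter profiles cannot differ.

# Constructed sample inventory (not from a real network).
sample_inventory() {
cat <<'EOF'
# SSID    VLAN  DHCP-scope    DNS-handed-out               DNS-expected-for-profile
Staff     10    10.10.0.0/24  192.0.2.10,192.0.2.11        192.0.2.10,192.0.2.11
Students  20    10.20.0.0/24  198.51.100.20,198.51.100.21  198.51.100.20,198.51.100.21
Camp      20    10.20.0.0/24  198.51.100.20,198.51.100.21  203.0.113.30,203.0.113.31
Guest     40    10.40.0.0/24  8.8.8.8,8.8.4.4              203.0.113.40,203.0.113.41
EOF
}

# Reads inventory rows on stdin, prints one finding per line.
audit_segments() {
  awk '
    /^#/ || NF < 5 { next }            # skip header and malformed rows
    {
      ssid = $1; vlan = $2; scope = $3; dns = $4; want = $5
      if (vlan in vlan_owner) {
        printf "SHARED_VLAN %s %s vlan=%s\n", vlan_owner[vlan], ssid, vlan
      } else {
        vlan_owner[vlan] = ssid
      }
      if (scope in scope_owner) {
        printf "SHARED_SCOPE %s %s scope=%s\n", scope_owner[scope], ssid, scope
      } else {
        scope_owner[scope] = ssid
      }
      # The scope must hand out the DNS IPs of the profile meant for this SSID.
      if (dns != want) {
        printf "DNS_MISMATCH %s got=%s want=%s\n", ssid, dns, want
      }
    }'
}

sample_inventory | audit_segments
```

In the sample, Camp is a separate SSID but rides on the Students VLAN and scope, so it inherits the Students profile; Guest has its own VLAN but its scope still hands out a third-party resolver.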

Common Use Cases

  • College / summer programs: Separate SSID for camp or program attendees (stricter filtering) running alongside the main campus network.
  • K-12 schools: Staff SSID with lighter filters; student SSID with full CIPA-compliant filtering.
  • Business: Corporate SSID with productivity filters; guest WiFi with adult content and malware blocking only.
  • Hospitality / retail: Staff network separate from public customer WiFi.

Step 3: Configure Content Filters

With DNS deployed, configure what content to block. CleanBrowsing offers 23+ predefined categories that can be toggled independently.

Filter Configuration

  • All 23+ Content Filters — Full breakdown of every filter category: adult content, malware, VPNs, gaming, social media, streaming, AI chatbots, and more.
  • Free vs Paid Plans — What's included in each plan tier and when you need to upgrade.
  • Enforce SafeSearch — How CleanBrowsing enforces SafeSearch on Google, Bing, and YouTube. Manual VIP configuration for networks that need it.
  • Create a Whitelist Environment — For labs, kiosks, or testing stations: block everything except a curated list of approved domains.

Recommended Configurations by Environment

| Environment | Recommended Filters | Notes |
| --- | --- | --- |
| K-12 Schools | Adult + VPN + Gaming + Social Media + Essay Mills + AI Chatbots | Meets CIPA requirements |
| Libraries | Adult + Malware + VPN | Balance open access with CIPA compliance |
| Business | Adult + Malware + Streaming + Social Media | Adjust per department using filter profiles |
| Public Wi-Fi | Adult + Malware + VPN + Gambling | Protect guests; use Wi-Fi provider features |

Step 4: Enforce DNS & Prevent Bypass

DNS filtering only works if devices actually use your DNS servers. Users (especially students) will attempt to bypass filters using VPNs, alternative DNS, or browser-level DoH. Lock it down.

Enforcement Steps

  • Lock DNS Settings — Use firewall rules (iptables/nftables) to redirect all DNS traffic (port 53) to CleanBrowsing, regardless of what DNS servers devices request.
  • Disable Browser DoH — Chrome, Firefox, and Edge have built-in DoH that bypasses network DNS. Deploy browser policies via GPO or MDM to disable it.
  • Block VPN Access — Block VPN provider domains via DNS filtering and block common VPN ports (1194, 1723, 500, 4500) at the firewall.
  • Block Tor — Block Tor directory authorities and relay IPs at the firewall. DNS filtering alone cannot block Tor.
  • Complete Bypass Prevention — The full guide: forced DNS redirection, DoH/DoT blocking, VPN blocking, and endpoint controls.
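
The firewall side of these steps, as an added example rather than CleanBrowsing's own configuration: a shell function that emits an nftables ruleset redirecting port 53, dropping third-party DoT, and dropping the VPN ports listed above. The function name, the `br-lan` interface and the resolver address 192.0.2.53 (a documentation placeholder for your assigned DNS IP) are assumptions, and the ruleset covers IPv4 only.

```shell
#!/bin/sh
# Emit an nftables ruleset that forces LAN DNS to one filtered resolver.
# Usage: emit_dns_enforcement LAN_IF RESOLVER_IP
emit_dns_enforcement() {
  lan_if=$1
  resolver=$2
  # Accept only digits and dots, so a hostname or typo is rejected instead
  # of being written into the ruleset.
  case $resolver in
    ''|*[!0-9.]*|.*|*.|*..*) echo "bad resolver IP: $resolver" >&2; return 1 ;;
  esac
  cat <<EOF
table ip dns_enforce {
  chain prerouting {
    type nat hook prerouting priority -100; policy accept;
    # Plain DNS addressed to any other server is rewritten to the resolver.
    iifname "$lan_if" ip daddr != $resolver udp dport 53 dnat to $resolver
    iifname "$lan_if" ip daddr != $resolver tcp dport 53 dnat to $resolver
  }
  chain forward {
    type filter hook forward priority 0; policy accept;
    # DoT to third-party resolvers would sidestep the redirect above.
    iifname "$lan_if" ip daddr != $resolver tcp dport 853 drop
    # VPN ports from the guide: OpenVPN 1194, PPTP 1723, IKE 500, NAT-T 4500.
    iifname "$lan_if" udp dport { 1194, 500, 4500 } drop
    iifname "$lan_if" tcp dport { 1194, 1723 } drop
  }
}
EOF
}

# Print the ruleset; validate with "nft -c -f -" before loading with "nft -f -".
emit_dns_enforcement "${1:-br-lan}" "${2:-192.0.2.53}"
```

IPv6 clients need an equivalent `ip6` table or they bypass the redirect entirely. UDP 500 and 4500 also carry Wi-Fi calling and site-to-site IPsec, so scope those drops to the segments where VPN use is actually prohibited.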

Step 5: Troubleshoot Common Issues

After deployment, verify that filtering is working and address any conflicts.

Verification & Troubleshooting

  • Verify DNS Configuration — Run DNS leak tests and nslookup checks to confirm CleanBrowsing is active on each network segment.
  • Services That Conflict with DNS Filtering — Comcast xFi, Avast Real Site, AT&T routers, Eero Secure, and T-Mobile Home Internet all interfere with custom DNS. Workaround for each.
  • Understanding DNS TTL — Filter changes take effect within minutes on CleanBrowsing's side, but cached DNS records on devices may persist until the TTL expires. Flush DNS caches on devices for immediate effect.
  • Why DNS Can't Identify Devices — DNS resolvers see your network's public IP, not individual devices. For per-device reporting, deploy CleanBrowsing agents or use VLAN segmentation.

Step 6: Multi-Site & MSP Management

For organizations managing multiple locations or MSPs managing multiple clients, CleanBrowsing offers a multi-tenant management platform.

MSP Fleet Deployment

  • Deploy Windows App via Intune — Push the CleanBrowsing Windows client silently to managed Windows devices using Microsoft Intune or any RMM tool. Pre-configure the DNS filter, PIN lock, uninstall protection, and browser hardening from a single deployment command.

Multi-Site & Partner Features

  • MSP & Partner Dashboard — Manage multiple customer accounts from a single dashboard. Centralize billing, create independent filter profiles per client, and monitor usage across all accounts.
  • How Categorify Works — Understand the ML-powered engine behind CleanBrowsing's domain categorization. Useful for evaluating filtering accuracy and understanding why specific domains are categorized the way they are.
  • Is CleanBrowsing Effective? — Independent testing results and filtering accuracy data. Useful for procurement justification and vendor evaluation.
