Router Won't Allow DNS Changes? Here's How to Fix It

How to Work Around ISP-Locked Router Settings

Many ISP-provided routers lock DNS settings, preventing you from configuring DNS-based content filtering. This guide explains why ISPs do this and walks you through practical solutions — including adding your own router — to regain full control over your network's DNS.

Step 1: Why ISPs Lock DNS Settings

Some Internet Service Providers — notably AT&T, Comcast/Xfinity, Spectrum, and others — restrict or entirely remove DNS configuration options from the routers they provide to customers. The DNS settings in the router's admin panel may be grayed out, hidden, or simply absent. This is a deliberate choice by the ISP, and understanding why they do it helps you understand the workarounds available to you.

Controlling DNS gives the ISP visibility into every domain that every device on your network requests. This data is commercially valuable. ISPs can use DNS query logs for analytics, targeted advertising, and to build browsing profiles of their customers. Some ISPs also practice DNS hijacking — when you mistype a domain name or visit a domain that does not exist, instead of returning an error, the ISP redirects you to a search page filled with advertisements. This generates revenue for the ISP, but only works if the ISP controls your DNS.

Not all ISPs lock DNS settings, and policies can vary by region and plan. Some ISPs provide a "gateway" device that combines a modem and router in a single unit, and these gateways are especially likely to have restricted settings. If you are unsure whether your router's DNS is locked, the next step will help you test it.

Step 2: Test Your Network

Before assuming your DNS is locked, take a moment to verify what is actually happening. There is a difference between a router that does not allow you to change its DNS settings and an ISP that intercepts all DNS traffic regardless of your settings. The first situation is more common and easier to work around; the second is rarer but more restrictive.

Open a terminal (Command Prompt on Windows, Terminal on macOS or Linux) and run the following command:

nslookup badexample.com 185.228.168.168

This command sends a DNS query directly to CleanBrowsing's server, bypassing your router's DNS configuration entirely. If you get a valid response from CleanBrowsing's server (185.228.168.168), your network allows outbound DNS queries to third-party servers. This means that although you cannot change the router's default DNS, you can still configure DNS on individual devices or add your own router to the network.

If the query times out or is blocked, your ISP may be intercepting all DNS traffic on port 53 and forcing it through their own resolvers. This is less common but does occur. In this case, you may need to use encrypted DNS (DNS-over-HTTPS or DNS-over-TLS) to reach CleanBrowsing, as encrypted DNS traffic cannot be intercepted by the ISP in the same way.
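
The Step 2 test as a script, added here as an illustration (not CleanBrowsing's own code): it sends the same query straight to 185.228.168.168 over UDP port 53 and reports whether a reply came back or the query went unanswered. The function names are assumptions of this example, and it uses only the Python standard library.

```python
import secrets
import socket
import struct

RESOLVER = "185.228.168.168"   # CleanBrowsing address given on this page
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

# build_query, classify and probe are hypothetical helper names for this example.
def build_query(name, txid):
    """Encode a minimal DNS query for the A record of `name` (RFC 1035)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify(reply, txid):
    """Classify a raw reply; None means nothing came back before the timeout."""
    if reply is None:
        return "no-reply: port 53 to this resolver is blocked or dropped"
    if len(reply) < 12:
        return "malformed: reply shorter than a DNS header"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if rid != txid or not flags & 0x8000:   # wrong ID or QR bit not set
        return "malformed: not a response to our query"
    rcode = RCODES.get(flags & 0x000F, str(flags & 0x000F))
    return f"reply: rcode={rcode} answers={ancount}"

def probe(name="badexample.com", resolver=RESOLVER, timeout=3.0):
    """Send the query over UDP/53 directly to `resolver`, like the nslookup test."""
    txid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, txid), (resolver, 53))
            reply, _ = s.recvfrom(512)
        except OSError:   # timeout, unreachable network, or filtered
            reply = None
    return classify(reply, txid)

if __name__ == "__main__":
    print(probe())
```

A reply shows only that something answered on port 53; a network that transparently intercepts DNS can answer in place of the server you addressed, so a reply alone does not identify who produced it.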

Step 3: Add Your Own Router

The most reliable solution to an ISP-locked router is to purchase your own third-party router and connect it behind the ISP's router. This creates a new subnet — a network within a network — that you fully control. Your devices connect to the new router, and you configure DNS, firewall rules, and everything else on hardware that you own and administer.

The setup process is straightforward:

  • Connect the hardware: Plug an Ethernet cable from the ISP router's LAN port into the new router's WAN (Internet) port. The ISP router provides internet access; your new router manages your local network.
  • Configure DNS on the new router: Log into the new router's admin panel and set the DNS servers to CleanBrowsing: primary 185.228.168.168, secondary 185.228.169.168.
  • Connect your devices to the new router: Connect all your devices to the new router's WiFi network instead of the ISP router's network. Disable the ISP router's WiFi if possible, or at minimum do not give the ISP router's WiFi password to users who should be filtered.
  • Optional — match SSID and password: To minimize reconfiguration, set the new router's WiFi network name (SSID) and password to match the ISP router's settings. Your devices will connect automatically. Make sure to disable WiFi on the ISP router first to avoid conflicts.

Recommended routers for this purpose include models from Netgear, Linksys, TP-Link, and Ubiquiti. Mesh WiFi systems like Google Wifi, Eero, and TP-Link Deco also work well and provide whole-home coverage. The key requirement is that the router allows you to set custom DNS servers — most third-party routers do.

Once your new router is in place, you can also implement DNS locking with firewall rules to prevent users from changing DNS on their individual devices, giving you complete control over DNS resolution on your network.

Step 4: Alternative: Configure Devices Directly

If purchasing a new router is not practical — due to budget, rental restrictions, or other constraints — you can configure DNS settings on each device individually. This bypasses the router's DNS configuration entirely, because most operating systems allow you to specify DNS servers at the device level, overriding whatever the router provides via DHCP.

Device-level DNS configuration is supported on all major platforms:

  • Windows: Network adapter settings in Control Panel or Settings app. Set DNS to CleanBrowsing's IPs manually.
  • macOS: System Settings (or System Preferences) > Network > Advanced > DNS. Add CleanBrowsing's DNS servers.
  • iOS: Settings > WiFi > tap the network name > Configure DNS > Manual. Enter CleanBrowsing's IPs.
  • Android: Settings > Network > Private DNS (Android 9+). Set to CleanBrowsing's DNS-over-TLS hostname, or configure per-network DNS in WiFi settings.
  • Chromebook: Settings > Network > WiFi > Network details > Name servers > Custom. Enter CleanBrowsing's IPs.

The trade-off with device-level configuration is twofold. First, you need to configure each device separately, which is time-consuming if you have many devices. Second, the DNS settings can be changed back by any user with admin or device-owner access. A child who knows how to change DNS settings can undo your configuration just as easily as you set it up.

For a more permanent solution, combine device-level DNS with the techniques described in our guide on locking DNS settings. On managed devices (school Chromebooks, company laptops), you can use device management policies to enforce DNS settings that users cannot change. For personal devices, consider the router-based approach described in Step 3 as the more robust long-term solution.
