Services That Conflict with DNS Filtering (And How to Fix Them)

Step 1: Comcast Xfinity "Protected Browsing"

Comcast's xFi Advanced Security feature hijacks DNS queries and routes them through Comcast's own resolvers, regardless of what DNS servers you have configured. This means even if you set CleanBrowsing DNS on your router, Comcast silently overrides it.

How to Identify This Issue

Run a DNS verification test. If you see Comcast/Xfinity DNS servers instead of CleanBrowsing IPs (185.228.168.x), xFi Advanced Security is intercepting your DNS.

Workaround

• Option 1: Disable xFi Advanced Security in the Xfinity app (Account → Internet → Advanced Security → Turn Off).
• Option 2: Use device-level DNS configuration instead of router-level. Configure CleanBrowsing DNS directly on each device's network settings.
• Option 3: Use DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) on your devices, which encrypts DNS queries and prevents Comcast from intercepting them.

Step 2: Avast "Real Site" Feature

Avast antivirus (and AVG, which uses the same engine) includes a "Real Site" feature that intercepts all DNS queries through its own DNS proxy. This is designed to protect against phishing by verifying DNS responses, but it completely overrides any custom DNS configuration including CleanBrowsing.

How to Identify This Issue

If CleanBrowsing works on devices without Avast but not on devices with Avast installed, the Real Site feature is likely the cause.

Workaround

Disable Real Site in Avast settings:

• Step 1: Open Avast and go to Menu → Settings.
• Step 2: Navigate to Protection → Core Shields.
• Step 3: Find Real Site and toggle it off.

Note: Disabling Real Site does not significantly reduce your security if you are already using CleanBrowsing's Security or Family filter, which blocks phishing domains at the DNS level.

Step 3: AT&T Routers

Many AT&T gateway routers (especially the BGW210, BGW320, and Pace 5268AC) do not allow custom DNS settings, or they silently override DNS changes you make in the router admin panel. AT&T routes DNS through their own resolvers as part of their network management.

Workaround

• IP Passthrough Mode: If available on your AT&T gateway, enable IP Passthrough mode. This passes the public IP directly to a device behind it (like your own router), giving you full control over DNS.
• Add Your Own Router: Place your own router behind the AT&T gateway. Configure CleanBrowsing DNS on your router, which handles DNS for all devices on your network. See our router workaround guide.
• Device-Level DNS: Configure DNS on individual devices instead of the router. This bypasses the AT&T gateway's DNS interception for those devices.

Step 4: Eero Secure

Amazon's Eero mesh routers offer an optional "Eero Secure" (formerly Eero Secure+) subscription that includes content filtering and ad blocking. When active, Eero Secure tunnels all DNS traffic through Eero's own filtering infrastructure, completely overriding any custom DNS settings.

Workaround

• Cancel Eero Secure: Remove the Eero Secure subscription to regain control over DNS settings. Without the subscription active, you can set custom DNS in the Eero app (Network Settings → DNS).
• Device-Level DNS: As an alternative, configure DNS directly on each device. This bypasses the Eero router's DNS settings entirely.

Note: Eero Secure and CleanBrowsing cannot coexist. You must choose one or the other for DNS-based filtering. CleanBrowsing offers significantly more granular filtering categories and customization than Eero Secure.

Step 5: T-Mobile Home Internet

T-Mobile Home Internet presents a unique challenge: it blocks DNS-over-HTTPS (DoH) connections on their network. Standard DNS (port 53) works normally, and DNS-over-TLS (DoT) also works as an alternative.

Workaround

• Use Standard DNS: Configure CleanBrowsing's standard DNS IPs (e.g., 185.228.168.168 / 185.228.169.168) on your devices or router. Standard DNS works without issues on T-Mobile.
• Use DNS-over-TLS (DoT): If you need encrypted DNS, use CleanBrowsing's DoT endpoint: cleanbrowsing.org on port 853. DoT is not blocked by T-Mobile.
• Avoid DoH: Do not configure DNS-over-HTTPS on T-Mobile Home Internet, as these connections will be blocked or timeout.

T-Mobile also uses CGNAT (Carrier-Grade NAT), which means you share a public IP with other T-Mobile customers. This can affect IP-based DNS filtering. Use CleanBrowsing's DNS profiles with DoT authentication instead of IP-based binding.