Troubleshooting DNS Blocking on Embedded Devices

Step 1: Check the CleanBrowsing Activity Log

This is always the right starting point. The activity log tells you two critical things at once: whether CleanBrowsing is seeing the device's DNS queries at all, and whether any of those queries are being blocked. The answer determines everything else.

How to Check

1. Log in to your dashboard at my.cleanbrowsing.org.
2. Go to Activity Monitoring and filter by the IP address of the problem device.
3. Reproduce the issue — trigger the connection or action that is failing on the device.
4. Refresh the log and look for activity from that IP.

What the Log Tells You

• Queries appear and one is blocked (NXDOMAIN): CleanBrowsing is seeing the device. A specific domain is being blocked — add it to your custom allow list under the relevant profile. You can stop here.
• Queries appear but nothing is blocked: CleanBrowsing is seeing the device but DNS is not the problem. The issue may be at the application layer, firewall, or port level.
• No queries at all from that IP: The device's DNS is not routing through CleanBrowsing. This is a network-level routing problem. Proceed to Step 2.

Step 2: Check DHCP / Router DNS Assignment

If the activity log shows no queries from the device, it is resolving DNS through a different server — not CleanBrowsing. Since you cannot check the device's network settings directly, the next place to look is your DHCP server or router.

Log in to your router or DHCP server and find the lease entry for the device's MAC address. Check what DNS servers are being assigned to it. If the device was added to the network later than others, it may have been placed on a different VLAN, subnet, or DHCP scope that does not have CleanBrowsing configured as the DNS resolver.

Compare the DHCP configuration for the working devices against the problem device. The DNS server pushed by DHCP should be identical. If it is not, update the scope or VLAN configuration so that CleanBrowsing is assigned to that device.

Common reasons a device gets different DNS via DHCP:

• Different VLAN or subnet: The device landed on a network segment with a separate DHCP scope that does not include CleanBrowsing DNS.
• Multiple DHCP servers: A secondary DHCP server on the network is answering first and pushing different DNS settings.
• Static IP configured on the device: The device is not using DHCP at all and has hardcoded DNS settings. Check the device's web interface (Step 3).

Step 3: Check the Device's Web Interface

Most embedded devices — IP phones, smart TVs, printers, access points — have a browser-accessible admin interface. This lets you view (and sometimes change) the device's network configuration, including DNS, without needing physical access or a terminal.

How to Access It

1. Find the device's IP address — usually visible in the device's on-screen settings menu, or in your DHCP lease table.
2. Open a browser on a computer on the same network and navigate to http://<device-ip>.
3. Log in using the device's admin credentials. Check your provisioning system or the manufacturer's documentation for defaults.
4. Find the network or DNS settings and confirm what DNS servers are configured.

CleanBrowsing's DNS resolver IPs are 185.228.168.x and 185.228.169.x. If the device shows different IPs, that is the root cause — the fix is at the DHCP or device provisioning level.

Note: some devices do not have a web interface, or may have DNS hardcoded via a provisioning server rather than DHCP. In that case, the fix needs to happen at the provisioning system level, not on the device itself.

Step 4: Network-Level Packet Capture

If the steps above have not identified the issue, a packet capture is the next tool. You run it from a computer on the same network segment as the device, filtering traffic by the device's IP address. This shows you every DNS query the device makes and every response it receives — without touching the device at all.

Mac / Linux — tcpdump

Replace <device-ip> with the actual IP address of the problem device:

To save the output to a file for later review:

Windows — netsh trace

Open Command Prompt as Administrator:

With Wireshark

If you have Wireshark available, run a capture and use this display filter to isolate the device's DNS traffic:

What to Look For

• NXDOMAIN responses: A domain is being blocked by CleanBrowsing. Add it to your allow list.
• No DNS queries from the device: The device may have DNS hardcoded and is bypassing DHCP entirely. Fix it at the provisioning level.
• Queries going to an unexpected IP: The device is bypassing CleanBrowsing. Correct the DHCP or VLAN configuration for that segment.
• DNS resolves correctly but connection still fails: DNS is not the issue — the problem is at the application, port, or firewall level.

VOIP-Specific Notes

VOIP phones use SIP (Session Initiation Protocol) to register with their cloud server and set up calls. SIP runs on port 5060. If a VOIP phone is connecting but calls are failing, or the phone cannot register, there is an additional layer to capture beyond DNS.

Capture DNS and SIP Together

On Mac / Linux, include port 5060 alongside DNS:

In Wireshark, add SIP to the display filter:

How to Read the Results

• DNS resolves but SIP registration fails: The VOIP server domain is resolving correctly but something is blocking the SIP connection at the network or firewall level — DNS is not the issue.
• DNS query for the VOIP server returns NXDOMAIN: CleanBrowsing is blocking the domain the phone uses to reach its cloud server. Add that domain to your allow list.
• No DNS query for the VOIP server at all: The phone may have the server IP hardcoded and is not using DNS — or its DNS is not routing through CleanBrowsing at all. Go back to Step 2.

If you are unsure how to interpret the capture output, share it with your support team along with the phone's IP address and the exact time the failure occurred.