What is CGNAT (Carrier-Grade NAT)?

How Shared Public IPs Impact DNS Filtering and Network Services

Carrier-Grade NAT (CGNAT) is a technique used by ISPs and mobile carriers to share a single public IP address across multiple customers. This creates challenges for DNS filtering, port forwarding, and IP-based services. Learn how it works and what you can do.


Step 1: What is CGNAT?

CGNAT (Carrier-Grade NAT) is a network address translation technique where ISPs assign a single public IP address to many customers simultaneously. Instead of each household receiving its own unique public IP, dozens or even hundreds of users share one.

This practice is common among mobile carriers like T-Mobile, and increasingly among traditional ISPs dealing with IPv4 address exhaustion. With only ~4.3 billion IPv4 addresses available globally, CGNAT allows providers to serve more customers without running out of addresses.

You can tell if you're behind CGNAT by comparing your router's WAN IP address with your public IP at dnsleaktest.com. If they don't match, you're likely behind CGNAT. Another indicator is a WAN IP in the 100.64.0.0/10 range, which is reserved specifically for CGNAT.
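The two checks above (the WAN address range and the WAN/public mismatch) can be combined into a small classifier. This is an added example, not code from CleanBrowsing or from the original page; it assumes you already have the router's WAN address and the address reported by an external lookup such as dnsleaktest.com, and the sample addresses in the demo are constructed.

```python
import ipaddress

# RFC 6598 shared address space; the text notes 100.64.0.0/10 is reserved for CGNAT
CGNAT_RANGE = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 ranges: a WAN address here means a second router/modem is doing NAT, not the ISP
RFC1918_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan_ip(wan_ip: str) -> str:
    """Return 'cgnat', 'rfc1918', 'ipv6', 'public' or 'other' for a router's WAN address."""
    addr = ipaddress.ip_address(wan_ip)
    if addr.version == 6:
        return "ipv6"                      # no NAT involved; the host has its own global address
    if addr in CGNAT_RANGE:
        return "cgnat"
    if any(addr in net for net in RFC1918_RANGES):
        return "rfc1918"
    if addr.is_loopback or addr.is_link_local:
        return "other"
    return "public"


def detect_cgnat(wan_ip: str, observed_public_ip: str) -> dict:
    """Combine the WAN-range check with the WAN/observed comparison from the text."""
    wan_addr = ipaddress.ip_address(wan_ip)
    seen_addr = ipaddress.ip_address(observed_public_ip)
    wan_class = classify_wan_ip(wan_ip)

    if wan_class == "cgnat":
        verdict, reason = "cgnat", "WAN address is inside the 100.64.0.0/10 shared address space"
    elif wan_class == "rfc1918":
        verdict, reason = "double-nat", "WAN address is RFC 1918; another device upstream is doing NAT"
    elif wan_addr.version != seen_addr.version:
        verdict, reason = "inconclusive", "WAN and observed addresses are different IP versions"
    elif wan_addr != seen_addr:
        verdict, reason = "likely-cgnat", "WAN address differs from the address seen by the internet"
    else:
        verdict, reason = "direct", "WAN address matches the address seen by the internet"

    return {
        "verdict": verdict,
        "reason": reason,
        # IP-based account matching only works when the public address is yours alone
        "ip_auth_reliable": verdict == "direct",
    }


if __name__ == "__main__":
    # Constructed sample: router WAN in CGNAT space, lookup site reports a different address
    print(detect_cgnat("100.72.3.4", "203.0.113.9"))
    # Constructed sample: addresses agree, so IP-based filtering can identify this network
    print(detect_cgnat("203.0.113.9", "203.0.113.9"))
```

A `cgnat` or `likely-cgnat` verdict means a service that keys on your public IP (Step 2) cannot reliably tell your traffic apart from your neighbours'; a `double-nat` verdict means you still need to check the upstream modem's WAN address before drawing a conclusion.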

Step 2: How CGNAT Affects DNS Filtering

DNS filtering services that use IP-based authentication — like CleanBrowsing's paid plans — identify your network by its public IP address. With CGNAT, multiple unrelated customers share the same public IP, which causes several issues:

  • Inconsistent filtering: The service may not reliably match your network to your account since the IP is shared
  • Cross-user conflicts: Filtering rules could potentially affect the wrong users who share the same IP
  • Status instability: Your account may switch between "active" and "inactive" as the shared IP rotates among users

Important: CleanBrowsing's free DNS filters and encrypted DNS (DoH/DoT) connections are not affected by CGNAT. These methods don't rely on public IP identification to apply filtering rules.

Step 3: Other CGNAT Impacts

Beyond DNS filtering, CGNAT creates challenges across several areas:

  • Port forwarding: You cannot forward ports to host game servers, web servers, security cameras, or other services that need incoming connections
  • Remote access: Connecting to your home network remotely (SSH, VPN, RDP) becomes impossible without workarounds
  • Gaming and P2P: Some multiplayer games and peer-to-peer applications experience connectivity issues or increased latency
  • IP reputation: If another user on your shared IP engages in abuse, your IP reputation suffers — potentially causing CAPTCHAs, rate limiting, or blocks on websites
  • DoH blocking: Some carriers like T-Mobile actively block DNS-over-HTTPS traffic, affecting apps and services that rely on DoH. DNS-over-TLS (DoT) typically remains unaffected

Step 4: Workarounds for CGNAT

If you're behind CGNAT, several options can help maintain reliable DNS filtering:

  • Use encrypted DNS (DoH/DoT): DNS-over-HTTPS and DNS-over-TLS identify your account through encrypted DNS stamps rather than public IP, making CGNAT irrelevant
  • Use CleanBrowsing apps: Our iOS and Android apps use private DNS configurations that don't depend on IP-based authentication
  • Request a static IP: Contact your ISP about a dedicated static IP address. This may cost an additional monthly fee but eliminates CGNAT issues entirely
  • Use IPv6: If your ISP supports IPv6, each device receives a globally unique address, so no address sharing or NAT is needed. CleanBrowsing supports IPv6 filtering
  • Dynamic DNS updaters: For paid plans, use CleanBrowsing's Dynamic Device links or services like No-IP and DynDNS to automatically update your IP when it changes

For most home users behind CGNAT, the simplest solution is to use CleanBrowsing's free filters or configure encrypted DNS — both work perfectly regardless of your IP situation.
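The dynamic DNS updater option above is worth pairing with the "status instability" problem from Step 2: if the address a poller sees keeps changing, pushing updates will not make IP-based authentication reliable, and that is the signal to move to encrypted DNS instead. The following is an added example, not CleanBrowsing's or any DDNS provider's client. The update URL is a placeholder you would replace with the link from your own provider or account, the public-IP lookup and the HTTP push are injected as callables so the logic runs offline, and the address sequence in the demo is constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Placeholder endpoint (assumption): substitute the update link your DDNS provider or
# CleanBrowsing account gives you. The ".invalid" TLD never resolves.
UPDATE_URL = "https://ddns.example.invalid/update?ip={ip}"
FLAP_THRESHOLD = 3   # address changes within the window that we treat as a shared/rotating IP
FLAP_WINDOW = 10     # number of recent polling cycles considered


@dataclass
class UpdaterState:
    last_ip: Optional[str] = None
    changes: List[int] = field(default_factory=list)   # cycle numbers at which the address changed
    cycle: int = 0


def poll_once(state: UpdaterState,
              fetch_public_ip: Callable[[], str],
              push_update: Callable[[str], None]) -> str:
    """Run one polling cycle and return the action taken.

    Returns 'error', 'unchanged', 'updated' or 'unstable'. 'unstable' means the public
    address changed FLAP_THRESHOLD times within FLAP_WINDOW cycles, which is what a
    shared, rotating CGNAT address looks like from outside; no update is pushed in that case.
    """
    state.cycle += 1
    try:
        # Validate before anything reaches the provider; a lookup returning garbage must not be pushed
        current = str(ipaddress.ip_address(fetch_public_ip().strip()))
    except (OSError, ValueError):
        return "error"                      # transient failure: leave the provider record alone

    if current == state.last_ip:
        return "unchanged"

    is_initial = state.last_ip is None
    state.last_ip = current
    if not is_initial:
        state.changes = [c for c in state.changes if state.cycle - c < FLAP_WINDOW]
        state.changes.append(state.cycle)
        if len(state.changes) >= FLAP_THRESHOLD:
            return "unstable"               # caller should fall back to DoH/DoT rather than keep updating

    push_update(UPDATE_URL.format(ip=current))
    return "updated"


def run_cycles(addresses: List[str]) -> List[str]:
    """Drive poll_once over a scripted sequence of lookup results (used by the demo and tests)."""
    state = UpdaterState()
    pushed: List[str] = []
    lookups = iter(addresses)
    return [poll_once(state, lambda: next(lookups), pushed.append) for _ in addresses]


if __name__ == "__main__":
    # Constructed sequence: stable at first, then the address starts rotating between users
    print(run_cycles(["203.0.113.10", "203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"]))
```

In a real deployment `fetch_public_ip` would call an external lookup and `push_update` would make the HTTP request to the provider, with the poller run from cron or a systemd timer; the threshold and window are tuning knobs, and a household with a genuinely dynamic but unshared address will normally change far less often than three times in ten polls.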
