What is NAT?

• Outbound translation: When a device sends traffic to the internet, the router replaces the private source IP with the public IP and records the mapping
• Inbound translation: When a response comes back, the router uses its mapping table to forward the traffic to the correct internal device
• Port tracking: NAT uses port numbers to distinguish between connections from different internal devices sharing the same public IP
• Transparent operation: Devices on the network don't need to know about NAT — it operates automatically at the router level

NAT is transparent to DNS filtering. When your devices send DNS queries to CleanBrowsing, those queries arrive from your public IP — regardless of which internal device originated them.

This means all devices behind NAT share the same filter profile when using network-level DNS filtering. To apply different filtering rules to different devices, you can use device-level deployment with encrypted DNS (DoH/DoT) and different profile credentials per device.

Carrier-Grade NAT (CGNAT) takes NAT a step further — ISPs apply NAT at their level, meaning multiple customers share a single public IP. This creates challenges for DNS filtering because CleanBrowsing can't distinguish between different households sharing the same public IP.

Solutions for CGNAT environments include using encrypted DNS with per-device credentials or deploying via MDM solutions like Intune or Mosyle.

IPv6 eliminates the need for NAT entirely by providing enough addresses for every device. On the authoritative DNS side, NOC.org supports both IPv4 and IPv6 DNS records.