Why DNS Filtering Can't Block Direct IP Address Access

Understanding the Boundary Between DNS Filtering and Firewalls

DNS filtering is excellent at blocking domains — but it cannot block connections made directly to IP addresses. Understanding why requires knowing where DNS fits in the connection process, and what happens when DNS is bypassed entirely.

Step 1: How DNS Resolution Works

DNS is often described as the phonebook of the internet. When you type a domain name like example.com into your browser, your device does not immediately know how to reach that website. It needs to find the IP address of the server hosting example.com — and that is where DNS comes in.

Your device sends a DNS query to a DNS resolver asking: "What is the IP address for example.com?" The resolver looks up the answer — either from its cache or by querying authoritative DNS servers — and returns the IP address (e.g., 93.184.216.34). Your browser then connects to that IP address to load the website.

The critical point is that DNS is only involved in the translation step. It converts a domain name into an IP address. Once that translation is complete, DNS has done its job. The actual connection between your browser and the web server happens independently of DNS — your browser connects directly to the IP address using TCP/IP.

DNS filtering works by intercepting this translation step. When you use a filtering DNS resolver like CleanBrowsing, the resolver checks the requested domain against its categorization database before returning the IP address. If the domain is blocked, the resolver returns a block page IP instead of the real server's IP. If the domain is allowed, the real IP is returned and browsing proceeds normally.

Step 2: Why IP Connections Bypass DNS

When a user or application connects directly to an IP address — for example, by typing http://93.184.216.34 into the browser's address bar — no DNS lookup is needed. The browser already has the IP address, so it skips the DNS resolution step entirely and connects directly to the server.

Because the DNS resolver is never consulted, it has no opportunity to evaluate the request, check it against filtering rules, or return a block page. From the DNS resolver's perspective, the connection never happened. The traffic flows directly from the browser to the destination IP address, bypassing the DNS layer completely.

This is not a flaw in DNS filtering — it is a fundamental characteristic of how internet addressing works. DNS is a name resolution service, not a traffic inspection service. It only comes into play when a domain name needs to be translated. Direct IP connections do not involve domain names, so DNS is inherently excluded from the process.

Several scenarios commonly exploit this behavior:

  • Malware and botnets: Many types of malware connect to command-and-control servers using hardcoded IP addresses rather than domain names, specifically to avoid DNS-based detection and blocking.
  • Advanced users: Technically savvy users can look up a blocked domain's IP address using external tools and then access it directly, bypassing DNS filtering entirely.
  • Applications with embedded IPs: Some applications and services connect to backend servers using IP addresses rather than domain names, making their traffic invisible to DNS filtering.
  • VPN and proxy services: VPN clients often connect to their servers using IP addresses, allowing them to tunnel all traffic outside the filtered network.

Step 3: DNS vs Firewall

DNS filtering and firewalls serve different purposes and operate at different layers of the network. Understanding their respective capabilities helps you build a comprehensive security strategy.

Capability                   DNS Filtering   Firewall
Block domains by category    Yes             Limited
Block specific domains       Yes             Yes
Block IP addresses           No              Yes
Block IP ranges              No              Yes
Inspect traffic content      No              Yes (NGFW)
Deployment complexity        Low             Higher

DNS filtering excels at category-based domain blocking with minimal deployment effort. It requires no hardware, no software installation, and can be deployed in minutes by changing a DNS setting on your router. It protects every device on the network and supports encrypted DNS protocols for privacy.

Firewalls excel at IP-level control, traffic inspection, and protocol-level filtering. A firewall can block specific IP addresses, entire IP ranges, and specific network ports. Next-generation firewalls (NGFWs) can also inspect traffic content, identify applications, and apply deep packet inspection (DPI) rules.

The two tools are complementary, not competitive. DNS filtering handles the domain-level protection that firewalls struggle with (category-based blocking, threat intelligence feeds, SafeSearch enforcement), while firewalls handle the IP-level and traffic-level protection that DNS cannot provide.

Step 4: What You Can Do Instead

To block connections made directly to IP addresses, you need to implement firewall rules at the network or device level. Here are the most common approaches:

  • Router Firewall Rules: Most modern routers include a built-in firewall that can block outbound connections to specific IP addresses or IP ranges. This is the most effective approach for home and small business networks. Configure rules to block known malicious IP ranges or restrict outbound connections to approved destinations.
  • Local Device Firewalls: Operating systems include built-in firewalls that can block IP-based connections at the device level. Windows Defender Firewall, macOS pf (packet filter), and Linux iptables/nftables all support IP-based blocking rules. These are useful for locking down individual devices, especially laptops that travel between networks.
  • Enterprise Network Firewalls: For organizations, dedicated network firewalls such as pfSense, or appliances from vendors like Fortinet, Palo Alto, or Cisco, provide advanced IP blocking, traffic inspection, and threat prevention. These sit between your network and the internet and can enforce comprehensive security policies.
  • DNS + Firewall Together: The most effective strategy combines both layers. Use DNS filtering to block domains by category and enforce SafeSearch, and use firewall rules to block known malicious IPs, restrict unauthorized protocols, and prevent direct IP-based bypasses. This layered approach covers the gaps that either tool has individually.
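The following simulation ties Steps 1, 2 and 4 together. It is an added example written for this article, not CleanBrowsing code: a toy filtering resolver that answers domain lookups from a category database, a toy egress firewall that evaluates destination IPs against CIDR rules, and a connect() routine that, like a browser, only consults the resolver when the URL carries a hostname rather than an IP literal. The zone data, category labels, block-page address and "known-bad" range are constructed for the demo (only 93.184.216.34 comes from the article); the rule semantics (ordered rules, first match wins, default allow) mimic a typical home router firewall.

```python
"""Simulated DNS filter + egress firewall (constructed example, not CleanBrowsing code)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed zone data and category labels. 93.184.216.34 is the example.com
# address quoted in the article; 198.51.100.7 is a made-up documentation address.
ZONE = {
    "example.com": "93.184.216.34",
    "casino.example": "198.51.100.7",
}
CATEGORY_DB = {"example.com": "reference", "casino.example": "gambling"}
BLOCKED_CATEGORIES = {"gambling"}
BLOCK_PAGE_IP = "203.0.113.1"   # constructed: where the filtering resolver sends blocked lookups


class FilteringResolver:
    """Step 1: the resolver only sees the name-to-IP translation step."""

    def __init__(self):
        self.queries = []   # audit log of every name the resolver was asked about

    def resolve(self, name):
        self.queries.append(name)
        if CATEGORY_DB.get(name) in BLOCKED_CATEGORIES:
            return BLOCK_PAGE_IP          # blocked domain: hand back the block page
        return ZONE[name]                 # allowed domain: hand back the real address


# Step 4: egress firewall rules evaluated on the destination IP, ordered, first match wins.
FIREWALL_RULES = [
    ("198.51.100.0/24", "drop"),   # constructed "known-bad" range containing casino.example
]
DEFAULT_ACTION = "allow"


def firewall_action(ip):
    """Return the action the firewall takes for a destination IP (v4 or v6)."""
    addr = ipaddress.ip_address(ip)
    for cidr, action in FIREWALL_RULES:
        if addr in ipaddress.ip_network(cidr, strict=False):
            return action
    return DEFAULT_ACTION


def connect(url, resolver, firewall=True):
    """Model what a browser does with a URL: resolve only if the host is a name."""
    host = urlsplit(url).hostname          # brackets around IPv6 literals are stripped
    try:
        ipaddress.ip_address(host)         # Step 2: an IP literal needs no DNS lookup
        ip, dns_consulted = host, False
    except ValueError:
        ip, dns_consulted = resolver.resolve(host), True
    if dns_consulted and ip == BLOCK_PAGE_IP:
        outcome = "blocked_by_dns"
    elif firewall and firewall_action(ip) == "drop":
        outcome = "blocked_by_firewall"
    else:
        outcome = "connected"
    return {"ip": ip, "dns_consulted": dns_consulted, "outcome": outcome}


def demo():
    """Run the four cases the article describes and return their outcomes."""
    r = FilteringResolver()
    return {
        "blocked domain via DNS":       connect("http://casino.example/", r)["outcome"],
        "same server by IP, DNS only":  connect("http://198.51.100.7/", r, firewall=False)["outcome"],
        "same server by IP, with FW":   connect("http://198.51.100.7/", r)["outcome"],
        "allowed domain":               connect("http://example.com/", r)["outcome"],
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:30} -> {outcome}")
```

The second case is the bypass from Step 2: the resolver's query log never records the direct-IP request, so a DNS-only deployment connects. The third case shows the firewall layer from Step 4 closing that gap because it evaluates the destination address regardless of how it was obtained. The model deliberately ignores TLS, ports and application-layer inspection; an NGFW would make decisions on those as well.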

For home users, combining CleanBrowsing DNS filtering with basic router firewall rules provides strong protection against the most common threats. For schools and businesses, adding a dedicated firewall appliance alongside DNS filtering creates a comprehensive security posture that addresses both domain-level and IP-level threats.

Remember that no single tool provides complete protection. The goal is to layer multiple complementary tools so that each one covers the gaps of the others. DNS filtering is the simplest and most impactful first step, and firewall rules provide the next layer of defense.

DNS filtering + firewall rules = comprehensive protection.
