CleanBrowsing Windows Desktop App

What the App Does

The CleanBrowsing Desktop App automatically configures DNS filtering on all your network interfaces. Instead of manually changing DNS settings through the command prompt or Windows Settings, the app handles everything with a single click.

When you enable a filter, the app:

• Sets your DNS servers to CleanBrowsing's filtered resolvers
• Installs a local DNS proxy (DNSCrypt) for encrypted DNS queries
• Monitors your network for changes and re-applies settings automatically
• Detects DNS tampering — if anyone changes your DNS settings (e.g., through Windows Settings), the app detects it within seconds and re-applies the correct configuration
• Detects captive portals (hotel/airport Wi-Fi) and pauses filtering until you authenticate

The app runs on Windows 10 and Windows 11 (64-bit).

Three Built-in Filter Levels

The app comes with three pre-configured filter levels. Each one maps to a different CleanBrowsing DNS resolver:

• Family Filter — Blocks adult content, mixed content, malware, and phishing domains. Best for families with children.
• Adult Filter — Blocks adult content and malware. Allows mixed-content sites like Reddit and social media.
• Custom Filter — Uses your CleanBrowsing dashboard settings. Requires a paid plan. Lets you create your own allow/block lists and custom policies.

Enable any filter with a single click on the home screen. The app shows a green status indicator when filtering is active and red when it's not.

Paying customers can configure their custom filter through the CleanBrowsing Dashboard.

Browser and System Hardening

The Harden page provides three security features that prevent users from bypassing DNS filtering:

• Application Uninstall Protection — Prevents the app from being removed through Windows Add/Remove Programs (Control Panel) and the Windows 11 Settings → Apps page. Requires your PIN to disable.
• Block Network Settings — Blocks access to DNS and network configuration in both the legacy Control Panel (Network and Sharing Center, Internet Options) and the modern Windows 10/11 Settings app (Network & Internet pages including Ethernet, Wi-Fi, Status, and Proxy). This prevents users from manually changing DNS servers to bypass filtering. Even if settings are accessed through another method, the app detects DNS tampering within seconds and automatically re-applies the correct DNS configuration.
• Browser Secure DNS Hardening — Disables DNS-over-HTTPS (DoH) in Chrome, Edge, Brave, and Firefox. This prevents browsers from bypassing your configured DNS filtering with their own encrypted DNS resolvers.

Each feature can be toggled on or off independently. Disabling a hardening feature requires your local PIN.

Connectivity and Graceful Failure

The app monitors internet connectivity continuously and handles connection problems without disrupting your ability to browse. When a connectivity issue is detected — whether a captive portal, a temporary outage, or an ISP-level DNS problem — the app pauses filtering rather than blocking all traffic.

Captive Portals

When you connect to a network that requires a login page (hotels, airports, coffee shops), the app automatically detects the captive portal and temporarily pauses DNS filtering so you can authenticate. Once the login is complete and internet connectivity is confirmed, the app automatically re-enables filtering. No manual action required.

Graceful Failure and Auto-Recovery

If the app can't reach CleanBrowsing's resolvers for any reason, it defaults back to allowing normal connectivity rather than leaving you unable to browse. The behavior depends on whether a PIN is set:

• No PIN set — The app pauses filtering and shows a connection dialog. When connectivity is restored, it automatically resumes filtering.
• PIN set — The connection dialog gives two options: wait for auto-resume (the default), or choose "Keep Disabled" which requires entering the PIN. This prevents a connectivity blip from being used as a way to permanently disable filtering without authorization.

In both cases, filtering resumes automatically as soon as a stable connection is detected. The app uses a debounce mechanism (three consecutive failed checks) before pausing, so brief interruptions don't trigger unnecessary pauses.

Corporate Network Detection

On laptops that move between your office and remote locations, you can tell the app to pause filtering automatically when it detects the corporate network — letting your internal DNS resolvers take over — and resume filtering as soon as the device leaves. Requires v1.7.8 or later.

To configure it: open Settings → Corporate Network Detection, check the enable box, choose a detection method, enter the matching value, click Test Now to verify, then Save.

Three detection methods are available — pick the one that best matches your network:

• DNS Suffix (recommended) — Matches the DHCP connection-specific DNS suffix assigned to your network adapter when on the corporate network (e.g. corp.contoso.com). Find it by running ipconfig /all and looking for Connection-specific DNS Suffix under your active adapter. This is the most reliable method for Active Directory environments.
• Subnet / CIDR Range — Checks whether your device IP falls within a specific range (e.g. 10.10.0.0/22). Run ipconfig and look at the IPv4 Address to determine your corporate range. Avoid overly broad ranges like 192.168.0.0/16 that also match home routers.
• Default Gateway IP — Matches the IP of your corporate gateway (e.g. 10.10.0.1). Run ipconfig and look for Default Gateway. Avoid common home router defaults like 192.168.1.1.

If you're deploying via Intune or a silent installer, configure this with the /corpnet installer parameters instead — see the Intune deployment guide.

Password Protection

You can set a local PIN to prevent unauthorized changes to the app's settings. When a PIN is set:

• Changing filters requires the PIN
• Resetting to default settings requires the PIN
• Enabling or disabling hardening features requires the PIN
• Uninstalling the app requires the PIN (or a remote admin code from the CleanBrowsing dashboard)

PINs are stored using PBKDF2-SHA256 with a unique random salt — they are never stored in plaintext. After 5 consecutive incorrect attempts, the dialog locks out for 30 seconds before accepting more entries.

This is useful for parents who want to ensure children can't disable filtering, or for IT administrators deploying the app across multiple machines.

Built-in Update Checker

The app checks for updates automatically and shows the result on the Updates page. If a newer version is available, you can download and install it directly from within the app — no need to visit the website. The update checker shows your current version, the latest available version, and any error details if the check fails.

Before installing any update, the app verifies the MD5 integrity of the downloaded installer against the value published on our servers. If the file doesn't match, the download is discarded and the install is blocked.

MSP and Silent Deployment

IT administrators and MSPs can pre-configure the app at install time using command-line parameters. Pass your settings as installer flags and the app applies them silently on first launch — no manual setup required on each machine.

Available deployment parameters:

• /account= — your CleanBrowsing account token (links the install to your dashboard)
• /pin= — sets a local PIN at install time
• /protect=1 — enables uninstall protection
• /blocknet=1 — enables block network settings
• /harden=1 — enables browser DoH hardening
• /noupdate=1 — disables the in-app update checker
• /corpnet=1 — enables corporate network detection (v1.7.8+)
• /corpnetmethod= — detection method: dns_suffix (default), subnet, or gateway
• /corpnetval= — the value to match (e.g. corp.contoso.com, 10.10.0.0/22, or 10.10.0.1)

Example silent install with all hardening and corporate network detection enabled:

CleanBrowsingClient_1.7.12_x64.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /account=YOUR_TOKEN /pin=1234 /protect=1 /blocknet=1 /harden=1 /noupdate=1 /corpnet=1 /corpnetmethod=dns_suffix /corpnetval=corp.contoso.com

For Intune deployment, see the Windows App Intune Deployment Guide.

Download and Install

The app is a single installer for Windows 10 and 11 (64-bit):

1. Download CleanBrowsingClient v1.7.12
2. Run the installer — it will prompt for administrator permissions
3. If a previous version is installed, the installer will automatically clean up the old installation (reset DNS, remove browser hardening, stop services) before installing the new version
4. Launch the app and click on a filter to enable it

For detailed setup instructions, see our Windows App Setup Guide.

For manual DNS configuration without the app, see Windows DNS Setup or our Setup page.