CleanBrowsing Windows Desktop App

What the App Does

The CleanBrowsing Desktop App automatically configures DNS filtering on all your network interfaces. Instead of manually changing DNS settings through the command prompt or Windows Settings, the app handles everything with a single click.

When you enable a filter, the app:

• Sets your DNS servers to CleanBrowsing's filtered resolvers
• Installs a local DNS proxy (DNSCrypt) for encrypted DNS queries
• Monitors your network for changes and re-applies settings automatically
• Detects DNS tampering — if anyone changes your DNS settings (e.g., through Windows Settings), the app detects it within seconds and re-applies the correct configuration
• Detects captive portals (hotel/airport Wi-Fi) and pauses filtering until you authenticate

The app runs on Windows 10 and Windows 11 (64-bit).

Three Built-in Filter Levels

The app comes with three pre-configured filter levels. Each one maps to a different CleanBrowsing DNS resolver:

• Family Filter — Blocks adult content, mixed content, malware, and phishing domains. Best for families with children.
• Adult Filter — Blocks adult content and malware. Allows mixed-content sites like Reddit and social media.
• Custom Filter — Uses your CleanBrowsing dashboard settings. Requires a paid plan. Lets you create your own allow/block lists and custom policies.

Enable any filter with a single click on the home screen. The app shows a green status indicator when filtering is active and red when it's not.

Paying customers can configure their custom filter through the CleanBrowsing Dashboard.

Browser and System Hardening

The Harden page provides three security features that prevent users from bypassing DNS filtering:

• Application Uninstall Protection — Prevents the app from being removed through Windows Add/Remove Programs (Control Panel) and the Windows 11 Settings → Apps page. Requires your PIN to disable.
• Block Network Settings — Blocks access to DNS and network configuration in both the legacy Control Panel (Network and Sharing Center, Internet Options) and the modern Windows 10/11 Settings app (Network & Internet pages including Ethernet, Wi-Fi, Status, and Proxy). This prevents users from manually changing DNS servers to bypass filtering. Even if settings are accessed through another method, the app detects DNS tampering within seconds and automatically re-applies the correct DNS configuration.
• Browser Secure DNS Hardening — Disables DNS-over-HTTPS (DoH) in Chrome, Edge, Brave, and Firefox. This prevents browsers from bypassing your configured DNS filtering with their own encrypted DNS resolvers.

Each feature can be toggled on or off independently. Disabling a hardening feature requires your local PIN.

Connectivity and Graceful Failure

The app monitors internet connectivity continuously and handles connection problems without disrupting your ability to browse. When a connectivity issue is detected — whether a captive portal, a temporary outage, or an ISP-level DNS problem — the app pauses filtering rather than blocking all traffic.

Captive Portals

When you connect to a network that requires a login page (hotels, airports, coffee shops), the app automatically detects the captive portal and temporarily pauses DNS filtering so you can authenticate. Once the login is complete and internet connectivity is confirmed, the app automatically re-enables filtering. No manual action required.

Graceful Failure and Auto-Recovery

If the app can't reach CleanBrowsing's resolvers for any reason, it defaults back to allowing normal connectivity rather than leaving you unable to browse. The behavior depends on whether a PIN is set:

• No PIN set — The app pauses filtering and shows a connection dialog. When connectivity is restored, it automatically resumes filtering.
• PIN set — The connection dialog gives two options: wait for auto-resume (the default), or choose "Keep Disabled" which requires entering the PIN. This prevents a connectivity blip from being used as a way to permanently disable filtering without authorization.

In both cases, filtering resumes automatically as soon as a stable connection is detected. The app uses a debounce mechanism (three consecutive failed checks) before pausing, so brief interruptions don't trigger unnecessary pauses.

Password Protection

You can set a local PIN to prevent unauthorized changes to the app's settings. When a PIN is set:

• Changing filters requires the PIN
• Resetting to default settings requires the PIN
• Enabling or disabling hardening features requires the PIN
• Uninstalling the app requires the PIN (or a remote admin code from the CleanBrowsing dashboard)

This is useful for parents who want to ensure children can't disable filtering, or for IT administrators deploying the app across multiple machines.

Built-in Update Checker

The app checks for updates automatically and shows the result on the Updates page. If a newer version is available, you can download and install it directly from within the app — no need to visit the website. The update checker shows your current version, the latest available version, and any error details if the check fails.

MSP and Silent Deployment

IT administrators and MSPs can pre-configure the app at install time using command-line parameters. Pass your settings as installer flags and the app applies them silently on first launch — no manual setup required on each machine.

Available deployment parameters:

• /account= — your CleanBrowsing account token (links the install to your dashboard)
• /pin= — sets a local PIN at install time
• /protect=1 — enables uninstall protection
• /blocknet=1 — enables block network settings
• /harden=1 — enables browser DoH hardening
• /noupdate=1 — disables the in-app update checker

Example silent install with all hardening enabled:

CleanBrowsingClient_1.7.6_x64.exe /account=YOUR_TOKEN /pin=1234 /protect=1 /blocknet=1 /harden=1 /S

For Intune deployment, see the Windows App Intune Deployment Guide.

Download and Install

The app is a single installer for Windows 10 and 11 (64-bit):

1. Download CleanBrowsingClient v1.7.6
2. Run the installer — it will prompt for administrator permissions
3. If a previous version is installed, the installer will automatically clean up the old installation (reset DNS, remove browser hardening, stop services) before installing the new version
4. Launch the app and click on a filter to enable it

For detailed setup instructions, see our Windows App Setup Guide.

For manual DNS configuration without the app, see Windows DNS Setup or our Setup page.