CleanBrowsing DNS with Windows Active Directory

Learn how to integrate CleanBrowsing DNS filtering into a Windows Active Directory environment without breaking domain functionality. The key is configuring CleanBrowsing as a DNS forwarder on your AD DNS server rather than on individual workstations.

Step 1: Understand the Problem

Configuring CleanBrowsing DNS directly on individual workstations in an Active Directory environment will break AD functionality. When workstations use CleanBrowsing resolvers instead of the AD DNS server, they lose the ability to:

  • Resolve internal Active Directory DNS records
  • Locate domain controllers
  • Apply Group Policy settings
  • Maintain domain trust relationships


This can potentially disconnect workstations from the domain entirely. The solution is to configure CleanBrowsing at the AD DNS server level, not on individual machines.

Step 2: The Solution - DNS Forwarding

Instead of configuring CleanBrowsing DNS directly on workstations, you should implement CleanBrowsing as a DNS forwarder on your Active Directory DNS server. This approach:

  • Preserves all AD DNS functionality (internal record resolution, domain controller location, Group Policy)
  • Routes all external DNS queries through CleanBrowsing for filtering
  • Keeps workstations pointed at the AD DNS server as their primary resolver
  • Applies CleanBrowsing filtering to the entire network transparently


Your AD DNS server handles internal domain queries locally and forwards all external queries to CleanBrowsing resolvers.

Step 3: Configure DNS Forwarders

Follow these steps to set up CleanBrowsing as a DNS forwarder on your AD DNS server:

  1. Open DNS Manager by running dnsmgmt.msc on your AD DNS server.
  2. Right-click the server name and select Properties.
  3. Navigate to the Forwarders tab.
  4. Click Edit and add the CleanBrowsing resolver IP addresses (see Step 4 for filter options).
  5. Click OK and apply the changes.


Once configured, all external DNS lookups from your domain-joined workstations will be filtered through CleanBrowsing while internal AD DNS resolution continues to work normally.

Step 4: Choose Your CleanBrowsing Filter

Add the appropriate CleanBrowsing resolver IPs to your DNS forwarder configuration based on the level of filtering you need:


Security Filter

Blocks malware, phishing, and malicious domains:

185.228.168.9
185.228.169.9

Adult Filter

Blocks adult content in addition to security threats:

185.228.168.10
185.228.169.11

Family Filter

The most restrictive filter, blocking adult content, mixed content, and security threats:

185.228.168.168
185.228.169.168


If you have a paid CleanBrowsing account, use your custom resolver IPs from your dashboard for granular category-level control.

Step 5: Additional Safeguards

To ensure consistent DNS filtering across your Active Directory environment, implement these additional safeguards:

  • Enforce DHCP settings: Ensure all workstations receive the AD DNS server address via DHCP so they cannot bypass filtering by using a different DNS provider.
  • Block external DNS at the firewall: Configure your firewall to block outbound DNS queries (port 53) from all devices except the AD DNS server. This prevents workstations from bypassing the forwarder.
  • Audit DNS settings regularly: Periodically verify that the forwarder configuration is correct and that no workstations have manually overridden their DNS settings.


These measures ensure that all DNS traffic from your network passes through CleanBrowsing, maintaining consistent content filtering while preserving full Active Directory functionality.
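
The forwarder setup from Step 3 and the audit from Step 5 can also be scripted in PowerShell. The script below is an added example, not part of the original CleanBrowsing guide; the 10.0.0.10 address is a placeholder for your AD DNS server, and the function and parameter names are illustrative.

```powershell
# Added example (not CleanBrowsing's script). Save as a .ps1 and run elevated
# on the AD DNS server; requires the DnsServer module.
param(
    # Security Filter resolvers from Step 4; substitute the filter you chose.
    [string[]]$ExpectedForwarders = @('185.228.168.9', '185.228.169.9'),
    # Assumption: placeholder for your AD DNS server address(es).
    [string[]]$AdDnsServers = @('10.0.0.10'),
    [switch]$Fix
)

function Test-ForwarderConfig {
    $cfg     = Get-DnsServerForwarder
    $current = @($cfg.IPAddress | ForEach-Object { $_.IPAddressToString })
    $want    = ($ExpectedForwarders | Sort-Object) -join ','
    $have    = ($current | Sort-Object) -join ','
    [pscustomobject]@{
        Current     = $current
        Matches     = ($want -eq $have)
        # With root hints enabled the server resolves external names itself
        # when the forwarders do not answer, so those replies are unfiltered.
        UseRootHint = $cfg.UseRootHint
    }
}

function Test-ClientDnsOverride {
    # Run on a workstation: adapters using any resolver other than AD DNS.
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses | Where-Object { $_ -notin $AdDnsServers } } |
        Select-Object InterfaceAlias, ServerAddresses
}

$state = Test-ForwarderConfig
if (-not $state.Matches -or $state.UseRootHint) {
    Write-Warning ("Forwarders: [{0}] UseRootHint: {1}" -f ($state.Current -join ', '), $state.UseRootHint)
    if ($Fix) {
        # Fail closed: external lookups stop if CleanBrowsing is unreachable.
        Set-DnsServerForwarder -IPAddress $ExpectedForwarders -UseRootHint $false -PassThru
    }
}

# Internal AD records must still be answered locally, not by the forwarders.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$env:USERDNSDOMAIN" -Type SRV -Server 127.0.0.1 |
    Select-Object Name, NameTarget, Port
```

Without -Fix the script only reports drift. Test-ClientDnsOverride is meant to be called on a workstation with $AdDnsServers set to your real DNS server addresses.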
