Block DNS Bypasses with Router Firewall Rules

Users on your network can bypass DNS filtering by changing their device's DNS settings. This guide shows how to use router firewall rules to force all DNS traffic through CleanBrowsing.

Step 1: Why You Need Firewall Rules

DNS filtering works by intercepting domain lookups at the DNS resolver level. However, any user or application can change the DNS settings on their device to use a different resolver (like Google's 8.8.8.8 or Cloudflare's 1.1.1.1), completely bypassing your filtering.

Router firewall rules solve this by only allowing DNS traffic to your approved CleanBrowsing resolvers and blocking all other DNS traffic on port 53.

Step 2: Access Your Router Firewall

Log into your router or firewall appliance's admin panel. The firewall settings location varies by device:

  • Ubiquiti UniFi / DreamPro: Settings > Security > Firewall Rules
  • pfSense: Firewall > Rules
  • OpenWRT: Network > Firewall > Traffic Rules
  • ASUS: Advanced Settings > Firewall

You need to create two outbound rules — one to allow CleanBrowsing DNS, and one to block everything else on port 53.

Step 3: Create Rule 1 — Allow CleanBrowsing DNS

Create an Allow rule with the following settings:

  • Action: Allow
  • Protocol: TCP/UDP
  • Source: Your LAN / Default Network
  • Destination: CleanBrowsing DNS IPs
  • Port: 53

CleanBrowsing DNS IP addresses:

  Filter     Primary           Secondary
  Security   185.228.168.9     185.228.169.9
  Adult      185.228.168.10    185.228.169.11
  Family     185.228.168.168   185.228.169.168

Important: This rule must be placed above the block rule in the firewall rule order.

Step 4: Create Rule 2 — Block All Other DNS

Create a Block rule with the following settings:

  • Action: Block / Reject
  • Protocol: TCP/UDP
  • Source: Your LAN / Default Network
  • Destination: Any
  • Port: 53

This catches any DNS traffic that didn't match Rule 1 (i.e., traffic to unauthorized DNS resolvers) and blocks it.
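As an added example that is not part of the CleanBrowsing guide, here are Rule 1 and Rule 2 expressed as an nftables ruleset for a Linux-based router (OpenWRT's current firewall is nftables-based). The table name, set name and the LAN interface name br-lan are assumptions; the resolver addresses are the ones listed in Step 3.

```shell
#!/bin/sh
# Added example (not CleanBrowsing's own code): generate an nftables ruleset that
# allows DNS only to CleanBrowsing resolvers and rejects all other port-53 traffic
# forwarded from the LAN. Table/set names and interface name are assumptions.

# CleanBrowsing resolver IPs from the guide, keyed by filter tier.
cb_resolvers() {
    case "$1" in
        security) echo "185.228.168.9, 185.228.169.9" ;;
        adult)    echo "185.228.168.10, 185.228.169.11" ;;
        family)   echo "185.228.168.168, 185.228.169.168" ;;
        *)        return 1 ;;
    esac
}

# Print the ruleset. Order matters: the accept rule must come before the reject,
# exactly as the guide's "Important" note says. The forward hook only sees
# traffic leaving the LAN, so clients that use the router's own resolver are unaffected.
dns_ruleset() {
    lan_if="$1"
    ips=$(cb_resolvers "$2") || return 1
    cat <<EOF
table inet dns_lock {
    set cleanbrowsing {
        type ipv4_addr
        elements = { $ips }
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        # Rule 1: allow DNS (TCP and UDP) only to CleanBrowsing resolvers
        iifname "$lan_if" ip daddr @cleanbrowsing meta l4proto { tcp, udp } th dport 53 accept
        # Rule 2: reject every other DNS lookup leaving the LAN
        iifname "$lan_if" meta l4proto { tcp, udp } th dport 53 counter reject
    }
}
EOF
}

# Check on the generated text: the accept line must precede the reject line.
rules_ordered() {
    dns_ruleset "$1" "$2" | awk '/accept$/ {a=NR} /reject$/ {r=NR} END {exit !(a && r && a<r)}'
}

# Usage on the router: sh dns_lock.sh br-lan security | nft -f -
if [ -n "$1" ]; then dns_ruleset "$1" "${2:-security}"; fi
```

Applying the ruleset with `nft -f -` replaces nothing else on the router; an unknown filter tier makes the script exit non-zero instead of emitting a half-built table.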

Step 5: Common DNS Resolvers to Block

For reference, here are popular public DNS resolvers that users may try to switch to:

  Provider     Primary IP        Secondary IP
  Google DNS   8.8.8.8           8.8.4.4
  Cloudflare   1.1.1.1           1.0.0.1
  OpenDNS      208.67.222.222    208.67.220.220
  Quad9        9.9.9.9           149.112.112.112
  Comodo       8.26.56.26        8.20.247.20

The block-all rule on port 53 (Step 4) handles all of these automatically — you don't need to block each one individually.

Step 6: Verify the Rules Work

Test from a device on your network:

  1. Manually set the device's DNS to 8.8.8.8 (Google DNS).
  2. Try to browse the web — it should fail or be very slow.
  3. Change DNS back to CleanBrowsing or Automatic — browsing should work normally.

You can also verify using the command line:

nslookup google.com 8.8.8.8

This should time out if the firewall rules are working correctly.

Tip: For comprehensive bypass prevention including DoH and VPN, see our guide on preventing filter bypass.

Related Guides

Prevent Filter Bypass

Comprehensive guide to stopping DNS, DoH, and VPN bypass techniques.

Lock DNS Settings

Prevent users from changing DNS settings on their devices.

Generic Router Guide

Universal guide for configuring DNS on most routers.
