How to Block Specific Domains in CleanBrowsing

Block Any Site Beyond Your Predefined Category Filters

Predefined content categories block large groups of domains automatically. When you need to block a specific domain that is not covered by a category — or block a site within an otherwise permitted category — the custom block list gives you precise, per-domain control.

Step 1: When to Use the Custom Block List

CleanBrowsing's predefined content categories — Social Media, Gaming, Video Streaming, and others — block large groups of domains automatically. The custom block list is for situations those categories don't cover:

  • Block a specific site within a permitted category: You allow Social Media broadly but want to block one platform (e.g., TikTok) while leaving others accessible.
  • Block an uncategorized domain: A site that hasn't been classified in our database yet. Add it to your block list for immediate effect on your network.
  • Block a business or productivity distraction: Sports sites, entertainment, forums, or other content that falls outside predefined categories.
  • Block mirror domains: When a site you have already blocked reappears under a different domain name, add the new domain to your block list directly.

Custom Block List vs. Predefined Categories

Do not duplicate a predefined category by manually adding its domains to your block list. If the Social Media category is enabled, adding individual social media domains to the block list is unnecessary and makes troubleshooting harder. Use the custom block list only for domains not covered by any active category.

# Verify whether a domain is already blocked by your active categories
# Windows
nslookup the-domain.com 185.228.168.168

# macOS / Linux
dig +short @185.228.168.168 the-domain.com

If the domain returns NXDOMAIN or a block page IP, a predefined category is already blocking it. If it returns a valid IP, the domain is currently allowed and a custom block list entry will block it.

Step 2: Add Domains via the Dashboard

The CleanBrowsing dashboard is the primary way to manage your custom block list. This requires a paid account.

  1. Log in to your CleanBrowsing dashboard, or go directly to Settings → Custom Domains.
  2. Click on Settings in the left navigation.
  3. Select Custom Domains.
  4. Under the Custom block domains card, enter the domain you want to block (e.g., tiktok.com).
  5. Click Add or Save.

Domain Format

  • Exact domain: Enter tiktok.com to block that specific domain and its subdomains.
  • Subdomain coverage: Blocking tiktok.com will also block www.tiktok.com and other subdomains under the same root.
  • Do not include protocols: Enter example.com, not https://example.com.
  • Do not include paths: Enter example.com, not example.com/page. DNS filtering operates at the domain level, not the URL path level.
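
The format rules above can be applied mechanically before anything is pasted into the dashboard. The following is an added example, not CleanBrowsing's own code: it strips protocols, paths and ports from raw entries, and drops subdomains whose parent is already listed, which also saves entries against the plan limit. The function names and sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not CleanBrowsing's code): turn pasted URLs into block list entries.

normalize_entry() {
    # Trim, lowercase, then strip scheme, path/query, userinfo, port, trailing dot.
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' | sed -E \
        -e 's,^[[:space:]]+,,' -e 's,[[:space:]]+$,,' \
        -e 's,^[a-z][a-z0-9+.-]*://,,' \
        -e 's,[/?#].*$,,' \
        -e 's,^[^@]*@,,' \
        -e 's,:[0-9]+$,,' \
        -e 's,\.$,,'
}

build_blocklist() {
    # stdin: one raw entry per line; stdout: sorted, de-duplicated bare domains.
    while IFS= read -r raw; do
        d=$(normalize_entry "$raw")
        # Keep only hostnames with at least two labels; anything else is dropped.
        if printf '%s\n' "$d" | grep -Eq '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]([a-z0-9-]*[a-z0-9])?$'; then
            printf '%s\n' "$d"
        fi
    done | LC_ALL=C sort -u | awk '
        { seen[$0] = 1; list[n++] = $0 }
        END {
            for (i = 0; i < n; i++) {
                parent = list[i]; covered = 0
                # A blocked parent already covers its subdomains, so drop them.
                while ((k = index(parent, ".")) > 0) {
                    parent = substr(parent, k + 1)
                    if (parent in seen) { covered = 1; break }
                }
                if (!covered) print list[i]
            }
        }'
}

sample_entries() {   # constructed input, as a user might paste it
    printf '%s\n' 'https://www.tiktok.com/@user/video/1' 'tiktok.com' 'TikTok.com.' \
        'http://redd.it:80/abc' 'example.com/page' 'm.reddit.com' 'not a domain'
}

sample_entries | build_blocklist
```

Here `www.tiktok.com` is dropped because `tiktok.com` is listed, while `m.reddit.com` is kept because no parent of it is in the input.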

Profile-Specific Block Lists

If you use multiple profiles (e.g., "Kids" and "Adults"), block lists are profile-specific. A domain blocked in the Kids profile will still be accessible under the Adults profile unless you add it there too. This lets you apply stricter restrictions to one group without affecting another.


Plan Limits

The number of custom block list entries depends on your plan: Basic (500 domains), Pro 50 (1,000 domains), Pro 100 and above (1,500+ domains). If you are approaching your limit, consider whether a predefined category covers the domains you are trying to block — enabling the category is more efficient than listing hundreds of individual domains.

Step 3: Wait for Propagation, Then Flush DNS Cache

Dashboard changes — including custom block list additions — take 30 to 45 minutes to propagate across CleanBrowsing's resolver network. Your device, browser, and OS also cache DNS responses. If a valid (unblocked) response is still cached, the domain will continue to load until the cache expires.

After waiting at least 30 minutes, flush the DNS cache:

# Windows Command Prompt
ipconfig /flushdns

# PowerShell
Clear-DnsClientCache

# macOS
sudo dscacheutil -flushcache
sudo killall -HUP mDNSResponder

# Linux (systemd-resolved)
sudo resolvectl flush-caches
# Older systemd releases: sudo systemd-resolve --flush-caches

# Linux (nscd)
sudo systemctl restart nscd

Also Clear Browser DNS Cache

  • Chrome: Navigate to chrome://net-internals/#dns and click Clear host cache.
  • Firefox: Navigate to about:networking#dns and click Clear DNS Cache.
  • Edge: Navigate to edge://net-internals/#dns and click Clear host cache.
  • Or simply: Close and reopen the browser.

For detailed instructions, see our Clear DNS Cache in Browser guide.

Step 4: Verify the Block from the Command Line

After adding the domain and flushing your cache, confirm it is now being blocked by CleanBrowsing.

# Windows Command Prompt
nslookup the-blocked-domain.com 185.228.168.168

# PowerShell
Resolve-DnsName -Name the-blocked-domain.com -Server 185.228.168.168

# macOS / Linux
dig +short @185.228.168.168 the-blocked-domain.com

A blocked domain will return NXDOMAIN, no response, or a block page IP — not a valid address. If it still returns a valid IP, the block has not propagated yet or the device is not using CleanBrowsing for DNS.


Verify Multiple Domains at Once

# PowerShell
$domains = @("tiktok.com", "reddit.com", "discord.com")

foreach ($d in $domains) {
    $result = Resolve-DnsName -Name $d -Server 185.228.168.168 -ErrorAction SilentlyContinue
    $status = if ($result.IPAddress) { "[ALLOWED]" } else { "[BLOCKED]" }
    Write-Host "$status $d"
}

# macOS / Linux
for domain in tiktok.com reddit.com discord.com; do
    # Drop dig's ";;" diagnostic lines (e.g. timeouts) so only answer records count
    result=$(dig +short @185.228.168.168 "$domain" | grep -v '^;')
    if [ -z "$result" ]; then
        echo "[BLOCKED]  $domain"
    else
        echo "[ALLOWED]  $domain"
    fi
done
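
Step 4 names three signs of a block (NXDOMAIN, no response, a block page IP), while the loops above only test for an empty answer. The following added example, which is not CleanBrowsing's own code, tells those cases apart by reading dig's reply header and answer records. The replies are constructed samples, and `BLOCK_PAGE_IP` is a placeholder because this page does not state the block page address.

```shell
#!/bin/sh
# Added example (not CleanBrowsing's code): classify one resolver reply.
# Input is the text printed by: dig +noall +comments +answer @185.228.168.168 <domain>
# BLOCK_PAGE_IP is a placeholder from the documentation range; replace it with
# the block page address your own account returns.
BLOCK_PAGE_IP="192.0.2.1"

classify_reply() {
    printf '%s\n' "$1" | awk -v block_ip="$BLOCK_PAGE_IP" '
        match($0, /status: [A-Z]+/) { status = substr($0, RSTART + 8, RLENGTH - 8) }
        /^;/ || NF < 5              { next }   # skip dig comments and blank lines
        $4 == "A" || $4 == "AAAA"   { n++; if ($5 == block_ip) hit++ }
        END {
            if (status == "")              print "NO_RESPONSE"       # no header: timeout
            else if (status == "NXDOMAIN") print "BLOCKED_NXDOMAIN"
            else if (hit > 0)              print "BLOCKED_PAGE"
            else if (n > 0)                print "ALLOWED"
            else                           print "NO_ADDRESS_" status
        }'
}

sample_reply() {   # constructed replies, not captured from a live resolver
    case "$1" in
        nxdomain) printf '%s\n' ';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1111' ;;
        page)     printf '%s\n' ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2222' \
                                'blocked.example. 60 IN A 192.0.2.1' ;;
        allowed)  printf '%s\n' ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3333' \
                                'allowed.example. 300 IN A 198.51.100.7' ;;
        timeout)  printf '%s\n' ';; connection timed out; no servers could be reached' ;;
    esac
}

# Live use (needs network access, so it is defined here but not called):
check_domain() {
    classify_reply "$(dig +noall +comments +answer @185.228.168.168 "$1" 2>&1)"
}

for kind in nxdomain page allowed timeout; do
    printf '%-9s %s\n' "$kind" "$(classify_reply "$(sample_reply "$kind")")"
done
```

`NO_RESPONSE` is reported separately from the two `BLOCKED_*` results because an unreachable resolver produces the same symptom as a filtered query; confirm the device can reach 185.228.168.168 before reading it as a block.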

Step 5: Block Not Working?

If you added a domain to the block list but it is still loading, work through these common causes:


1. Not Enough Time Has Passed

This is the most common cause. Dashboard changes take 30-45 minutes to propagate. Wait, flush your DNS cache (Step 3), then test again.


2. Wrong Profile

Block lists are profile-specific. Verify the domain is in the correct profile for the device you are testing from.

# Check which profile is active for your IP
nslookup -type=TXT iptest.whois.dnscontest.cleanbrowsing.org 185.228.168.168

3. Browser DNS-over-HTTPS Is Active

If the browser has DoH enabled with another provider, it bypasses your network DNS entirely. Your custom block list has no effect. Check and disable DoH in the browser: see How to Disable DNS-over-HTTPS.


4. The App Uses Its Own DNS

Some mobile apps and desktop clients hard-code DNS servers and bypass network DNS entirely. DNS filtering cannot block domains resolved outside your DNS path. For those, consider firewall-level blocking. See Block DNS Bypasses at the Firewall.


5. Device Not Using CleanBrowsing

Verify the device is routing DNS through CleanBrowsing:

# Windows (/C: makes findstr match the literal phrase instead of either word)
ipconfig /all | findstr /C:"DNS Servers"

# macOS
scutil --dns | grep nameserver

If CleanBrowsing IPs are not listed, the device is using a different DNS resolver and the block list has no effect.

Step 6: Common Blocking Scenarios


Block TikTok

tiktok.com
tiktokv.com
muscdn.com

Note: the TikTok iOS app may use hard-coded DNS and bypass network-level blocking on mobile devices. For iPhones and iPads, pair DNS blocking with an Apple DNS profile for better coverage.


Block Reddit

reddit.com
redd.it
redditstatic.com
redditmedia.com

Block Discord

discord.com
discordapp.com
discordapp.net
discord.gg

Block YouTube (without blocking Google)

youtube.com
youtu.be
youtubei.googleapis.com

Note: blocking YouTube at the DNS level will also block YouTube Music, YouTube Kids, and YouTube TV since they share the same domains.


Blocking SafeSearch-Bypassing Bing Domains

If you are using SafeSearch enforcement but want to block Bing entirely instead, add:

bing.com
edgeservices.bing.com

Reporting Uncategorized Domains

If a domain is not in our database and you believe it should be blocked by default for other users, submit it at categorify.org or contact support@cleanbrowsing.org. Adding it to your custom block list gives you immediate coverage on your network while the submission is reviewed.