How to Diagnose a DNS Resolution Issue

A page loads but the video won't play? Embedded content is missing? This guide walks you through identifying and resolving DNS filtering issues when content partially fails to load.

Step 1: Confirm DNS Filtering Is the Cause

Before diving into technical debugging, confirm that DNS filtering is actually responsible for the issue:

  1. Try loading the same page on your home network (with CleanBrowsing active) — note the issue.
  2. Switch to cellular data or a different Wi-Fi network (without CleanBrowsing) — try again.
  3. If the content works on the other network but fails with CleanBrowsing enabled, a blocked domain is likely involved.

Why Does This Happen?

Streaming platforms and websites often load content from third-party CDNs, video hosts, or ad networks. The main page loads because the primary domain isn't blocked, but embedded media fails because a secondary domain (the CDN, video host, or analytics provider) is being filtered.

This is especially common with:

  • Embedded videos from third-party players
  • Streaming services using multiple CDN domains
  • Educational sites with content from external providers
  • News sites with embedded social media content

Step 2: Use Browser Developer Tools

The browser's built-in developer tools show exactly which domains are being loaded and which are failing.

  1. Press F12 (or right-click > Inspect) to open Developer Tools.
  2. Click the Network tab.
  3. Reload the page and attempt to play the video or load the failing content.
  4. Look for entries with red text or error icons.

What to Look For

  • "Failed to load resource" — the domain could not be reached
  • "ERR_NAME_NOT_RESOLVED" — DNS lookup failed (the domain is blocked)
  • "Blocked by client" — could be a browser extension or DNS block
  • Status code 0 — request never completed (DNS or connection failure)

Note the domain name in the failed request — this is the domain you may need to whitelist. It may not match the website's main domain.

For a deeper walkthrough, see our Debug with Browser DevTools guide.

Step 3: Check the CleanBrowsing Dashboard

If you have a paid CleanBrowsing account, the dashboard shows exactly which domains are being blocked.

  1. Log into your CleanBrowsing dashboard.
  2. Navigate to Activity > Blocked Requests.
  3. Filter by the time period when the content failed to load.
  4. Look for the domain you identified in Step 2 (or nearby domains from the same time window).

The blocked requests log shows the domain, the category it was blocked under, and the timestamp. This confirms whether CleanBrowsing is responsible and which category rule triggered the block.

Step 4: Allow the Domain

Once you've identified the blocked domain, add it to your whitelist:

  1. In the CleanBrowsing dashboard, go to Filters > Custom Allow List.
  2. Add the blocked domain (e.g., cdn.videohost.com).
  3. Click Save.
  4. Clear your DNS cache and reload the page.

The content should now load. If it still fails, there may be additional domains being blocked — repeat Steps 2-4 to identify them.

Step 5: Advanced Command-Line Methods

For technical users, command-line tools provide deeper visibility into DNS resolution. See our Command-Line DNS Tools guide for full details.


Test with curl

Use verbose output to see initial connections and redirects:

# macOS / Linux
curl -v https://example.com 2>&1 | head -30

# Windows (PowerShell)
Invoke-WebRequest -Uri "https://example.com" -Verbose

Test DNS Resolution Directly

# Using dig (macOS / Linux)
dig @185.228.168.168 cdn.videohost.com

# Using nslookup (Windows)
nslookup cdn.videohost.com 185.228.168.168

# Using PowerShell
Resolve-DnsName -Name cdn.videohost.com -Server 185.228.168.168

If the domain returns NXDOMAIN or a block page IP when queried through CleanBrowsing but resolves normally through another DNS resolver (like 8.8.8.8), CleanBrowsing is filtering that domain.
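The comparison described above can be scripted. This is an added example, not CleanBrowsing's own tooling: it classifies a domain from the dig status returned by the filtering resolver and by 8.8.8.8, and separates the timeout case covered in Step 6. The function names and the sample dig lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare a domain's DNS status through the filtering resolver
# and a reference resolver. Function names here are illustrative.
FILTER_DNS=185.228.168.168   # CleanBrowsing resolver used on this page
REFERENCE_DNS=8.8.8.8        # comparison resolver named on this page

# parse_status DIG_OUTPUT -> rcode from dig's header, or TIMEOUT when dig
# printed no header at all (only an error such as "timed out").
parse_status() {
    ps_rcode=$(printf '%s\n' "$1" |
        sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\).*/\1/p' | head -n 1)
    echo "${ps_rcode:-TIMEOUT}"
}

# classify FILTER_STATUS REFERENCE_STATUS -> verdict
classify() {
    case "$1/$2" in
        TIMEOUT/*)         echo unreachable ;;   # Step 6: resolver not reachable
        NXDOMAIN/NOERROR)  echo filtered ;;      # fails only through the filter
        NXDOMAIN/NXDOMAIN) echo nonexistent ;;   # typo or dead domain, not a block
        NOERROR/*)         echo resolves ;;      # check the answer IP by hand
        *)                 echo inconclusive ;;  # e.g. SERVFAIL, reference timeout
    esac
}

# check_domain DOMAIN -> "DOMAIN verdict" using live queries to both resolvers
check_domain() {
    cd_f=$(dig +time=3 +tries=1 "@$FILTER_DNS" "$1" A 2>&1 || true)
    cd_r=$(dig +time=3 +tries=1 "@$REFERENCE_DNS" "$1" A 2>&1 || true)
    echo "$1 $(classify "$(parse_status "$cd_f")" "$(parse_status "$cd_r")")"
}

# Constructed dig output for offline use (not captured from real queries).
SAMPLE_BLOCKED=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4021'
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4022'
SAMPLE_TIMEOUT=';; communications error to 185.228.168.168#53: timed out'

# With arguments: query each domain live. Without: run the offline samples.
if [ "$#" -gt 0 ]; then
    for d in "$@"; do check_domain "$d"; done
else
    classify "$(parse_status "$SAMPLE_BLOCKED")" "$(parse_status "$SAMPLE_OK")"
    classify "$(parse_status "$SAMPLE_TIMEOUT")" "$(parse_status "$SAMPLE_OK")"
fi
```

A "resolves" verdict does not rule out a block page IP, so compare the returned address with the one from the reference resolver before ruling filtering out.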


Capture Live DNS Queries

Monitor all DNS queries in real time while loading the page:

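# macOS / Linux: capture DNS traffic (-l line-buffers output, -n skips reverse lookups)
# Options go before the filter expression; placed after it they are not parsed as options on macOS.
sudo tcpdump -l -n -i any port 53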

# With tshark (Wireshark CLI)
sudo tshark -i any -f "port 53" -Y "dns.flags.response == 0"

Load the problematic page while the capture is running. The output shows every domain your browser is trying to resolve, making it easy to spot the failing ones.
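To pick the failing names out of a capture automatically, this added example (not part of the original guide) pairs each tcpdump query line with its response by transaction ID and prints the names answered with NXDomain. It assumes tcpdump's default non-verbose line format; the function name and the sample capture lines are constructed.

```shell
#!/bin/sh
# Added example: list names whose DNS query was answered with NXDomain.
# Live use:  sudo tcpdump -l -n -i any port 53 | failed_names
failed_names() {
    awk '
    {
        id = ""; name = ""; nx = 0
        for (i = 1; i <= NF; i++) {
            # The transaction ID is the token right after "dst.port:"
            if (id == "" && $i ~ /:$/ && i < NF) {
                id = $(i + 1); sub(/[^0-9].*/, "", id)
            }
            # Query lines carry "A? name." (or AAAA?/HTTPS?)
            if ($i ~ /^(A|AAAA|HTTPS)[?]$/ && i < NF) {
                name = $(i + 1); sub(/[.]$/, "", name)
            }
            if ($i ~ /^NXDomain/) nx = 1
        }
        if (id == "") next
        if (name != "" && !nx) asked[id] = name          # remember the query
        if (nx && (id in asked) && !(asked[id] in seen)) {
            seen[asked[id]] = 1                           # report each name once
            print asked[id]
        }
    }'
}

# Constructed capture lines (192.0.2.10 is a documentation address).
SAMPLE_CAPTURE='12:00:01.100000 IP 192.168.1.10.53124 > 185.228.168.168.53: 4242+ A? www.example.com. (33)
12:00:01.130000 IP 185.228.168.168.53 > 192.168.1.10.53124: 4242 1/0/0 A 192.0.2.10 (49)
12:00:01.200000 IP 192.168.1.10.40211 > 185.228.168.168.53: 5150+ [1au] A? cdn.videohost.com. (46)
12:00:01.230000 IP 185.228.168.168.53 > 192.168.1.10.40211: 5150 NXDomain 0/1/0 (110)'

printf '%s\n' "$SAMPLE_CAPTURE" | failed_names
```

The tshark filter shown above displays queries only, so it cannot be used for this pairing as written. Names that resolve to a block page IP are not flagged either, because that response is a normal answer.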

Step 6: Can't Reach CleanBrowsing at All

If you can't resolve any domain through CleanBrowsing — not even cleanbrowsing.org — the issue isn't filtering. Your network can't reach our resolvers. This is different from a domain being blocked.

Quick Test

# Windows
nslookup cleanbrowsing.org 185.228.168.168

# macOS / Linux
dig @185.228.168.168 cleanbrowsing.org

If this times out or returns no response, your connection to our DNS servers is being blocked somewhere.

Diagnose with Traceroute

# Windows
tracert 185.228.168.94

# macOS / Linux
traceroute 185.228.168.94

This shows where the connection drops — whether at your firewall, your ISP, or in transit.

Run a DNS Leak Test

Visit /dnsleaktest and share the results link. It captures your public IP, resolver info, and device type — everything we need to check for routing issues on our end.

Common Causes

  • Enterprise firewall blocking port 53: Some organizations restrict outbound DNS (UDP/TCP port 53) to approved resolvers only. Ask your IT team to allowlist 185.228.168.168 and 185.228.169.168.
  • ISP intercepting DNS: Some ISPs redirect all port 53 traffic to their own resolvers. Try using DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) to bypass this: DoH uses port 443 and DoT uses port 853 instead of port 53.
  • ISP routing issue: In rare cases, your ISP may route traffic to the wrong geographic endpoint, causing timeouts or high latency. The traceroute and leak test help us identify this.
  • DNS forwarder misconfiguration: If you're using CleanBrowsing as a forwarder (through Windows Server DNS, a firewall, or Pi-hole), test by setting the CleanBrowsing DNS addresses directly on a single device first. If direct works but the forwarder doesn't, the issue is in the forwarder config. See our Firewall & DNS Requirements guide.

If you've confirmed you can't reach our resolvers, email support@cleanbrowsing.org with your traceroute output and leak test results.

Step 7: Common Scenarios


Video Not Playing

Streaming platforms (YouTube, Vimeo, educational video hosts) often load videos from CDN domains that differ from the main site. The Family filter may block mixed-content CDNs. Check for blocked domains ending in common CDN patterns like *.akamaized.net, *.cloudfront.net, or platform-specific video hosts.


Embedded Social Media Not Loading

If embedded tweets, Instagram posts, or Facebook content doesn't appear, the social media domain may be blocked by a category filter. Whitelist the specific embed domain (e.g., platform.twitter.com) rather than the entire social media site.


Page Loads Slowly but Doesn't Fully Break

This often indicates blocked analytics or tracking domains. The page works but waits for timeouts on blocked resources. These usually resolve on their own after the browser times out — no action needed unless it causes significant delays.


Login or Authentication Fails

Some login systems use third-party identity providers (Google, Microsoft, Okta). If the identity provider's domain is blocked, authentication fails. Check for blocked domains related to *.auth0.com, *.okta.com, or login.microsoftonline.com.