Firewall & DNS Requirements

Network requirements for CleanBrowsing to work correctly. Use this guide if your firewall, ISP, or network configuration is preventing DNS traffic from reaching CleanBrowsing resolvers.

Step 1: Required IPs & Ports

CleanBrowsing uses the following IP addresses and ports. Your firewall must allow outbound traffic to these destinations.

DNS Resolver IPs

Filter           Primary IP        Secondary IP
Family Filter    185.228.168.168   185.228.169.168
Adult Filter     185.228.168.10    185.228.169.11
Security Filter  185.228.168.9     185.228.169.9
Custom (Paid)    185.228.168.168   185.228.169.168

Paid accounts use the same IPs as the Family Filter but are identified by your registered public IP address or DoH URL.

Required Ports

Protocol  Port  Use
UDP       53    Standard DNS queries (plaintext)
TCP       53    DNS over TCP: the client retries here when a UDP answer comes back truncated (TC bit set), which happens with large responses such as DNSSEC-signed answers
TCP       853   DNS-over-TLS (DoT): encrypted DNS
TCP       443   DNS-over-HTTPS (DoH): encrypted DNS

Minimum requirement: UDP 53 and TCP 53 outbound to the CleanBrowsing IPs above (UDP alone works for most lookups, but truncated answers will fail without TCP). If your network supports encrypted DNS, ports 853 (DoT) or 443 (DoH) encrypt queries in transit and let the client verify it is talking to CleanBrowsing's certificate, which also defeats the ISP interception described in Step 4.

Step 2: Verify Connectivity

Before making firewall changes, test whether your network can currently reach CleanBrowsing resolvers.

Basic DNS Test

# Windows
nslookup cleanbrowsing.org 185.228.168.168

# macOS / Linux
dig @185.228.168.168 cleanbrowsing.org

If this returns a valid IP address, your network can reach a resolver on that address and port 53 is open, so no firewall changes are needed. It does not by itself prove that CleanBrowsing answered: an ISP that intercepts port 53 also returns valid-looking answers. Step 4 shows how to tell the difference.

If this times out (dig prints ";; connection timed out; no servers could be reached") or returns no response, something between you and CleanBrowsing is dropping the traffic.

Traceroute

# Windows
tracert 185.228.168.168

# macOS / Linux
traceroute 185.228.168.168

The traceroute shows where packets stop. Keep in mind that it does not test port 53: Windows tracert sends ICMP echo, and Linux traceroute sends UDP probes to high ports by default (use traceroute -T -p 53 on Linux to probe with TCP SYNs to port 53 instead). Look for:

  • Stops at your firewall/router IP: Your local firewall is blocking outbound traffic to the resolver
  • Stops at your ISP: Your ISP may be intercepting or blocking third-party DNS
  • Reaches destination but DNS still fails: Port 53 is being blocked or intercepted even though ICMP/UDP probes get through, so the problem is port-specific, not a routing problem

DNS Leak Test

Run our DNS Leak Test and share the results link with support. It captures your public IP, resolver information, and device type in one step.

Step 3: Firewall Blocking Outbound DNS

Enterprise firewalls often restrict outbound DNS (port 53) to approved servers only. This is sound egress filtering (it stops devices and malware from bypassing the filter with an arbitrary resolver), but it means the CleanBrowsing IPs must be added to the allow list.

What to Allow

Create firewall rules that permit outbound traffic to:

  • Destination IPs: 185.228.168.0/24 and 185.228.169.0/24 (covers all CleanBrowsing resolvers)
  • Destination Ports: UDP 53, TCP 53 (minimum). Add TCP 853 if using DoT; TCP 443 for DoH is normally already open for web browsing.
  • Direction: Outbound (from your network to CleanBrowsing)

Common Firewall Platforms

The exact steps vary by firewall vendor, but the concept is the same: add the CleanBrowsing IP ranges to your outbound DNS allow list.

  • pfSense / OPNsense: Firewall > Rules > LAN > Add rule allowing UDP/TCP 53 to 185.228.168.0/24 and 185.228.169.0/24
  • Fortinet FortiGate: Policy & Objects > Firewall Policy > Add address object for CB IPs, create outbound allow rule on port 53
  • SonicWall: Network > Address Objects > add CB IPs. Firewall > Access Rules > allow LAN to WAN on DNS service
  • Meraki MX: Security & SD-WAN > Firewall > Layer 3 outbound rules > allow to CB IPs on port 53

Step 4: ISP DNS Interception

Some ISPs transparently intercept all DNS traffic on port 53 and redirect it to their own resolvers, regardless of what DNS server you configure. This is called DNS hijacking or transparent DNS proxying.

How to Detect ISP Interception

# Query CleanBrowsing's debug record
# Windows
nslookup -type=TXT debug.test.cleanbrowsing.org 185.228.168.168

# macOS / Linux
dig TXT debug.test.cleanbrowsing.org @185.228.168.168

If the response does not mention CleanBrowsing (or returns your ISP's resolver information), something between you and CleanBrowsing answered the query on port 53: your DNS traffic is being intercepted. The answer will look like a normal successful lookup, which is why a working Step 2 test alone does not prove you reached CleanBrowsing.

Solutions

  • Use DNS-over-HTTPS (DoH): DoH sends DNS queries over HTTPS (port 443). A transparent DNS proxy only looks at port 53, so it never sees these queries. The ISP can still see you are connecting to doh.cleanbrowsing.org (the hostname is sent in the TLS handshake), but it cannot read or rewrite the queries. See Step 6 below.
  • Use DNS-over-TLS (DoT): DoT uses its own port (853), which transparent port-53 proxies do not touch; some ISPs do block the port outright, in which case fall back to DoH. Configure with hostname family-filter-dns.cleanbrowsing.org (or the equivalent for your filter level).
  • Contact your ISP: Ask if they offer an option to disable transparent DNS proxying. Some ISPs provide this as an account setting.
  • Use a VPN: A VPN tunnels all traffic (including DNS) through an encrypted connection, bypassing ISP interception entirely.

Step 5: DNS Forwarder Configuration

If you're using CleanBrowsing as an upstream forwarder (through Windows Server DNS, a firewall, Pi-hole, or another DNS appliance), additional considerations apply.

Isolate the Forwarder

First, determine whether the issue is with CleanBrowsing or with your forwarder:

  1. Set CleanBrowsing DNS directly on a single workstation (bypass the forwarder)
  2. Test DNS resolution from that workstation
  3. If direct DNS works but the forwarder doesn't, the issue is in your forwarder configuration

Common Forwarder Issues

  • DNS IP typo: Double-check the IPs. A common mistake is 185.168 instead of 185.228
  • Forwarder timeout too short: If the forwarder's upstream timeout is set below 3 seconds, occasional slow responses may cause failures. Set the timeout to at least 5 seconds.
  • DNSSEC validation conflict: If your forwarder performs DNSSEC validation, CleanBrowsing's filtered answers for names in DNSSEC-signed zones will not carry valid signatures, so the forwarder marks them bogus and returns SERVFAIL for exactly the names you meant to block or redirect. Configure the forwarder to trust CleanBrowsing as an upstream resolver without re-validating.
  • Source IP not registered: For paid accounts, CleanBrowsing identifies your account by public IP. If the forwarder sends DNS queries from a different public IP than what's registered in your dashboard, the queries won't match your account.

Windows Server DNS Role

If you're using the Windows Server DNS role as a forwarder:

  1. Open DNS Manager > right-click your server > Properties > Forwarders tab
  2. Add 185.228.168.168 and 185.228.169.168
  3. Set the forwarder timeout to at least 5 seconds
  4. Decide deliberately whether to leave "Use root hints if no forwarders are available" checked. With it checked, the server keeps resolving on its own when CleanBrowsing is unreachable, but filtering is silently bypassed for as long as the outage lasts. Uncheck it if you would rather have DNS fail closed than unfiltered.

Step 6: Encrypted DNS (DoH / DoT)

If port 53 is blocked by your ISP or firewall and you can't change the firewall rules, encrypted DNS provides an alternative path.

DNS-over-HTTPS (DoH)

DoH sends DNS queries over HTTPS (port 443). Since this is the same port used for all web traffic, firewalls and ISPs rarely block it; blocking it selectively requires inspecting the TLS hostname (doh.cleanbrowsing.org) or pinning the DoH server's IPs, which transparent DNS proxies do not do.

Filter    DoH URL
Family    https://doh.cleanbrowsing.org/doh/family-filter/
Adult     https://doh.cleanbrowsing.org/doh/adult-filter/
Security  https://doh.cleanbrowsing.org/doh/security-filter/

For paid accounts, your custom DoH URL is available in your dashboard.

To configure DoH on Apple devices, use our Apple DNS Configurator to generate a .mobileconfig profile.

DNS-over-TLS (DoT)

DoT uses port 853. It's supported natively on Android 9+ (Private DNS) and many routers.

Filter    DoT Hostname
Family    family-filter-dns.cleanbrowsing.org
Adult     adult-filter-dns.cleanbrowsing.org
Security  security-filter-dns.cleanbrowsing.org
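The four transports from Step 1, the Step 2 reachability test and the Step 4 interception check, as one added example (not CleanBrowsing's code) in Python using only the standard library. It encodes the query on the wire itself so you can see what each port actually carries: the same 35-byte message goes out raw over UDP 53, behind a 2-byte length prefix over TCP 53 and TLS 853, and as the body of an HTTPS POST on 443. Assumptions: the DoH endpoint accepts the RFC 8484 POST form, and the debug TXT answer contains the word "CleanBrowsing" (the guide only says the answer mentions it). The reply embedded at the bottom is constructed for the offline demonstration, not captured from the resolver.

```python
"""Hand-rolled DNS client for the transports in this guide (UDP 53, TCP 53, DoT 853, DoH 443).
Added example, not CleanBrowsing's code. Wire format RFC 1035, DoT RFC 7858, DoH RFC 8484."""
import socket
import ssl
import struct
import urllib.request

CB_IP = "185.228.168.168"                                        # Family Filter primary (Step 1)
CB_DOT_HOST = "family-filter-dns.cleanbrowsing.org"              # DoT hostname (Step 6)
CB_DOH_URL = "https://doh.cleanbrowsing.org/doh/family-filter/"  # DoH URL (Step 6)
QTYPE = {"A": 1, "TXT": 16}

def build_query(name, qtype="A", txid=0x1234):
    """Encode a one-question query with RD=1 and return the wire bytes."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", QTYPE[qtype], 1)

def _skip_name(msg, off):
    """Advance past a name; a 0xC0 compression pointer ends it in two bytes."""
    while msg[off] != 0 and msg[off] & 0xC0 != 0xC0:
        off += msg[off] + 1
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def parse_answers(msg):
    """Return (rcode, rdata list); A as dotted quad, TXT as its strings joined."""
    _id, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                   # skip QTYPE + QCLASS
    out = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 1:
            out.append(".".join(str(b) for b in rdata))
        elif rtype == 16:                                # TXT: sequence of <len><chars>
            parts, i = [], 0
            while i < rdlen:
                parts.append(rdata[i + 1:i + 1 + rdata[i]].decode(errors="replace"))
                i += 1 + rdata[i]
            out.append("".join(parts))
    return flags & 0xF, out

def _recv_exact(s, n):
    buf = b""
    while len(buf) < n:
        chunk = s.recv(n - len(buf))
        if not chunk: raise ConnectionError("peer closed mid-message")
        buf += chunk
    return buf

def _framed(s, q):
    s.sendall(struct.pack("!H", len(q)) + q)             # TCP/DoT: 2-byte length prefix
    (n,) = struct.unpack("!H", _recv_exact(s, 2))
    return _recv_exact(s, n)

def query_udp(q, ip=CB_IP, timeout=3):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (ip, 53))
        return s.recv(4096)

def query_tcp(q, ip=CB_IP, timeout=3):
    with socket.create_connection((ip, 53), timeout) as s:
        return _framed(s, q)

def query_dot(q, host=CB_DOT_HOST, timeout=3):
    ctx = ssl.create_default_context()                   # verifies the resolver's certificate
    with socket.create_connection((host, 853), timeout) as raw, ctx.wrap_socket(raw, server_hostname=host) as s:
        return _framed(s, q)

def query_doh(q, url=CB_DOH_URL, timeout=3):
    # Assumption: the endpoint accepts the RFC 8484 POST form with a binary DNS message body.
    req = urllib.request.Request(url, data=q, method="POST", headers={
        "Content-Type": "application/dns-message", "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=timeout) as r:
        return r.read()

def looks_intercepted(txt_answers):
    """Assumption: a genuine debug TXT answer contains 'CleanBrowsing'; anything else is a proxy."""
    return not any("cleanbrowsing" in t.lower() for t in txt_answers)

def check_all(name="cleanbrowsing.org"):
    """Run the query over every transport; map transport -> answers or failure text."""
    results = {}
    for label, fn in (("udp53", query_udp), ("tcp53", query_tcp),
                      ("dot853", query_dot), ("doh443", query_doh)):
        try:
            results[label] = parse_answers(fn(build_query(name)))[1]
        except Exception as e:                           # timeout, reset, TLS or HTTP error
            results[label] = f"FAIL {type(e).__name__}: {e}"
    return results

# Constructed reply (not captured): one A answer, 203.0.113.10, owner name compressed to offset 12.
SAMPLE_A_REPLY = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                  b"\x0dcleanbrowsing\x03org\x00\x00\x01\x00\x01"
                  b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xcb\x00\x71\x0a")

if __name__ == "__main__":
    print("offline parse:", parse_answers(SAMPLE_A_REPLY))
    for label, result in check_all().items():
        print(f"{label:7} {result}")
    _, txt = parse_answers(query_udp(build_query("debug.test.cleanbrowsing.org", "TXT")))
    print("debug TXT:", txt, "intercepted:", looks_intercepted(txt))
```

Reading the output: udp53 and tcp53 failing while doh443 works means port 53 is blocked and the fix is Step 3 (or Step 6 if you cannot change the firewall); all four succeeding but the debug TXT not mentioning CleanBrowsing means a transparent proxy is answering port 53 (Step 4); dot853 failing with an SSL error rather than a timeout means something is tampering with the TLS connection, not just dropping it.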

Still can't connect?

Run our DNS Leak Test and email the results to support.

Contact Support