
DNS Filtering for Families — CleanBrowsing, NextDNS, AdGuard, OpenDNS

How to set up family DNS filters on home routers or per device using CleanBrowsing Family, NextDNS, AdGuard DNS and OpenDNS Family Shield.

DNS filtering is a quiet, network-layer parental control that blocks domain lookups for harmful or adult sites before any device even tries to connect. Set on a home router, it covers every device on the network — phones, consoles, smart TVs, IoT gadgets — without installing anything on each device. Set on individual devices, it follows the child wherever they go. CleanBrowsing Family, NextDNS, AdGuard DNS and OpenDNS Family Shield are the four most widely used family DNS services. All have free tiers; NextDNS adds detailed logs and per-device profiles on a low-cost paid plan.

Recommended age: 0+

Main risks

  • DNS filters block sites but do not see inside encrypted apps (Discord, WhatsApp, etc) — they are not a complete safeguard
  • Devices and browsers that use DNS-over-HTTPS (DoH), such as Chrome, Firefox and modern iOS, can bypass a router-level DNS setting unless outbound DoH is also blocked
  • VPN apps tunnel around DNS filtering entirely
  • A misconfigured DNS can prevent legitimate services from working — test before relying on it

Initial setup steps

1. Choose your service and tier

For pure simplicity, OpenDNS Family Shield or CleanBrowsing Family Filter are free and require no signup — just two IP addresses. For per-device profiles and logs, set up a free NextDNS account at my.nextdns.io. AdGuard DNS offers similar features.

2. Apply at router level first

Log in to your router admin (commonly 192.168.1.1 or 192.168.0.1). Find DNS or DHCP settings. Enter the primary and secondary DNS for your chosen provider. Save and reboot the router.

3. Test that it is working

From a device on the home network, try to visit a known test page — OpenDNS provides internetbadguys.com as a safe test. It should be blocked. CleanBrowsing and AdGuard have similar test URLs.

4. Set per-device DNS for off-home protection

On a child's iPhone or Android, install the configuration profile from your DNS provider (NextDNS provides one-tap profiles). The filter then follows the device wherever it goes — home Wi-Fi, school Wi-Fi, mobile data.
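
To check from a given device that the filter set up in the steps above is really the DNS that device uses, the following added example (not part of the original guide) compares three answers for the OpenDNS test domain: one asked directly of the filter, one asked of an unfiltered resolver, and one from the device's own DNS settings. The 1.1.1.1 reference resolver, the function names and the verdict rules are assumptions of this example.

```python
import socket
import struct

FILTER = "208.67.222.123"            # OpenDNS Family Shield primary (from this page)
REFERENCE = "1.1.1.1"                # assumption: an unfiltered public resolver
TEST_DOMAIN = "internetbadguys.com"  # OpenDNS test page named on this page

def build_query(name, qid=0x1234):   # recursive A-record query, class IN
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0) + labels + b"\x00\x00\x01\x00\x01"

def skip_name(msg, off):             # offset just past a name or compression pointer
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def parse_a_records(msg):
    """IPv4 answers in a raw response; empty set on NXDOMAIN or any error code."""
    flags, _, answers = struct.unpack(">HHH", msg[2:8])
    if flags & 0x000F:
        return set()
    off, addrs = skip_name(msg, 12) + 4, set()   # skip header and the one question
    for _ in range(answers):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        if rtype == 1 and rdlen == 4:
            addrs.add(socket.inet_ntoa(msg[off + 10:off + 14]))
        off += 10 + rdlen
    return addrs

def ask(resolver, name, timeout=3.0):  # query one resolver directly over UDP/53
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        return parse_a_records(s.recv(512))

def ask_system(name):                # resolve via the DNS this device actually uses
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, 80, socket.AF_INET)}
    except socket.gaierror:
        return set()

def verdict(filtered, reference, system):
    # The filter must answer differently from the reference for the test to mean anything.
    if filtered == reference:
        return "inconclusive: the filter does not block this test domain"
    return "filtered" if system == filtered else "NOT filtered"

if __name__ == "__main__":
    print(verdict(ask(FILTER, TEST_DOMAIN), ask(REFERENCE, TEST_DOMAIN), ask_system(TEST_DOMAIN)))
```

This checks the operating system's resolver only; a browser with DoH enabled resolves names separately, so also load the test page in the browser itself.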

Parental control settings

Router-level DNS

Location: Router admin > DHCP / DNS settings > Primary and Secondary DNS

Recommended: CleanBrowsing Family (185.228.168.168 / 185.228.169.168) or OpenDNS Family Shield (208.67.222.123 / 208.67.220.123)

Setting DNS at the router applies the filter to every device that uses the router for DNS — phones, consoles, smart TVs, even guests. It is the broadest single setting you can make on your home network.

Per-device DNS

Location: iOS: Settings > Wi-Fi > [network] > Configure DNS | Android: Settings > Network > Private DNS | macOS/Windows: Network adapter settings

Recommended: Configure on a child's phone and laptop so the filter follows the device off home Wi-Fi

iOS supports private DNS profiles from services like NextDNS that work everywhere — home, school Wi-Fi, mobile data. Android 9+ supports Private DNS (DNS-over-TLS) globally.

NextDNS profile

Location: my.nextdns.io

Recommended: Family profile with Threat Intelligence, Safe Search and Parental Controls categories enabled

NextDNS lets you mix-and-match: block categories (adult, gambling, gaming), force SafeSearch on Google/Bing/DuckDuckGo, restrict YouTube to Restricted Mode, and view a log of allowed and blocked requests.

Block DoH bypass

Location: Router/firewall rules — block outbound DNS-over-HTTPS to common providers

Recommended: Optional but recommended on networks with tech-savvy children

Modern browsers default to DoH, which bypasses router DNS. Blocking DoH endpoints forces all DNS through your filter. NextDNS and similar services include guidance on doing this.

Age recommendations

Ages 0-10

DNS filtering provides a strong baseline. Combine with on-device controls — DNS does not see inside apps, so social media risks still need app-level management.

Ages 11-13

DNS plus device controls plus mobile network content lock is the layered approach most safeguarding organisations recommend.

Ages 14-16

DNS continues to filter the obvious worst categories. Tech-aware teenagers may attempt to bypass via VPN; the right response is a conversation about trust and what is and is not appropriate, not a technical arms race.
