OpenDNS, CleanBrowsing, and 1.1.1.1 for Families | DNS Content Filtering

Updated

What is DNS Content Filtering?

A DNS Based Content Filtering service can prevent certain websites from loading on your network.  Most services can filter by specific categories like malware, phishing, pornography, etc.  Unlike some content filtering that can introduce security risks, DNS filtering does not intercept traffic between you and the website you’re visiting.  It doesn’t require installing any software on your computer or device, making it one of the safest ways to filter web content.

Using ClearBrowsing's DNS Service a typoed domains returns a code showing the domain does not exist
Google’s DNS server returns the IP address of the phishing site, while CleanBrowsing returns NXDOMAIN

If you accidentally typo a popular domain (such as typing “.cm” instead of “.com”) it would normally take you to a phishing site.  A DNS filtering service would block your computer by returning NXDOMAIN (domain does not exist) instead of the IP address blocking the website from loading.  The same technique can prevent any undesirable categories such as malware, pornography, and adware from loading on your network.

The other benefit of using a DNS filtering service is it can force certain search and media services (like Google and YouTube) into safe mode preventing anyone using your network from even seeing adult content in their search results.

Why Should DNS Filtering?

It’s not only a wise way to protect yourself from malware and temptation but also when letting guests on your WiFi network—you don’t have to worry (as much) about what they’re doing, and also a good idea when you let kids online.  DNS filtering doesn’t take the place of parenting, and anyone with a little technical skill can bypass it, but it may help prevent your family and anyone on your network from accidentally stumbling across bad sites.  If it prevents one malware infection, it’s worth it.

Families, churches, home labs, small businesses, organizations, schools, large enterprises, and governments should use DNS filtering.   You may not want to go overboard blocking research content about illegal drugs and gambling, but at the very least you don’t want malware on your network!

Three DNS Filtering Services

There are three free DNS Content Filtering services I recommend. I use OpenDNS, but I’ll go over all three so you can make an educated choice about what works best for you. All have simple instructions to get started so I won’t repeat that here.  All are free, work well, and my decision to use or recommend one or the other depends on the situation—although in most cases any would be better than nothing!  It’s nice to have multiple good choices.

OpenDNS

OpenDNS Logo

OpenDNS has been around since 2006 and was acquired by Cisco in 2014.  It offers several free plans, and some paid options as well:

  • OpenDNS Family Shield (Free).  Very simple—just set your router’s DNS servers to 208.67.222.123 and 208.67.220.123 and it is pre-configured to block malicious and adult content.
  • OpenDNS Home (Free).  For more advanced control. This is what I use. This requires some skill to set up so if you’re not technical, skip this option. The reason I like this option best is OpenDNS Home allows for granular category filtering as seen in the screenshots below.  If your ISP has a dynamic IP, you will need to use a DDNS client to update OpenDNS with your public IP.  Below are some screenshots to show the options and categories:
OpenDNS Filtering Categories
OpenDNS Filtering Security Categories
  • OpenDNS Home VIP ($20/year) — Very affordable and adds the ability to white-list specific domains if they’re on the block list.
  • Cisco Umbrella — For businesses and larger enterprises.

CleanBrowsing

CleanBrowsing Logo

CleanBrowsing is a fairly new service, starting in February 2017.

It offers three easy free filtering plans and 2 paid plains:

  • Security Filter (Free) – Set your router’s DNS to 185.228.168.9 and 185.228.169.9 to only block malicious domains (phishing and malware).
  • Adult Filter (Free)– Set DNS to 185.228.168.10 and 185.228.169.11 to block Adult domains, set search engines to safe mode (also includes the security filter).
  • Family Filter (Free)– Set DNS to 185.228.168.168 and 185.228.169.168 to block access to VPN domains that could bypass filters, mixed content sites (like Reddit), and sets YouTube to safe mode (includes Adult and Security filters as well).
  • Basic Plan for Home ($55/year) allows you to set up custom filtering categories and whitelist and b5lacklist specific domains.
  • There are several plans ranging from 100 to 2000 devices and you can get a quote if you need more than that.
CleanBrowsing DNS Filtering Map

1.1.1.1 For Families

Cloudflare just launched a new service, 1.1.1.1 for Families on April 1, 2020.

Cloudflare has been providing unfiltered DNS on 1.1.1.1 since 2018. And is undisputedly the fastest DNS service in the world according to DNSPerf.

1.1.1.1 for Families offers two options:

  • Block Malware only (Free) — Set DNS to 1.1.1.2 and 1.0.0.2
  • Block Adult Content & Malware (Free) — Set DNS to 1.1.1.3 and 1.0.0.3

There are no custom options, not even a paid plan. But what you will get from Cloudflare is an impressive number of data center locations providing low latency anywhere in the world.

OpenDNS, CleanBrowsing, and 1.1.1.1 for Families Comparison

OpenDNS is the most configurable on a free plan. CleanBrowsing is further ahead in supporting security features and is faster at blocking harmful sites. 1.1.1.1 for Families will have the lowest latency and is the newest major competitor in this space.

OpenDNS advantages

  • The free account has the best control with the ability to block specific categories
  • Blocked domains get redirected to a page saying why the page is blocked (this results in the user understanding of what’s going on than an NXDOMAIN for most people)
  • Been Around Longer.  More mature.

CleanBrowsing advantages

  • Security – Supports DNSSEC (prevents forgery of DNS results …some ISPs have hijacked DNS results).  It also supports DNSCrypt, DNS over HTTPS, and DNS over TLS.
  • Blocked domains return an NXDOMAIN (better practice than redirecting for technical/security folks)
  • Privacy Policy: CleanBrowsing States it does not log requests
  • Better Test Results on Adult content filtering: blocked 100% of adult content on a Porn Filter test by Nykolas Z (OpenDNS blocked 89%).
  • Much better Test Results Blocking Phishing Sites: CleanBrowsing blocked 100% of phishing sites on 3 out of 4 tests beating out OpenDNS in every area.  On the real-time test it allowed 1 out of 12 sites through, however, OpenDNS only blocked 2 out of 12 sites.

1.1.1.1 For Families

The newest service from Cloudflare is promising. With Cloudflare’s experience, it will be the fastest and having strong privacy guarantees. Cloudflare is security-minded supporting DNS over HTTPS, DNSSEC, and DNS over TLS.

Helpful?

I hope this post has been helpful. OpenDNS, CleanBrowsing, and 1.1.1.1 for Families have quick DNS resolution times (probably faster than your ISP). I use OpenDNS for its configurable categories. Decide which one works best for you and use it.

I have made a covenant with my eyes.
How then could I look at a young woman? — Job 31:1 CSB