What is DNS Content Filtering?
A DNS Based Content Filtering service can prevent certain websites from loading on your network. Most services can filter by specific categories like malware, phishing, pornography, etc. Unlike some content filtering that can introduce security risks, DNS filtering does not intercept traffic between you and the website you’re visiting. It doesn’t require installing any software on your computer or device, making it one of the safest ways to filter web content.
If you accidentally mistype a popular domain (such as typing “.cm” instead of “.com”), it would normally take you to a phishing site. A DNS filtering service blocks the lookup by returning NXDOMAIN (domain does not exist) instead of the IP address, which prevents the website from loading. The same technique can prevent any undesirable categories such as malware, pornography, and adware from loading on your network.
The other benefit of using a DNS filtering service is it can force certain search and media services (like Google and YouTube) into safe mode preventing anyone using your network from even seeing adult content in their search results.
Why Should You Use DNS Filtering?
It’s a wise way to protect yourself from malware and temptation. It also helps when you let guests on your WiFi network, since you don’t have to worry (as much) about what they’re doing, and it’s a good idea when you let kids online. DNS filtering doesn’t take the place of parenting, and anyone with a little technical skill can bypass it, but it may help prevent your family and anyone on your network from accidentally stumbling across bad sites. If it prevents one malware infection, it’s worth it.
Families, churches, home labs, small businesses, organizations, schools, large enterprises, and governments should use DNS filtering. You may not want to go overboard blocking research content about illegal drugs and gambling, but at the very least you don’t want malware on your network!
Three DNS Filtering Services
There are three free DNS Content Filtering services I recommend. I use OpenDNS, but I’ll go over all three so you can make an educated choice about what works best for you. All have simple instructions to get started so I won’t repeat that here. All are free, work well, and my decision to use or recommend one or the other depends on the situation—although in most cases any would be better than nothing! It’s nice to have multiple good choices.
OpenDNS has been around since 2006 and was acquired by Cisco in 2014. It offers several free plans, and some paid options as well:
- OpenDNS Family Shield (Free). Very simple—just set your router’s DNS servers to 126.96.36.199 and 188.8.131.52 and it is pre-configured to block malicious and adult content.
- OpenDNS Home (Free). For more advanced control. This is what I use. This requires some skill to set up so if you’re not technical, skip this option. The reason I like this option best is OpenDNS Home allows for granular category filtering. If your ISP has a dynamic IP, you will need to use a DDNS client to update OpenDNS with your public IP.
- OpenDNS Home VIP ($20/year) — Very affordable and adds the ability to white-list specific domains if they’re on the block list.
- Cisco Umbrella — For businesses and larger enterprises.
CleanBrowsing is a fairly new service, starting in February 2017.
It offers three easy free filtering plans and two paid plans:
- Security Filter (Free) – Set your router’s DNS to 184.108.40.206 and 220.127.116.11 to only block malicious domains (phishing and malware).
- Adult Filter (Free) – Set DNS to 18.104.22.168 and 22.214.171.124 to block Adult domains and set search engines to safe mode (also includes the security filter).
- Family Filter (Free) – Set DNS to 126.96.36.199 and 188.8.131.52 to block access to VPN domains that could bypass filters and mixed content sites (like Reddit), and to set YouTube to safe mode (includes Adult and Security filters as well).
- Basic Plan for Home ($55/year) allows you to set up custom filtering categories and whitelist and blacklist specific domains.
- There are several plans ranging from 100 to 2000 devices and you can get a quote if you need more than that.
184.108.40.206 For Families
Cloudflare just launched a new service, 220.127.116.11 for Families on April 1, 2020.
Cloudflare has been providing unfiltered DNS on 18.104.22.168 since 2018, and is undisputedly the fastest DNS service in the world according to DNSPerf.
22.214.171.124 for Families offers two options:
- Block Malware only (Free) — Set DNS to 126.96.36.199 and 188.8.131.52
- Block Adult Content & Malware (Free) — Set DNS to 184.108.40.206 and 220.127.116.11
There are no custom options, not even a paid plan. But what you will get from Cloudflare is an impressive number of data center locations providing low latency anywhere in the world.
OpenDNS, CleanBrowsing, and 18.104.22.168 for Families Comparison
OpenDNS is the most configurable on a free plan. CleanBrowsing is further ahead in supporting security features and is faster at blocking harmful sites. 22.214.171.124 for Families will have the lowest latency and is the newest major competitor in this space.
OpenDNS
- The free account has the best control with the ability to block specific categories
- Blocked domains get redirected to a page saying why the page is blocked (for most people this gives a better understanding of what’s going on than an NXDOMAIN)
- Been Around Longer. More mature.
CleanBrowsing
- Security – Supports DNSSEC (prevents forgery of DNS results; some ISPs have hijacked DNS results). It also supports DNSCrypt, DNS over HTTPS, and DNS over TLS.
- Blocked domains return an NXDOMAIN (better practice than redirecting for technical/security folks)
- Better Test Results on Adult content filtering: blocked 100% of adult content on a Porn Filter test by Nykolas Z (OpenDNS blocked 89%).
- Much better Test Results Blocking Phishing Sites: CleanBrowsing blocked 100% of phishing sites on 3 out of 4 tests beating out OpenDNS in every area. On the real-time test it allowed 1 out of 12 sites through, however, OpenDNS only blocked 2 out of 12 sites.
126.96.36.199 For Families
The newest service from Cloudflare is promising. With Cloudflare’s experience, it will be the fastest and have strong privacy guarantees. Cloudflare is security-minded, supporting DNS over HTTPS, DNSSEC, and DNS over TLS.
I hope this post has been helpful. OpenDNS, CleanBrowsing, and 188.8.131.52 for Families have quick DNS resolution times (probably faster than your ISP). I use OpenDNS for its configurable categories. Decide which one works best for you and use it.
I have made a covenant with my eyes.
How then could I look at a young woman? — Job 31:1 CSB