OpenDNS and CleanBrowsing | DNS Content Filtering


What is DNS Content Filtering?

A DNS Based Content Filtering service can prevent certain websites from loading on your network.  Most services can filter by specific categories like malware, phishing, pornography, etc.  Unlike some content filtering which can introduce security risks, DNS filtering does not intercept traffic between you and the website you’re visiting.  It doesn’t require installing any software on your computer or device making it one of the safest ways to filter web content.

Using CleanBrowsing's DNS service, a typoed domain returns a code showing the domain does not exist
Google’s DNS server returns the IP address of the phishing site, while CleanBrowsing returns NXDOMAIN

If you accidentally typo a popular domain (such as typing .cm instead of .com) it would normally take you to a phishing site.  A DNS filtering service would return an NXDOMAIN (domain does not exist) instead of the IP address, effectively blocking the website from loading.  The same technique can be used to prevent any undesirable category such as malware, pornography, adware, etc. from loading on your network.

The other benefit of using a DNS filtering service is it can force certain search and media services (like Google and YouTube) into safe mode preventing anyone using your network from even seeing adult content in their search results.

Why Should I use One?

It’s a wise way to protect yourself from malware and temptation.  It also helps when letting guests on your WiFi network, since you don’t have to worry (as much) about what they’re doing, and it’s a good idea when you start letting kids online.  DNS filtering doesn’t take the place of parenting, and anyone with a little technical skill can bypass it, but it may help prevent your family and anyone using your network from accidentally stumbling across bad sites.  If it prevents one cryptolocker infection it’s worth it.

I think families, churches, home networks, small businesses, organizations, schools, large enterprises, and governments could benefit from DNS filtering.   You may not want to go overboard blocking content about illegal drugs and gambling, but at the very least you probably don’t want malware on your network!

Two DNS Filtering Services

I use two DNS content filtering services:  OpenDNS and CleanBrowsing.  Both have simple instructions to get started so I won’t repeat that here.  Both are free, work well, and my decision to use one or the other on a particular network just depends on the situation–although in most cases either would be fine.  It’s nice to have multiple options.



OpenDNS has been around since 2006 and was acquired by Cisco in 2014.  It offers several free plans and some paid options as well:

  • OpenDNS Family Shield (Free).  Very simple–just set your router’s DNS servers to and and it’s pre-configured to block malicious and adult content.
  • OpenDNS Home (Free).  For more advanced control, allows for granular category filtering.  If your ISP gives you a dynamic IP you will need to use a DDNS client to update OpenDNS with your public IP.  Below are some screenshots to show the granularity:

OpenDNS Filtering Categories

OpenDNS Filtering Security Categories

  • OpenDNS Home VIP ($20/year) — Very affordable and adds the ability to white-list specific domains if they’re on the block list.
  • Cisco Umbrella — For businesses and larger enterprises.



CleanBrowsing is a fairly new service, starting in February of 2017.

It offers three easy free filtering plans and two paid plans:

  • Security Filter (Free) – Set your router’s DNS to and to only block malicious domains (phishing and malware).
  • Adult Filter (Free) – Set DNS to and to block Adult domains, set search engines to safe mode (also includes the security filter).
  • Family Filter (Free) – Set DNS to and to block access to VPN domains that could be used to bypass filters, mixed content sites (like Reddit), and sets YouTube to safe mode (includes Adult and Security filters as well).
  • Basic Plan ($5/month) allows you to set up custom filtering categories and whitelist and blacklist specific domains.
  • Professional ($9/month) targeting small networks (less than 2,000 devices, for more than that you can get a custom quote).

CleanBrowsing DNS Filtering Map

OpenDNS and CleanBrowsing Comparison

OpenDNS has been around the longest, but CleanBrowsing is leading in innovation (note that my comparison is on the free or low priced consumer service, not the enterprise service from each provider):

OpenDNS advantages

  • Free account allows more control of specific categories
  • Blocked domains get redirected to page saying why page is blocked (better end user understanding of what’s going on than an NXDOMAIN for most people)
  • Been Around Longer.  More mature.

CleanBrowsing advantages

  • Security – Supports DNSSEC (prevents forgery of DNS results …some ISPs have been known to hijack DNS results).  Also supports DNSCrypt, DNS over HTTPS, and DNS over TLS.
  • Blocked domains return an NXDOMAIN (better practice than redirecting for technical/security folks)
  • Privacy Policy: CleanBrowsing states it does not log requests
  • Better Test Results on Adult content filtering: blocked 100% of adult content on a Porn Filter test by Nykolas Z (OpenDNS blocked 89%).
  • Much better Test Results Blocking Phishing Sites: CleanBrowsing blocked 100% of phishing sites on 3 out of 4 tests beating out OpenDNS in every area.  On the real-time test it allowed 1 out of 12 sites through, however OpenDNS only blocked 2 out of 12 sites.

Both OpenDNS and CleanBrowsing have very fast DNS resolution rates (probably faster than your ISP), with CleanBrowsing resolving slightly faster for me but within milliseconds of each other.  I think either service is worth using.
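To see which of the two blocking styles compared above a resolver uses (NXDOMAIN versus a redirect to a block page), you can classify its raw DNS reply. This is an added example, not code from either provider; the domain name, the block-page address and the sample replies are constructed, and `ask()` expects a resolver address that you supply.

```python
import socket
import struct

NXDOMAIN = 3  # DNS RCODE "name does not exist" (RFC 1035)

def build_query(name, qid=0x1234):
    """Encode a minimal A-record query with the RD (recursion desired) bit set."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", 1, 1)

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer, always 2 bytes
            return off + 2
        off += 1 + n

def classify(msg, block_page_ips=frozenset()):
    """Map a raw DNS response to (verdict, [A-record addresses])."""
    _qid, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off, addrs = 12, []
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    rcode = flags & 0x000F
    if rcode == NXDOMAIN:  # a filter block and a truly missing name look identical
        return "nxdomain", addrs
    if rcode != 0 or not addrs:
        return "no-answer", addrs
    if block_page_ips.intersection(addrs):
        return "block-page", addrs
    return "resolved", addrs

def ask(resolver_ip, name, timeout=3.0):
    """Send the query over UDP to a resolver you choose; return its raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver_ip, 53))
        return s.recvfrom(4096)[0]

def sample_response(name, rcode, ips=()):
    """Constructed reply bytes so the example runs offline."""
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip) for ip in ips)
    return struct.pack("!6H", 0x1234, 0x8180 | rcode, 1, len(ips), 0, 0) + build_query(name)[12:] + rrs
```

Running `classify(ask(resolver_ip, name))` against a filtering resolver and an unfiltered one for the same name shows the difference directly; an NXDOMAIN from only the filtering resolver indicates a block rather than a missing domain.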

I have made a covenant with my eyes.
How then could I look at a young woman? — Job 31:1 CSB


13 thoughts on “OpenDNS and CleanBrowsing | DNS Content Filtering”

  1. There really isn’t any such thing as “DNS Content Filtering”. When using DNS specifically to decide which sites are accessible and which are not, you are performing DOMAIN filtering. While certain domains do typically correlate to certain kinds of content, that is not necessarily the case.

    In today’s world of virtual hosting where multiple web sites (multiple domains) can land you on the same exact box with access to the same exact back-end content, using DNS to filter out domains isn’t anywhere near enough.

    Additionally, DNS has no concept at all of the actual content, including whether or not there is something potentially malicious that has become inserted into otherwise safe content. In order to properly, FULLY protect yourself, you need a true content filtering product. Period.

    1. Thanks Mark. That’s a really good distinction to make. Agreed, the content filtering isn’t going to be real-time. It also can’t be precise for mixed content sites (we either have to block them or allow them unless they provide alternative IPs for safe content). And like you said it does rely on trusting domains to not get hacked and host the same kind of content they historically host. The way I look at it is DNS filtering is a low effort low cost way to add a layer of protection with huge benefits. We can always add more layers of filtering. It’s also low risk. We don’t have to implicitly trust a DNS provider because if they returned wrong IPs we should notice DNSSEC validation failures not to mention SSL certs failing as well.

      Correct me if I’m wrong, but my concern with content filtering systems that examine content over the wire in real-time is that I can’t think of a way to do that for https other than SSL inspection–which means we have to implicitly trust (e.g. trust with our passwords, etc.) it with all information we send and receive. Not only do you have to trust the integrity of vendors and admins of the system but you have to trust them to be competent and vigilant enough for it not to get compromised. There are valid use cases for content-filtering, but for people who don’t have a robust security team I think it introduces more potential for risk than for benefit.

  2. While you’re right that a content filtering system would be able to see EVERYTHING you send, including passwords, that doesn’t mean that you have to filter those sort of sites.

    Just like with DNS filtering you are able to implicitly trust certain domains / sites, you can configure inspection policies for content in a similar manner. Whitelist your banking site and the content filter will ignore that site and not try to filter content – essentially the exact same thing you get with DNS filtering only.

    If you are relying on a machine that is out of your control to do the filtering (you set yourself up to use an external, third-party, proxy-based solution), then you may have some significant cause for concern. If the software runs entirely locally on your machine, that concern is reduced so long as the software comes from a reputable company that has no potential to “phone home” after capturing your credentials. And, those systems run in memory without committing inspected content to disk. So, another rogue program on your machine wouldn’t have a way to snoop that information either.

  3. Nice article Benjamin. CleanBrowsing while not specifically mentioned on their website, offers DNS servers that will return a block page for those that prefer that method. For example the adult name servers with the block page are: &

  4. Thanks Joseph. I confirmed that those addresses do redirect to a block page. It’s interesting that these aren’t mentioned on their website (or anywhere else that I could find). The 2nd one surprised me because it’s listed as the “normal” secondary DNS for the adult filter:

  5. Guys, could I ask if it is possible that using Clean Browsing could lead to the hacking of information or accessing of my ISP services? Is it secure, routing all of your information through their servers?

  6. It’s not.

    That would be equivalent to transcripts of your phone calls being sent through the phone book (DNS is the “phone book” of the Internet).

  7. Hi Mark,

    I’m curious to understand further about your comments on domain and content filtering. If the recommendation is to couple domain and content filtering, what are the options for homes and small business?

  8. Content filtering for the home user is “hard” because it typically requires either a reasonable amount of technical know-how, money, or both. I used to use a blocklist tool that plugged into Squid (called SquidGuard). It required policy routing and/or iptables configurations on the box that held the squid proxy or you had to forcibly configure your web browsers to use it as a proxy. With so much moving to encrypted connections, and limitations on the SSLBUMP option, I ultimately opted to back away from that setup and just learn to be smarter about where anyone browsed along with good anti-malware software.

    For small business, it’s less about the technical know-how and more about how much of a ransom you’re willing to pay to your Internet provider every month to add this sort of thing on. It isn’t until you get to the medium-sized business and above where your options actually get useful (meaning you have enough technical staff AND enough money in your budget to do something meaningful that works).

  9. Hi thanks for this article.

    I am the developer of DNS For Family: and its motive is just to block porn websites and advertisements (as some ads lead to porn). Database is updated daily at a fixed time.

    Secondly, unlike the other services you listed, DNSforFamily has no profit motive and is designed completely with a humanitarian approach.

    By any chance could you add this service to your article so that readers can know about DNSforFamily also?

    Thanks Again.
