What is DNS Content Filtering?
A DNS-based content filtering service can prevent certain websites from loading on your network. Most services can filter by specific categories like malware, phishing, pornography, etc. Unlike some content filtering, which can introduce security risks of its own, DNS filtering does not intercept the traffic between you and the website you’re visiting. It doesn’t require installing any software on your computer or device, making it one of the safest ways to filter web content.
If you accidentally typo a popular domain (such as typing .cm instead of .com) it can take you to a phishing site. A DNS filtering service blocks it by returning NXDOMAIN (domain does not exist) instead of the site’s IP address, so the website never loads. The same technique can be used to prevent any undesirable category such as malware, pornography, adware, etc. from loading on your network.
The other benefit of using a DNS filtering service is that it can force certain search and media services (like Google and YouTube) into safe mode, preventing anyone using your network from even seeing adult content in their search results.
Why Should I use One?
It’s not only a wise way to protect yourself from malware and temptation, but also when letting guests on your WiFi network, so you don’t have to worry (as much) about what they’re doing, and a good idea when you start letting kids online. DNS filtering doesn’t take the place of parenting, and anyone with a little technical skill can bypass it, but it may help prevent your family and anyone using your network from accidentally stumbling across bad sites. If it prevents one CryptoLocker infection it’s worth it.
I think families, churches, home networks, small businesses, organizations, schools, large enterprises, and governments could benefit from DNS filtering. You may not want to go overboard blocking content about illegal drugs and gambling, but at the very least you probably don’t want malware on your network!
Two DNS Filtering Services
I use two DNS content filtering services: OpenDNS and CleanBrowsing. Both have simple instructions to get started, so I won’t repeat that here. Both are free and work well, and my decision to use one or the other on a particular network just depends on the situation, although in most cases either would be fine. It’s nice to have multiple options.
OpenDNS has been around since 2006 and was acquired by Cisco in 2014. It offers several free plans and some paid options as well:
- OpenDNS Family Shield (Free). Very simple: just set your router’s DNS servers to 22.214.171.124 and 126.96.36.199 and it’s pre-configured to block malicious and adult content.
- OpenDNS Home (Free). For more advanced control, allows granular category filtering. If your ISP gives you a dynamic IP you will need to run a DDNS client to keep OpenDNS updated with your public IP, since the filtering policy is tied to that address. Below are some screenshots showing the granularity:
- OpenDNS Home VIP ($20/year). Very affordable, and adds the ability to white-list specific domains if they’re on the block list.
- Cisco Umbrella. For businesses and larger enterprises.
CleanBrowsing is a fairly new service, started in February 2017. It offers three easy free filtering plans and two paid plans:
- Security Filter (Free). Set your router’s DNS to 188.8.131.52 and 184.108.40.206 to block only malicious domains (phishing and malware).
- Adult Filter (Free). Set DNS to 220.127.116.11 and 18.104.22.168 to block adult domains and set search engines to safe mode (also includes the Security filter).
- Family Filter (Free). Set DNS to 22.214.171.124 and 126.96.36.199 to block access to VPN domains that could be used to bypass filters and to mixed-content sites (like Reddit), and to set YouTube to safe mode (includes the Adult and Security filters as well).
- Basic Plan ($5/month). Allows you to set up custom filtering categories and whitelist or blacklist specific domains.
- Professional ($9/month). Targets small networks (fewer than 2,000 devices; above that you can get a custom quote).
OpenDNS and CleanBrowsing Comparison
OpenDNS has been around the longest, but CleanBrowsing is leading in innovation (note that my comparison is of the free or low-priced consumer service, not the enterprise service from each provider).
OpenDNS advantages:
- The free account allows more control over specific categories.
- Blocked domains get redirected to a page saying why the page is blocked (for most people, that gives a better understanding of what’s going on than an NXDOMAIN).
- Been around longer, so it is more mature.
CleanBrowsing advantages:
- Security: supports DNSSEC (which prevents forgery of DNS results; some ISPs have been known to hijack DNS results). Also supports DNSCrypt, DNS over HTTPS, and DNS over TLS.
- Blocked domains return an NXDOMAIN (better practice than redirecting, for technical/security folks).
- Better test results on adult content filtering: blocked 100% of adult content on a porn filter test by Nykolas Z (OpenDNS blocked 89%).
- Much better test results blocking phishing sites: CleanBrowsing blocked 100% of phishing sites on 3 out of 4 tests, beating OpenDNS in every area. On the real-time test it allowed 1 out of 12 sites through, whereas OpenDNS blocked only 2 out of 12.
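As an added illustration (not code from this post or from either provider) of the two blocking behaviours contrasted above, NXDOMAIN versus a redirect to a block page, here is a small Python DNS reply classifier with the typo-squat scenario from the start of the article in mind. The two sample replies are constructed by hand, and 192.0.2.10 is a placeholder block-page address, not either provider’s real one; the domain, function names and the live query() helper are mine.

```python
import socket
import struct

def build_query(name, txid=0x1234):
    """Minimal DNS A query (RD=1) for name, in wire format."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if (n & 0xC0) == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + n

def classify(response, block_page_ips=frozenset()):
    """'nxdomain' (CleanBrowsing style), 'block_page' (OpenDNS style), 'resolved' or 'other'."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", response[:12])
    rcode = flags & 0x0F  # RCODE 3 is NXDOMAIN
    if rcode:
        return "nxdomain" if rcode == 3 else "other"
    off = 12
    for _ in range(qd):
        off = skip_name(response, off) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        off = skip_name(response, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            ips.append(socket.inet_ntoa(response[off:off + 4]))
        off += rdlen
    if any(ip in block_page_ips for ip in ips):
        return "block_page"
    return "resolved" if ips else "other"

def query(resolver_ip, name, timeout=2.0):  # live UDP query to a resolver (needs network)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver_ip, 53))
        return s.recv(512)

# Constructed replies (not captured): NXDOMAIN vs. an A record pointing at a placeholder block page.
QUESTION = build_query("blocked.example")[12:]
NXDOMAIN_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + QUESTION
BLOCK_PAGE_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION
                    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton("192.0.2.10"))
```

Pointing query() at the resolver you configured and passing the reply to classify() shows which of the two behaviours your filter uses for a domain you expect it to block; a "resolved" result with a non-placeholder IP means the domain was not filtered at all.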
Both OpenDNS and CleanBrowsing resolve DNS very quickly (probably faster than your ISP), with CleanBrowsing resolving slightly faster for me, but the two are within milliseconds of each other. I think either service is worth using.
I have made a covenant with my eyes.
How then could I look at a young woman? — Job 31:1 CSB