Blog

CleanBrowsing works at the network level, specifically via the Domain Name System (DNS).

Via DNS, we can intercept outgoing requests and make a determination if it should be accessible based on the rules created in your account.

• Do you allow social media? Should we allow Twitter?
• Do you allow adult / pornographic content? Should we allow pornhub?
• Do you block mixed conent? Should we block reddit?
• …

The power of working at the network level is it makes the service agnostic to any specific platform (e.g., Nintendo, TV, Desktop, Notebook, Linux, Mac, Windows, etc…). If a device connects to the network, it undoubtedly makes use of DNS.

The down-side of the network is we’re limited to the network, and cannot see what is happening at the device level. This will make more sense in a bit.

Public vs Private IP’s

Every network has a public and private IP. The public IP’s are issued by your Internet Service Provider (ISP), while the private IP is issued by the router on your network.

The illustration below shows you what this means:

In the illustration above we share these values for IP’s:

• Public IP: 192.190.254.34
• Public IP: 10.0.0.1, 10.0.0.2, etc…

Yes, every device has a unique IP, but that unique IP is issued by the Dynamic Host Configuration Protocol (DHCP) on your router, while the public IP is issued by the DHCP on the ISP’s router to your router.

The public IP is considered to be part of the Wide Area Network (WAN) while the private IP is part of the Local Area Network (LAN). The LAN is comprised of your desktops, notebooks, laptops, phones, printers, etc. The outside world can’t see them, hopefully, but you can from inside the network.

CleanBrowsing DNS and Public IPs

When using the free filters the toughest part of the job is updating DNS on the device. When you use our paid plans, things change. The platform doesn’t know where to apply the rules; it’s why public IP’s matter.

Every time you create a profile in your CleanBrowsing account you get issued a new set of shared DNS IP’s.

They look something like this:

• Primary DNS: 185.228.168.135
• Secondary DNS: 185.228.169.135

These IP’s are IPv4, and shared. That means other users are leveraging the same IP pair. No, this does not present a security issue. But it presents a problem in which we have to figure where to apply the rules. We do this by binding the DNS pair issued in a profile, to the public IP recorded in the account.

Building this relationship is a critical step. Without it, the system doesn’t know where to apply the rules.

In addition to the IPv4 values, we also issue IPv6 values. Because IPv6 is unique, it doesn’t require a public IP to be recorded. If you have the ability to deploy IPv6, and disable IPv4, we encourage that, but it’s highly unlikely to have a whole network that is only operating off of IPv6. It’s why this articles focuses on IPv4.

Public IP’s Can Be Dynamic

A public IP changing is the number 1 reason a service switches from “active” to “inactive”.

The big challenge with our approach is when public IP’s are updated, which happens. Because of the shortage on IPv4, public IP’s have a tendency to rotate public IP’s frequently. This is especially true on residential services, but can occur with commercial ones as well.

The two leading reasons include:

• The router is rebooted;
• The ISP dynamically does it at some set frequency (e.g., Daily, Annually, monthly);

An ISP can issue a static IP, but that might come with additional costs and has to be requested.

Another approach is to keep your public IP updated via our Dynamic Device links. We have written guides to help you in the process (Generic, Windows, Mac).

Because all devices share the same public IP on the same network, you only need to update the IP from one device and it will affect the entire network.

Alternatively, most routers employ a Dynamic Device option with a third-party (e.g., No-IP, DynDNS). We allow those services to be used in all paid accounts as well.

Public IP’s Don’t Always Matter

Public IP’s don’t always matter, and it really comes down to how CleanBrowsing is deployed on the network. Here are a few instances where the public IP no longer matters:

• The Free filters;
• DNS-over-HTTPS stamps;
• DNS-over-TLS;
• DNSCrypt;
• The iOS app;
• The android Private DNS option;
• The iOS / BigSur mobile config file;

The free filter by design applies rules to anyone that uses it, it’s why it doesn’t matter.

The other options mentioned make use of the latest in DNS encryption (e.g., DOH, DOT) to create unique stamps. These unique configurations allow us to know exactly where to apply specific rules without the public IP value.

What is my Public IP?

If you’re curious what your public IP is simply use our debugconnection.com site. It will look something like this:

---

We hope this article helps, but if you have any further questions please leave them in the comments or send them to us via email at support@cleanbrowsing.org.

Every paid dashboard offers its user the ability to easily tune a network to a desired end state. What CleanBrowsing offers is a foundation to build the desired family friendly network.

CleanBrowsing, like most other networking tunes, may require some tuning. This is especially true when it comes to apps, what one customer finds acceptable is not always what another does. To help with this, we don’t dictate what apps can be allowed, but we do provide the tools to help enforce whatever rules a user finds appropriate.

Example: Allowing and Disallowing Discord

To help illustrate what we mean, let’s look at the Discord app. This is a very popular app used to communicate by a lot of people in the gaming industry, making it extremely popular amongst kids.

For most non-technical consumers, what you see as the face of the product is discord.com. This only scratches the surface of what is really happening every time the app is used on your network.

A CleanBrowsing user might think to whitelist: discord.com but find that they are unable to access, communicate or update the app. The reason is because of the various other forms of communication the app is making.

For instance, in the instance of Discord you would have to either allow, or disallow, the following domains to ensure the app continues to function as desired:

• discord.com
• discord.gg
• discord.media
• discordapp.com
• discordapp.net

The same is true for a number of other apps. Regardless of the app, you have the ability to use the Custom Allow feature in your dashboard to add every domain associated with any app:

The easiest way to find the domains associated with a specific app, or service, is to a) contact the developer of the app or service, or b) perform a basic Google search for “[app name] domains to block on dns”.

Some of the more common apps have already been resolved, and others will require a bit more work. You also have the ability to use the Activity dashboard in your account to isolate outbound requests, or contact us at support@cleanbrowsing.org for some help.

Other known examples include:

• CBS All Access
• Facebook Messenger

One of the more common requests we get from schools is how to restrict access to approved sites only.

In essence, these schools are a) deploying devices to their students and faculty, or b) creating lap environments on their network. In each case, they don’t want to have to worry about sifting through the traffic to understand what is, and is not, being accessed.

Instead, they prefer to leverage a block all and allow few strategy.

This makes complete sense, especially for organizations with limited resources and CleanBrowsing makes it extremely easy.

Block All, Allow Few

To make this work with CleanBrowsing, you will navigate to your account dashboard and navigate to the “Custom Domain” menu option.

Once there, scroll down and you will see “Custom Allowed Domains” and “Default-Block“:

There you will select the Block Everything (All Traffic) option, and add whatever domain[s] you want to allow in the Custom Allowed Domains.

When you do this, it will look something like this:

You’ll notice that by default we add the “my.cleanbrowsing.org” domain, and whatever domain you add will be appended to the top.

Additionally, it gives you an option to disable the block if you choose.

Once this is set, the users on your network will only be able to access my.cleanbrowsing.org and perezbox.com (or whatever domains you add). It’s a very powerful feature that can be used by organizations, and individuals, of all sizes. It might take a bit to get it tuned for your users, but once it’s set it’s one less thing to worry about.

There are two ways to use the CleanBrowsing service, the Free or Paid option. A common question we get is around the difference between the two.

This article provides answers.

Free vs Paid – The Difference

The key difference between the Free and Paid plan is control and visibility.

The free service is fixed, it doesn’t allow you to tune your network to your specific needs. With the Free service, if you don’t like a categorization, you can request it be reviewed, but you are otherwise stuck with how we’ve defined the category. The paid plan allows you to tune the filters to better conform with your beliefs and network needs.

Here is a logical grouping of differentiating features that help paint a more complete picture of the differences.

Category	Free	Paid
Account	None required	Account Required
Filters	3 Available Filters	19 Available Filters
Customizations	No	Yes
Dashboard	No	Yes
Custom Block Pages	No	Yes
Custom Block Domains	No	Yes
Custom Allow Domains	No	Yes
Activity Reporting	No	Yes
Group Users (Profiles)	No	Yes
Data Retention	No	Yes

If you’d like to learn more about the CleanBrowsing dashboard, here is a short demo video to help orient you to what you can expect as a paid customer:

Hope this helps, and if you have any questions please send them to support@cleanbrowsing.org.

If your kids are into gaming like ours, then you are undoubtedly familiar with Nintendo’s Switch gaming device.  Like all the other gaming devices, this system introduces an unfettered gateway to the web. Kids can easily access all forms of content, including YouTube. Some families prefer to disable YouTube on their kids devices, and with CleanBrowsing you can do that via the paid plans.

Note: You can limit what users can do on YouTube with our Family free filter. By default it sets YouTube to moderate. Moderate mode is the less strict mode, but blocks access to videos with possible violence, sexuality or adult content. It also blocks comments. Learn More

Disable Access to YouTube via DNS

The easiest way to block access to YouTube on your kids devices is via DNS. This section assumes you have not already created a unique profile in your account.

First, log into your account, and follow these instructions:

• Navigate to Profiles
• Create a New Profile (e.g., kids)

After creating a profile you’ll see a new entry under Profiles (3), this binds your account to a new set of DNS IP’s. This is what you’re going to use in the Switch.

Specifically referring to this row:

Note: When you first create the profile the IP to the right of the DNS IP’s will be blank. If you want to see the traffic in your profile you need to bind your local IP to that DNS IP range.

To bind the IP to the DNS IP’s, navigate to Your Network in your dashboard.

Once on the Your Network page:

• Set your profile to the one you created (e.g., Kids) (2)
• Enter the IP, we show your by default (3)
• Click Add the IP to the DNS (4)

Now you want to disable YouTube for any users coming from the IP you just created and that are using the DNS IP’s assigned to the Kid profile.

You make this configuration in the Custom Domains section.

Once on the Custom Domains page:

• Set your profile (e.g., Kids) (2)
• Click the dropdown, and select your option (e.g., Blocked)

Now any device that comes from the IP you selected, using the DNS IP for the Kids profile, will have YouTube blocked.

Apply Changes to Nintendo Switch

To apply this to your Nintendo Switch navigate to the Network Settings. You do this by double tapping the System Settings on the home page:

Click on Internet

Click on Internet Settings

Select your Network (SSID)

Select Change Settings

Scroll down, click on DNS Settings, we are going to switch from “automatic” to “manual”

You will have to update the Primary and Secondary DNS. You do this by selecting each individually.

You will switch the 0.0.0.0 entries with the DNS IP’s from the Kid profile in your dashboard. The end result will look something like this:

Don’t forget to hit SAVE

Assuming everything is correct, when you open YouTube on your Switch you’ll be greeted with the following screen:

Bonus Tip: Once you have the profile configured you can add the new DNS IP to any device you want to follow the same rules. Example might be all your Kid devices, including laptops, mobile devices and desktops.

We just released an update to our Mac agent that allows you to quickly configure your local DNS resolver to the CleanBrowsing IPs. It provides the ability to bind your machines IP to your paid account. This is especially important if you want to apply rules that your machines must comply with, even if they are not on your home network.

Accounting for Dynamic IP addresses with Paid Accounts

You want to download the latest installer from here: https://cleanbrowsing.org/download/CleanBrowsing-1.0.1.dmg

Follow the installation prompts, you will be greeted with the following screen:

You can see I have the Free Family Filter enabled on my device. You will also notice a new Custom Filter option. This custom filter options allows you to bind your local IP to the DNS resolver configuration in your CleanBrowsing paid account.

When you click on Activate next to the Custom Filter you’ll be greeted with the following screen.

To enable the feature you have to request a custom code from your account dashboard. Log into your paid account here: http://my.cleanbrowsing.org

There are four steps to make this work, three are in your CleanBrowsing dashboard:

1. Navigate to Settings > Your Network
2. Enter a name for your Device (e.g., johns_macbookpro), click Add Device
3. Copy the url: https://mycleanbrowsing.org/dynip/[code]

Once you have the information, navigate back to your CleanBrowsing app and copy the new link into the input field.

Click Activate, and you should now be activated. It might ask you to allow the application to make changes, it’s ok – click “ok”.

This activation not only sets your local DNS resolver to your home / organization DNS resolver, it also create a local job that checks your IP and binds it to the DNS IP. This means you can now track all your traffic, whether you are on the network or not. This is a critical piece to ensuring that whenever the device is on the web it’s held to the same viewing standards you’ve set for your own network.

An easy way to check is to open your Network Settings and confirm the DNS IP is the same as what you see in your CleanBrowsing dashboard:

Please let us know if there are other features you’d like to see to make your network management easier.

We are excited to release a new agent for Apple Machines. This agent allows you to quickly set our Free profiles on any of your desktop / notebook devices.

You can access the agent here: https://cleanbrowsing.org/download/CleanBrowsing-1.0.0.dmg

Step 1: Download the DMG file

Clicking on the link here will automatically begin the download:

It will be downloaded to your default downloads folder (defined in your browser).

Step 2: Open DMG File

When you double click the DMG file you will see this prompt:

Step 3: Drop the App into your Applications Folder

This ensures that it’s readily available.

Step 4: Open the CleanBrowsing application

Navigate to your “Applications” folder, and double click the CleanBrowsing application

Step 5: Confirm the request to open

Because you are downloading from the web you will be asked to confirm the download. Proceed with “open”

Step 5: Configure Free Filter Profile

Now you choose one of the two available free profiles.

And that’s pretty much it.

In addition to supporting DNSCrypt on all of our free filters, we also support DNSCrypt on the custom filters that you can configure on your CleanBrowsing account.

If you don’t have a CleanBrowsing account, you can use it to gain visibility on your DNS activity and customize the type of filtering you need to have on your network:

To get started with DNSCrypt there, you first have to go to Settings->Network in your dashboard and look for the DNS Encryption subsection:

In there, you will find the SDNS stamp that you can use to connect to our DNSCrypt server via DNSCrypt-proxy, DNSCloak or any other software that supports it.

If you are using dnscrypt-proxy, you can get that SDNS stamp and paste into the static section of your configuration:

[static.’cleanbrowsingcustom']
stamp = ‘sdns://AQMAAAAAAA..…XUjykRQ2xlYW5Ccm93c2luZy5vcmc’

And change the server_names to use it:

server_names = [‘cleanbrowsingcustom’]

Our custom filters support DNSCrypt, DNS over TLS and DNS over HTTPS, so try it out when you have a chance. We offer a more complete guide for Windows and Simple DNSCrypt.