The DNS Communication Hierarchy

CleanBrowsing is a DNS resolver that offers a content filtering service, which is why we describe ourselves as a DNS-based content filtering platform. But how exactly does that affect you, the user, when you change your DNS?

This article focuses on the communication hierarchy that exists, and that you should be aware of, when configuring the CleanBrowsing service. It also explains how new technologies in the space are changing how you should think about your content filtering strategy.

Router < Devices < Applications

Once upon a time, the only communication hierarchy we had to worry about was the relationship between a device and the router. In 2022 that is changing, and we have to start accounting for the new relationship that applications introduce into the equation.

In the early days, DNS was a network- or system-level control. Routers controlled the network, and devices could control themselves. That is changing, and this is the new relationship:

Priority 1, Application: browsers and mobile apps. Browsers have introduced technologies such as DoH (DNS over HTTPS) and DoQ (DNS over QUIC) that let them bypass the network's DNS configuration entirely, and mobile platforms such as iOS allow apps to define their own DNS preferences, including DoH.
Priority 2, Device: the local settings on the device itself, typically found under the network settings for a specific SSID. These can also use encrypted options such as DoT (DNS over TLS) and DoH.
Priority 3, Router: the gateway to the outside world. Routers still mostly hand out traditional IPv4 and IPv6 resolver addresses, but some are starting to implement encrypted upstream options such as DoH and DoT.

Read this list in order of priority: a setting at priority 1 takes precedence over priority 2, and priority 2 takes precedence over priority 3.

Take a concrete case. You configure the CleanBrowsing Family filter ( / .169) on the router, but a browser on the network has DNS over HTTPS enabled by default (Firefox turns it on by default in some regions). The router's DNS settings are never consulted: the browser sends its queries over HTTPS to its own provider and decides how, or whether, DNS is filtered.

The same applies to mobile devices. If the mobile OS lets an app developer choose the app's own resolver, ignoring the system and network settings, then the app can fetch whatever content it wants, unfiltered.

Rethinking Content Filtering Strategies

When thinking about your network's content filtering strategy, be sure you are accounting for this communication hierarchy within DNS.

This means that if you are managing a fleet of devices, you deploy your network controls, but you also proactively deploy device controls that take the recent changes into account. That might mean disabling encrypted DNS options in applications such as browsers, and in browser extensions (used by apps like VPNs and proxies) that carry their own resolver settings.
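As an added example of the device-level control described above (not CleanBrowsing's own tooling), the script below generates the managed browser policies that turn DNS over HTTPS off and lock it, and audits an existing policy for the weak state. It assumes a Linux fleet where Firefox reads /etc/firefox/policies/policies.json and Chrome reads JSON files under /etc/opt/chrome/policies/managed/; the same policy keys (Firefox DNSOverHTTPS, Chrome DnsOverHttpsMode) are delivered through the registry or MDM profiles on Windows and macOS. The weak policy shown is a constructed example.

```python
"""Managed browser policies that turn off DNS over HTTPS, with an audit check.

Added example, not CleanBrowsing's tooling. Assumptions: a Linux fleet where
Firefox reads /etc/firefox/policies/policies.json and Chrome reads JSON files
under /etc/opt/chrome/policies/managed/.
"""
import json
import tempfile
from pathlib import Path
from typing import Dict, List

FIREFOX_POLICY_PATH = "/etc/firefox/policies/policies.json"
CHROME_POLICY_PATH = "/etc/opt/chrome/policies/managed/dns.json"


def firefox_policy() -> Dict:
    """Firefox: DoH off, and Locked so the user cannot re-enable it in Settings."""
    return {"policies": {"DNSOverHTTPS": {"Enabled": False, "Locked": True}}}


def chrome_policy() -> Dict:
    """Chrome/Chromium: DnsOverHttpsMode accepts "off", "automatic" or "secure"."""
    return {"DnsOverHttpsMode": "off"}


# Constructed example of the weak state: a deployed policy that merely points
# Firefox at a provider and leaves DoH enabled and unlocked.
WEAK_FIREFOX_POLICY = {
    "policies": {
        "DNSOverHTTPS": {
            "Enabled": True,
            "ProviderURL": "https://mozilla.cloudflare-dns.com/dns-query",
        }
    }
}


def audit_firefox(policy: Dict) -> List[str]:
    """Findings for a Firefox policies.json; an empty list means DoH is off and locked."""
    doh = policy.get("policies", {}).get("DNSOverHTTPS")
    if doh is None:
        return ["DNSOverHTTPS policy absent: Firefox's own default applies, which may be DoH on"]
    findings = []
    if doh.get("Enabled") is not False:
        findings.append("DNSOverHTTPS.Enabled is not false")
    if doh.get("Locked") is not True:
        findings.append("DNSOverHTTPS.Locked is not true: the user can re-enable DoH")
    return findings


def audit_chrome(policy: Dict) -> List[str]:
    """Findings for a Chrome managed policy; an empty list means Secure DNS is off."""
    mode = policy.get("DnsOverHttpsMode")
    if mode is None:
        return ["DnsOverHttpsMode absent: Chrome's default 'automatic' mode upgrades to DoH "
                "when the system resolver is on its built-in provider list"]
    if mode != "off":
        return ["DnsOverHttpsMode is %r, not 'off'" % mode]
    return []


def write_policies(root=None) -> Dict[str, Dict]:
    """Write both policy files under `root` ("/" for a real deploy; None writes to a
    temporary directory so the output can be previewed). Returns {path: policy read back}."""
    if root is None:
        root = tempfile.mkdtemp(prefix="dns-policy-")
    written = {}
    for rel, policy in ((FIREFOX_POLICY_PATH, firefox_policy()),
                        (CHROME_POLICY_PATH, chrome_policy())):
        dest = Path(root) / rel.lstrip("/")
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_text(json.dumps(policy, indent=2) + "\n")
        written[str(dest)] = json.loads(dest.read_text())
    return written


if __name__ == "__main__":
    for path, policy in write_policies().items():
        print(path, json.dumps(policy))
    print("weak Firefox policy findings:", audit_firefox(WEAK_FIREFOX_POLICY))
```

Run it with no arguments to preview the files in a temporary directory, then call write_policies("/") from your configuration management. Firefox also honors a network-side signal: if the resolver it receives from DHCP answers NXDOMAIN for the canary domain use-application-dns.net, Firefox will not switch DoH on automatically. A user who enabled DoH by hand is not affected by the canary, which is why the Locked policy is still needed on devices you manage.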

Mobile apps are harder to control. On devices you own, the best recourse is to restrict proactively what a user is able to do on the device. Devices you don't own are harder still, and in some cases there is no remediation at all.

If you're using the CleanBrowsing paid options, we block known DoH services via the Proxy filter. You can target DoT specifically at your router by blocking outbound port 853 on the network (TCP 853 is DoT; DoQ uses UDP 853, so block both). Note that a port rule does nothing against DoH, which rides on port 443 alongside ordinary HTTPS traffic; that is why a list of known DoH endpoints is needed as well.
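The example below, added here and not CleanBrowsing code, ties the hierarchy (router, device, application) to the controls just described. It takes constructed flow records from one LAN host in a simplified NetFlow/Zeek-like shape (timestamp, source, destination, transport, destination port, TLS SNI or "-") and reports which layer each DNS flow came from and whether a port 853 block or a known-DoH-endpoint block would have caught it. ROUTER_IP and the DoH endpoint sets are assumptions; the endpoint list is a small sample, not a complete blocklist.

```python
"""Classify outbound DNS traffic by the layer of the hierarchy that produced it.

Added example, not CleanBrowsing code. Flow records are constructed; ROUTER_IP
and the DoH endpoint sets are assumptions (a small sample, not a full blocklist).
"""
from dataclasses import dataclass
from typing import List, Tuple

ROUTER_IP = "192.168.1.1"  # assumed LAN gateway that forwards to the filtering resolver

# Assumed sample of public DoH endpoints, matched on TLS SNI or destination IP.
DOH_HOSTS = {"mozilla.cloudflare-dns.com", "cloudflare-dns.com", "dns.google", "dns.quad9.net"}
DOH_IPS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}

# Constructed flows from one LAN host, one line per connection.
SAMPLE_FLOWS = """\
2022-03-01T10:00:01 10.0.0.12 192.168.1.1   udp 53  -
2022-03-01T10:00:02 10.0.0.12 1.1.1.1       tcp 853 -
2022-03-01T10:00:03 10.0.0.12 203.0.113.10  tcp 443 mozilla.cloudflare-dns.com
2022-03-01T10:00:04 10.0.0.12 8.8.8.8       tcp 443 dns.google
2022-03-01T10:00:05 10.0.0.12 9.9.9.9       udp 853 -
2022-03-01T10:00:06 10.0.0.12 8.8.4.4       udp 53  -
2022-03-01T10:00:07 10.0.0.12 198.51.100.7  tcp 443 example.com
"""


@dataclass
class Flow:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    sni: str = ""   # TLS server name when observed, else ""


def parse_flows(text: str) -> List[Flow]:
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, proto, dport, sni = line.split()
        flows.append(Flow(src, dst, proto, int(dport), "" if sni == "-" else sni))
    return flows


def classify(flow: Flow, router_ip: str = ROUTER_IP) -> Tuple[str, str, str]:
    """Return (layer, protocol, outcome) for one flow under the controls in the text:
    the router-provided resolver, a port 853 block, and a known-DoH-endpoint block."""
    if flow.dport == 53:
        if flow.dst == router_ip:
            return ("router", "Do53", "allowed: filtered by the router's resolver")
        # A device-level resolver override on plain port 53: neither block above
        # stops it, so it needs a port-53 egress rule (or a redirect) as well.
        return ("device", "Do53", "bypass: not covered, add a port-53 egress rule")
    if flow.dport == 853:
        proto = "DoT" if flow.proto == "tcp" else "DoQ"   # DoT is TCP 853, DoQ is UDP 853
        return ("device/application", proto, "blocked: port 853 rule")
    if flow.dport == 443 and (flow.sni in DOH_HOSTS or flow.dst in DOH_IPS):
        # Same port as ordinary HTTPS, so only the endpoint list distinguishes it.
        return ("application", "DoH", "blocked: known DoH endpoint list")
    return ("n/a", "not DNS", "allowed")


def report(text: str) -> List[Tuple[str, str, str, str]]:
    """(dst, layer, protocol, outcome) for every flow in the log."""
    return [(f.dst,) + classify(f) for f in parse_flows(text)]


def uncovered(text: str) -> List[str]:
    """Destinations of DNS flows that neither the router nor the two blocks handle."""
    return [dst for dst, _layer, _proto, outcome in report(text) if outcome.startswith("bypass")]


if __name__ == "__main__":
    for row in report(SAMPLE_FLOWS):
        print("%-16s %-19s %-8s %s" % row)
    print("uncovered:", uncovered(SAMPLE_FLOWS))
```

The one flow the described controls miss is the plain port 53 query sent straight to a public resolver, which is a device-level override rather than an application one; a port-53 egress rule on the router closes that gap. The DoH flows are only recognisable because the endpoint is known, which is the whole reason the page's Proxy filter keeps a list of DoH services.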
