How to use this glossary
You do not need to master every technical term before starting. Use the definitions to decide which layer applies to your setup, then return to the guide you were following.
- If a term describes a network path, check Friction, Routers, and Mobile data.
- If a term describes an app or browser path, check Browser policy and Apps and platforms.
- If a term describes passwords, recovery, admin, or reset paths, check Recovery audit and Trusted person.
Terms
| Term | Plain meaning | Why it matters |
|---|---|---|
| DNS | The lookup system that turns a site name into an internet address. | Filtered DNS can block categories before the browser connects. |
| Filtered DNS | A DNS resolver that refuses to resolve blocked categories or domains. | Useful as a broad layer, but bypassable if the device can choose another resolver. |
| DNS-over-HTTPS / DoH | DNS lookups sent inside normal encrypted web traffic. | Can bypass router DNS rules unless browser policy or device management controls it. |
| DNS-over-TLS / DoT | Encrypted DNS usually sent on TCP port 853. | Can bypass ordinary DNS controls unless the router blocks or redirects it. |
| Private DNS | Android's setting for DNS-over-TLS to a chosen provider hostname. | Can help cover Wi-Fi and mobile data, but must be protected from changes. |
| iCloud Private Relay | Apple privacy feature that hides some browsing/network information through relays. | Can change what network filters see, especially for Safari and Apple privacy paths. |
| VPN | An encrypted tunnel to another network or provider. | Often bypasses DNS, router logs, and local network filtering. |
| Proxy | A service or extension that fetches sites on your behalf. | May hide the final site from the browser, DNS filter, or router. |
| Router | The device that connects your home network to the internet. | Good place for whole-home filtering, but it does not control mobile data or other networks. |
| IPv4 / IPv6 | Two address systems used by internet devices. | If IPv6 DNS is unfiltered, devices may bypass an IPv4-only setup. |
| Admin account | An account that can install software and change system settings. | The daily user should usually be standard, not admin, when lockout matters. |
| Standard account | A limited account that cannot change major system settings without admin approval. | Reduces casual bypasses through installs, DNS changes, and policy edits. |
| Root / sudo | Linux/macOS ways to run commands with full system control. | Anyone with root or sudo can usually undo local blocking. |
| MDM | Mobile Device Management: a system for enforcing settings on devices. | Can make settings harder to remove, especially on supervised Apple or managed ChromeOS devices. |
| Supervised device | An Apple device enrolled in a stronger management state. | Allows stricter controls than a normal personal device, but setup and ownership matter. |
| Configuration profile | A file that installs settings such as DNS, VPN, certificates, or restrictions. | Useful only if the daily user cannot simply remove it. |
| Recovery key | A code or key used to regain access to an encrypted device or account. | If you hold it, you may still be able to regain control alone. |
| Allowlist | A rule that allows only approved sites, apps, or actions. | Stronger than trying to block every bad site, but more restrictive. |
| Blocklist | A list of denied sites, apps, domains, or categories. | Easier to start with, but misses new domains, mirrors, and broad-purpose platforms. |
| Factory reset | Resetting a device back to setup state. | Can remove local controls unless account recovery, activation locks, or management still apply. |
| External boot | Starting a computer from USB or another disk. | Can bypass or alter the installed operating system if firmware and disk encryption are weak. |
| In-app browser | A browser window inside another app. | May not follow the same controls as Safari, Chrome, Edge, or Firefox. |
| Remote desktop | Using one device to control or view another device. | Can bypass local controls if the remote computer is unrestricted. |
Four bypass buckets
Network path
DNS, VPN, proxy, Private Relay, hotspots, mobile data, guest Wi-Fi.
Browser/app path
Alternate browsers, in-app browsers, extensions, stores, side-loading.
Admin path
Admin, root, sudo, owner, MDM, router, package managers.
Recovery path
Backup codes, email, phone, recovery keys, password managers, reset buttons.
More guides
Use these when you need a checklist, a specific bypass closed, or a clearer handoff plan.
Test your setup
Browser, DNS, mobile data, recovery, and reset-path tests.
Setup recipes
Direct paths for phones, laptops, technical users, and whole-home setups.
Recovery audit
Find passwords, backup codes, router logins, and reset paths.
Browser policy
Chrome, Edge, and Firefox policy examples.
Mobile data
Close cellular, Private DNS, VPN, and hotspot gaps.
Apps and platforms
Search, YouTube, social apps, app stores, TVs, and in-app browsers.
Router recipes
DNS enforcement, guest networks, IPv6, Pi-hole, and AdGuard Home.
Urge plan
What to do before trying to bypass.
Trusted handoff worksheet
Printable inventory for passcodes, recovery paths, and refusal rules.
Glossary
Plain-language definitions for DNS, DoH, VPNs, MDM, recovery keys, and more.