BlockMyself
Mobile data

Do not forget cellular data and hotspots.

A router block can work perfectly at home and still fail the moment Wi-Fi is turned off.

Cellular Hotspots Private DNS

Router filters do not cover cellular data

A home DNS or router setup applies only while the device uses that network. Phones and tablets need their own controls for cellular data, hotspots, VPNs, and app installs.

  1. Test the device on Wi-Fi.
  2. Turn Wi-Fi off.
  3. Test again on mobile data.
  4. Try installing a VPN, proxy browser, alternate browser, and alternate app store.
  5. Try enabling hotspot or joining another hotspot if that is available to you.
  6. Move carrier, app-store, and account recovery controls to the trusted person where practical.

iPhone and iPad mobile-data hardening

  1. Finish the iPhone/iPad steps in Guardrails.
  2. Open Settings -> Screen Time -> Content & Privacy Restrictions.
  3. Block Installing Apps and Deleting Apps if app changes are a bypass.
  4. Set Account Changes and Passcode Changes to Don't Allow where available.
  5. Set Cellular Data Changes to Don't Allow where available.
  6. Remove VPN, proxy, alternate browser, and hotspot-helper apps you do not need.
  7. Check Settings -> General -> VPN & Device Management for VPN or DNS profiles.
  8. Use a DNS profile or supervised/MDM profile only if the trusted person controls the removal path.
  9. Have the trusted person control the Screen Time passcode and Apple Account recovery path.
  10. Test Safari, remaining browsers, in-app browsers, Wi-Fi, mobile data, and Personal Hotspot.

Check iCloud Private Relay and Limit IP Address Tracking

Apple network privacy features can change what network filters see. Check both global iCloud settings and each Wi-Fi or cellular network you use.

  1. Open Settings.
  2. Tap your name, then tap iCloud.
  3. Check whether Private Relay is on.
  4. For Wi-Fi, open Settings -> Wi-Fi, tap the info button next to the network, then check Limit IP Address Tracking.
  5. For cellular, open Settings -> Cellular, select the line or Cellular Data Options, then check Limit IP Address Tracking.
  6. If Private Relay bypasses your filter, turn it off for that network or use a supervised/MDM setup controlled by the trusted person.
  7. Test Safari on Wi-Fi and on cellular data after the change.
Private Relay mostly affects Safari and Apple network privacy behavior. Still test every remaining browser, in-app browser, DNS profile, VPN profile, and cellular path.

Apple Private Relay network guidance

Android mobile-data hardening

  1. Finish the Android steps in Guardrails.
  2. Use Family Link app approval for new installs.
  3. Remove extra browsers, VPNs, proxy apps, alternate app stores, and remote desktop apps.
  4. Open Settings -> Network & internet -> Private DNS and set a family-safe hostname if that fits your filtering provider.
  5. On Samsung, check Connections -> More connection settings -> Private DNS.
  6. Turn off developer options if they are enabled.
  7. If the device is rooted or has an unlocked bootloader, treat local controls as weak and rely more on trusted-person/account control.
  8. Have the trusted person control the Family Link parent account and recovery path.
  9. Test Chrome, remaining browsers, YouTube, Google Search, Wi-Fi, mobile data, and hotspot.

Hotspots and second networks

Ways people bypass router rules

  • Turn off Wi-Fi and use cellular data.
  • Use another phone's hotspot.
  • Join a neighbor, workplace, school, public, or guest network.
  • Use a travel router or USB tether.
  • Use a VPN that hides DNS and traffic from the home router.

How to reduce the gap

  • Use device-level controls, not router-only controls.
  • Block new app installs and VPN/profile changes.
  • Have the trusted person control carrier account settings if practical.
  • Remove saved Wi-Fi networks that are bypass paths.
  • Test with Wi-Fi off, not only on your home network.

Carrier and account-level considerations

Carrier tools vary and change often. Treat them as an extra layer, not the only layer.

  1. Check whether your carrier offers account-level content filtering, line restrictions, hotspot restrictions, or parental controls.
  2. Have the trusted person own or help secure the carrier account login if carrier settings matter.
  3. Disable hotspot or tethering if that is a bypass and your plan/device supports controlling it.
  4. Confirm whether the carrier setting applies to cellular data only, Wi-Fi only, or both.
  5. Retest after SIM changes, eSIM changes, phone upgrades, and plan changes.

Mobile-data test

  1. Open the blocked test domain on home Wi-Fi.
  2. Turn Wi-Fi off.
  3. Open the same test domain on cellular data.
  4. Try the same test in every remaining browser and in-app browser.
  5. Try to install a new browser or VPN. Stop at the approval prompt.
  6. Record what failed and fix that exact layer.

Use these when you need a checklist, a specific bypass closed, or a clearer handoff plan.

Test your setup

Browser, DNS, mobile data, recovery, and reset-path tests.

Setup recipes

Direct paths for phones, laptops, technical users, and whole-home setups.

Recovery audit

Find passwords, backup codes, router logins, and reset paths.

Browser policy

Chrome, Edge, and Firefox policy examples.

Mobile data

Close cellular, Private DNS, VPN, and hotspot gaps.

Apps and platforms

Search, YouTube, social apps, app stores, TVs, and in-app browsers.

Router recipes

DNS enforcement, guest networks, IPv6, Pi-hole, and AdGuard Home.

Urge plan

What to do before trying to bypass.

Trusted handoff worksheet

Printable inventory for passcodes, recovery paths, and refusal rules.

Glossary

Plain-language definitions for DNS, DoH, VPNs, MDM, recovery keys, and more.