BlockMyself
Router recipes

Make the home network enforce the rule.

Router controls can add serious friction for devices on your network, especially when clients cannot choose their own DNS.

DNS enforcement OpenWrt pfSense UniFi

Router controls are powerful but limited

A router can make DNS bypass harder for devices on your home network. It cannot control mobile data, another Wi-Fi network, a hotspot, or a person who can reset the router and reclaim admin.

  1. Choose one filtering resolver or local filtering system.
  2. Set router DHCP DNS for IPv4 and IPv6.
  3. Block or redirect client DNS on TCP/UDP port 53.
  4. Block DNS-over-TLS on port 853 if it is not part of your design.
  5. Use browser policy for DNS-over-HTTPS because DoH uses normal HTTPS port 443.
  6. Apply the same rule to guest networks and VLANs.
  7. Have the trusted person hold router, ISP, mesh-app, and DNS-dashboard recovery.

Choose the resolver model

ModelUse whenTrusted-person control
Public family DNSYou want simple adult-content filtering with minimal maintenance.Trusted person controls router admin and any DNS account.
NextDNS / paid DNS dashboardYou want logs, profiles, schedules, allowlists, blocklists, and device-specific rules.Trusted person owns account, recovery, and 2FA.
AdGuard Home or Pi-holeYou want local control and can maintain a small server.Trusted person controls admin UI, server login, and blocklist changes.
pfSense / OPNsense / OpenWrtYou want firewall-grade DNS interception and VLAN-aware rules.Trusted person controls firewall admin and backups.

Generic router recipe

  1. Log into the router as administrator.
  2. Change the router admin password. Do not let the daily user know it.
  3. Set WAN or DHCP DNS to the filtering resolver.
  4. If the router has separate LAN DHCP DNS settings, set those too.
  5. Set IPv6 DNS or disable IPv6 only if you understand the tradeoff and cannot secure it.
  6. Turn off guest networks you do not use.
  7. Apply equivalent DNS rules to every guest network, VLAN, SSID, and child network.
  8. Create a firewall rule to block or redirect outbound DNS to any resolver except your chosen resolver.
  9. Block outbound TCP port 853 if you are not intentionally using DNS-over-TLS.
  10. Disable UPnP if it is not needed.
  11. Save a backup of the router configuration with the trusted person.
  12. Run the DNS section of Test your setup.

UniFi checklist

UniFi menus change across Network app versions. Use this as a checklist rather than exact button text.

  1. Open UniFi Network.
  2. Set DNS servers on the WAN/network/DHCP settings for the client network.
  3. Check whether IPv6 is enabled and set IPv6 DNS where applicable.
  4. Create traffic or firewall rules that block client DNS to external resolvers on TCP/UDP port 53, except your chosen resolver.
  5. Block TCP port 853 to prevent DNS-over-TLS unless you intentionally use it.
  6. Apply rules to each LAN, guest network, VLAN, and Wi-Fi network.
  7. Use Traffic & Firewall Rules to block known VPN, proxy, or Tor categories if the feature is available and accurate enough for your use case.
  8. Have the trusted person control the UniFi console account, local admin account, cloud account, recovery email, and backup codes.
  9. Test from a client using nslookup example.com 1.1.1.1. If it answers, DNS interception/blocking is incomplete.

OpenWrt checklist

  1. Open LuCI.
  2. Go to Network -> DHCP and DNS and set DNS forwardings or DHCP option DNS to the filtering resolver or local resolver.
  3. Go to Network -> Firewall -> Port Forwards.
  4. Add a redirect for LAN TCP/UDP port 53 to your router or local DNS server.
  5. Repeat for IPv6 where your configuration requires it.
  6. Add a traffic rule to reject outbound TCP port 853 if you are not using DNS-over-TLS.
  7. Apply the same logic to guest zones and VLANs.
  8. Keep root password and SSH keys with the trusted person if this is lockout.
  9. Back up the config and store it with the trusted person.
OpenWrt can lock you out if firewall rules are wrong. Make one change at a time and keep local admin recovery available to the trusted person.

pfSense / OPNsense checklist

  1. Enable the DNS Resolver or DNS Forwarder/Unbound path you intend to use.
  2. Configure upstream filtering DNS or resolver behavior.
  3. Create NAT port-forward rules to capture client DNS requests on TCP/UDP port 53 and send them to the firewall or local resolver.
  4. Place pass rules above block rules where required by your firewall platform.
  5. Block external client DNS where you do not redirect it.
  6. Block TCP port 853 unless you intentionally provide DNS-over-TLS through the firewall.
  7. Apply rules to every internal interface: LAN, guest, VLANs, Wi-Fi, and lab networks.
  8. Have the trusted person control admin credentials, config backups, and recovery.
  9. Test from each interface with direct DNS queries to known external resolvers.

Consumer router checklist: Eero, ASUS, TP-Link, Netgear, Google/Nest Wi-Fi, Xfinity, ISP routers

QuestionWhat to look forIf unavailable
Can I set DNS?Internet/WAN DNS, LAN DHCP DNS, or advanced network DNS.Set DNS on each device or use a more capable router.
Can I set IPv6 DNS?IPv6, DHCPv6, Router Advertisement, or advanced IPv6 DNS fields.IPv6 may bypass IPv4-only DNS filtering. Consider disabling IPv6 only if you understand the impact.
Can I block outbound port 53?Firewall, access control, parental controls, or advanced rules.Clients may manually choose another DNS resolver.
Can I block port 853?Firewall or advanced security rules.Clients may use DNS-over-TLS if apps support it.
Can I disable guest networks?Guest Wi-Fi settings and extra SSIDs.Guest traffic may bypass your main-network rules.
Who can reset the router?Physical reset button, ISP app, mesh app, admin password, cloud account.Use a trusted person and consider a router with stronger admin controls.

Pi-hole and AdGuard Home notes

  1. Install the resolver on a reliable device that stays on.
  2. Set the resolver's upstream DNS to the filtering provider or filtering rules you trust.
  3. Set router DHCP DNS to the local resolver.
  4. Block or redirect client DNS that tries to skip the local resolver.
  5. Protect the admin UI with a password the trusted person controls.
  6. Keep the server login, SSH keys, container dashboard, and update path away from the daily user if this is lockout.
  7. Use allowlists carefully. Overblocking can break school, work, banking, authentication, updates, and messaging.
  8. Back up the resolver config and blocklists.

Router and firewall references

pfSense DNS redirect recipe

Netgate documentation for redirecting client DNS requests.

OPNsense Unbound DNS

OPNsense documentation for DNS resolver behavior and enforcement notes.

OpenWrt DNS hijacking

OpenWrt guidance for intercepting DNS traffic.

UniFi Traffic & Policy Management

Ubiquiti's current policy-management documentation.

Use these when you need a checklist, a specific bypass closed, or a clearer handoff plan.

Test your setup

Browser, DNS, mobile data, recovery, and reset-path tests.

Setup recipes

Direct paths for phones, laptops, technical users, and whole-home setups.

Recovery audit

Find passwords, backup codes, router logins, and reset paths.

Browser policy

Chrome, Edge, and Firefox policy examples.

Mobile data

Close cellular, Private DNS, VPN, and hotspot gaps.

Apps and platforms

Search, YouTube, social apps, app stores, TVs, and in-app browsers.

Router recipes

DNS enforcement, guest networks, IPv6, Pi-hole, and AdGuard Home.

Urge plan

What to do before trying to bypass.

Trusted handoff worksheet

Printable inventory for passcodes, recovery paths, and refusal rules.

Glossary

Plain-language definitions for DNS, DoH, VPNs, MDM, recovery keys, and more.