The one router setting I change every time I set up a new network


Most of the time when you set up a router, the process only involves setting up a Wi-Fi name and password. If you stop there, you’re missing out.

Applying a DNS filter can provide an incredible level of control—and protection—for your network that you wouldn’t have otherwise. There are dozens of different DNS servers and ways you can set up a DNS filter, but there are three I use regularly.

The first thing I change is my DNS settings

DNS filtering is a great way to improve your network


Whenever I set up a new router, there are a few basic things I always do:

  • Add your own secure administrative password
  • Set the name and password for the Wi-Fi
  • Update the firmware

However, above and beyond the basics, there is something else I do: tweak the DNS settings. By changing your DNS server, you can enable DNS filtering.

DNS filtering is one of the easiest ways to add a layer of protection across your entire network without needing to install software on every single device. A DNS filter can block ads, trackers, phishing sites, some cryptominers, and even some malware.


How does DNS filtering work?

A DNS server is what translates a website name you type into your browser into the IP address computers use to communicate over the internet. When you use DNS filtering, the computer running the filter checks the domain against a blocklist. If the site is allowed, it loads normally; if it’s on the blocklist, the filter prevents your device from connecting.

By applying a filter at the router level, you apply those rules to every device on the network. This is especially useful for protecting less secure “smart” devices such as smart TVs, gaming consoles, and the ever-increasing number of IoT gadgets.

While DNS filtering is a useful layer in your protection plan, it isn’t a comprehensive security solution, or even the best security approach in isolation. Don’t assume it keeps you completely safe.
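The per-query decision described in this section, as an added example (not code from Pi-hole, AdGuard Home or any service named in this article): it parses a constructed hosts-format blocklist and lets the most specific matching entry decide. Matching parent domains and the allowlist override are design choices of this sketch, and `upstream` is a hypothetical stand-in for the real resolver.

```python
# Constructed sample data: a small blocklist in hosts format plus a bare domain.
SAMPLE_BLOCKLIST = """\
# comment lines and inline comments are ignored
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org   # inline comment
127.0.0.1 localhost
malware-c2.example
"""
SINKHOLE = "0.0.0.0"  # unroutable answer handed back for blocked names


def normalize(name):
    """Lower-case and drop the trailing root dot so names compare equal."""
    return name.strip().lower().rstrip(".")


def parse_blocklist(text):
    """Accept 'IP domain' hosts lines and bare-domain lines."""
    blocked = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields and normalize(fields[-1]) != "localhost":
            blocked.add(normalize(fields[-1]))
    return blocked


def candidates(name):
    """'a.b.example.net' -> itself, then each parent, most specific first."""
    labels = normalize(name).split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def verdict(name, blocked, allowed=frozenset()):
    """The most specific list entry decides; unlisted names are allowed."""
    for domain in candidates(name):
        if domain in allowed:
            return "allow"
        if domain in blocked:
            return "block"
    return "allow"


def answer(name, blocked, allowed, upstream):
    """`upstream` is any callable that maps a name to an IP (hypothetical)."""
    if verdict(name, blocked, allowed) == "block":
        return SINKHOLE
    return upstream(normalize(name))
```

Because matching works on whole labels, `notads.example.net` is not caught by an entry for `ads.example.net`, while `cdn.ads.example.net` is.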

Set up a Pi-hole or AdGuard Home

Local malware protection and adblocking

If you like to tinker or want total control over your DNS filter, I’d recommend using something like a Pi-hole or AdGuard Home.

They act as a local DNS filter instead of relying on third-party services.

I run my Pi-hole on a Pi Zero 2W, but you could install the software on a Raspberry Pi, a mini PC, or within a Docker container on a NAS. Fortunately, DNS filtering doesn’t require much processing power, so it can run on almost anything. The important things to consider are power draw and stability—your DNS filter needs to run 24/7 for years. Don’t pick an old power-hungry PC that is prone to crashing.

You’ll also need to assign your Pi-hole (or other local DNS filter) a static IP address in your router’s settings to ensure it doesn’t get reassigned automatically. If that were to happen, your router would be looking for a DNS filter where there isn’t one.

The results are well worth the time it takes to set up. It is customizable, private, secure, and doesn’t require a subscription of any kind.

Use Cloudflare’s special DNS servers

1.1.1.2 and 1.1.1.3 offer extra protection


If you don’t want to set up your own local DNS filter, and you don’t need fine control over the filters, then Cloudflare is a good option. You don’t need an account or any extra hardware; all you need to do is change a few numbers in your router settings. If you want to block malware, use 1.1.1.2 (1.0.0.2 as the secondary). If you want to block both malware and adult content, use 1.1.1.3 (1.0.0.3 as the secondary).

To change it, open your router’s settings using the app or by typing 192.168.0.1 or 10.0.0.1 in your browser’s address bar. From there, look around until you find the DNS settings and replace your ISP’s servers with Cloudflare’s addresses, then save and reboot.



Cloudflare is a very convenient option. The trade-off is that you get no customization or control. You can’t create per-device profiles or add your own blocklists; you are simply relying on Cloudflare’s definitions of what should be blocked.

If you want, you can always manually set the DNS server on each device rather than your router, but you lose the benefit of a network-wide approach.

NextDNS offers granular control

Fine-tune your DNS filters without running a Pi-hole


NextDNS is a great choice if you want something easier to set up and use than a Pi-hole but with greater flexibility than Cloudflare. It provides cloud-based DNS filtering with however much manual control you want. You can create custom profiles, privacy blocklists, parental controls, and get detailed analytics without needing to set up and run a Raspberry Pi.

You can also configure individual phones or laptops so specific filters are always enabled on that device, even when you leave your local network.

It’s a good middle ground for anyone who wants custom rules without the setup required for self-hosting. The only slight downside is cost. NextDNS gives you 300,000 filtered queries (which may be enough for one person with light to moderate internet use) per month. After that, it costs $2 per month to continue using the filter, though the regular DNS server is free to use.

Considering what you get compared to the cost of self-hosting hardware, it is a very reasonable price.


A DNS filter isn’t everything

Changing your DNS is one of the fastest, easiest ways to improve the security and usability of your network.

If you aren’t sure where to start, I’d recommend beginning with something simple like Cloudflare. If you find yourself wanting more control, switch to NextDNS or pick up a Raspberry Pi Zero 2W for an inexpensive Pi-hole.

It is important to remember that while DNS filtering is a helpful security layer, it isn’t magic. New malicious domains pop up all the time, and novel exploits are discovered regularly. Your DNS filter can’t protect you from those.

To properly secure your network, you should use a DNS filter, ensure you download firmware updates, use the best Wi-Fi encryption standard your router supports, and create unique passwords for both your Wi-Fi and your administrative panel.


