Mobile Guardian provides DNS-layer content filtering as a network-level approach to blocking inappropriate or harmful content. Unlike browser-level filtering which inspects URLs within the Mobile Guardian app or browser extension, DNS-layer filtering intercepts domain name requests before a connection is established. If a domain is categorised as blocked, the device never connects to it, regardless of which app or browser is making the request.
DNS-layer filtering works across all platforms (iOS/iPadOS, macOS, Android, Windows, and ChromeOS) and provides protection even when traffic does not pass through the Mobile Guardian browser or extension.
What You Will Learn
- How DNS-layer filtering differs from browser-level and keyword filtering
- How to enable and configure DNS-layer filtering in a profile
- How to manage category-based blocking at the DNS level
- How to use Allowed Lists and Blocklists alongside DNS filtering
Prerequisites
- Devices enrolled in Mobile Guardian
- Admin access to the Mobile Guardian Dashboard
- A profile (Baseline or Conditional) assigned to your devices
How DNS-Layer Filtering Differs from Other Filtering Methods
Mobile Guardian offers multiple layers of content filtering. Each operates at a different point in the connection process:
| Filtering Layer | How It Works | Scope | Best For |
| DNS-layer filtering | Blocks domains at the network request level before a connection is established | All apps, all browsers, all traffic on the device | Broad protection across all applications, including non-browser apps |
| Web filter (browser-level) | Inspects URLs within the Mobile Guardian Safe Browser or browser extension | Mobile Guardian browser and supported browsers with the extension installed | Granular URL-level control, keyword filtering, page content analysis |
| Keyword filter | Scans page content for flagged words and phrases | Mobile Guardian browser and supported browsers | Blocking pages based on content rather than domain |
| YouTube filter | Category, channel, and video-level blocking within YouTube | YouTube content accessed through Mobile Guardian | Fine-grained YouTube content control |
DNS-layer filtering and browser-level filtering work together. DNS filtering provides the first line of defence across all device traffic, while browser-level filtering adds deeper inspection within supported browsers.
Note: DNS-layer filtering operates at the domain level, not the URL level. It can block example.com entirely but cannot block a specific page like example.com/specific-page. For page-level control, use the web filter (browser-level) Allowed List and Blocklist within your profile’s Safe Content settings.
Enabling DNS-Layer Filtering
Step 1: Navigate to Profile Settings
- Log in to your Mobile Guardian Dashboard.
- Navigate to Profiles: Click on “Profiles” in the left-hand navigation panel.
- Edit the profile: Click the pencil icon under the “Actions” column for the Baseline or Conditional profile you want to configure.
Step 2: Open Safe Content Settings
- Click on “Safe Content” in the profile configuration options.
- Click on the “DNS Filter” tab.
Step 3: Enable DNS Filtering
- Tick the “Enable DNS Filter” checkbox.
- The category selection panel will appear, showing available content categories for blocking.
Configuring Category-Based Blocking
DNS-layer filtering uses content categories to determine which domains are blocked. Categories are maintained and updated automatically based on domain classification databases.
Selecting Categories to Block
- Under the DNS Filter tab, review the available categories.
- Tick the checkbox next to each category you want to block. Common categories for education environments include:
| Category | Description |
| Adult Content | Pornography, explicit material, adult services |
| Gambling | Online gambling, betting, lotteries |
| Violence and Weapons | Graphic violence, weapons sales, extremist content |
| Drugs and Alcohol | Drug culture, substance sales, alcohol promotion |
| Social Media | Social networking platforms (Facebook, Instagram, TikTok, etc.) |
| Gaming | Online games, game downloads, game streaming |
| Malware and Phishing | Known malicious domains, phishing sites, command-and-control servers |
| Proxy and VPN | Anonymising services, web proxies, VPN providers |
| Streaming Media | Video and audio streaming services |
| File Sharing | Peer-to-peer networks, torrent sites, file hosting |
- Click “Save” to apply your category selections.
Note: Blocking the Proxy and VPN category is recommended for education environments. This prevents students from using proxy services to bypass other filtering layers.
Selecting All Categories
To apply a strict filtering posture, click “Select All” to block all available categories. You can then use the Allowed List to permit specific domains that are required for learning.
Managing Allowed Lists and Blocklists
DNS-layer filtering supports domain-level Allowed Lists and Blocklists that override category decisions.
Adding Domains to the Allowed List
If a domain is blocked by a category but is required for educational purposes (e.g. a streaming platform used for classroom content):
- Under the DNS Filter tab, click on “Allowed List”.
- Enter the domain name (e.g. classroom.google.com or khanacademy.org).
- Click “Add”.
- Click “Save”.
The domain will be permitted regardless of its category classification.
Adding Domains to the Blocklist
If a specific domain should be blocked regardless of its category (e.g. a gaming site not yet categorised):
- Under the DNS Filter tab, click on “Blocklist”.
- Enter the domain name.
- Click “Add”.
- Click “Save”.
The domain will be blocked regardless of its category classification.
Note: The Allowed List takes precedence over both the Blocklist and category blocks. If a domain appears on both lists, it will be allowed.
Platform-Specific Behaviour
DNS-layer filtering is applied consistently across platforms, but the enforcement mechanism differs by operating system.
| Platform | Enforcement Method | Coverage |
| iOS/iPadOS | DNS configuration profile payload pushed via MDM | All apps and browsers on the device |
| macOS | DNS configuration profile payload pushed via MDM | All apps and browsers on the device |
| Android | Private DNS or DNS configuration via Android Enterprise managed settings | All apps and browsers within the managed profile |
| Windows | DNS settings pushed via Mobile Guardian’s Intune integration | All apps and browsers on the device |
| ChromeOS | DNS settings configured via Google Admin console integration | All apps and browsers on the device |
Android-Specific Notes
- On Android devices enrolled with a work profile only (BYOD), DNS filtering applies within the work profile. Personal profile traffic may not be filtered unless the device is fully managed.
- On fully managed (school-owned) Android devices, DNS filtering applies to all traffic on the device.
ChromeOS-Specific Notes
- ChromeOS DNS settings can also be configured at the network level in the Google Admin console. If your school uses Google Admin for network configuration, ensure DNS settings do not conflict with the Mobile Guardian DNS filter.
How DNS Filtering Interacts with Other Profile Settings
DNS-layer filtering works alongside other Safe Content settings in the same profile:
- DNS filter checks first: When a device requests a domain, the DNS filter evaluates it against categories and lists.
- If allowed at DNS level: The connection proceeds and browser-level filters (web filter, keyword filter) inspect the content within supported browsers.
- If blocked at DNS level: The connection is refused before any content loads. The user sees a block page or connection error.
This layered approach means that even if a domain passes the DNS filter, it can still be blocked by the browser-level web filter based on URL path, keywords, or content analysis.
Verifying DNS Filtering Is Active
From the Mobile Guardian Dashboard
- Navigate to “Devices” > “All Devices”.
- Select a device to open the device details.
- Confirm the profile with DNS filtering enabled is assigned and active.
From the Device
- On the device, attempt to visit a domain in a category you have blocked (e.g. a known gambling site).
- The connection should fail or display a block notification, confirming DNS filtering is active.
From Web Filter Reports
- Navigate to “Reports” in the left-hand navigation panel.
- Select “Web Filter Reports”.
- Filter by Status: Blocked.
- DNS-blocked requests will appear in the report with the relevant category noted.
Troubleshooting
| Issue | Likely Cause | Resolution |
| Blocked sites still accessible | DNS filter not enabled in the active profile | Verify the DNS Filter checkbox is ticked and the profile is assigned to the device |
| Educational site incorrectly blocked | Domain categorised under a blocked category | Add the domain to the DNS filter Allowed List |
| DNS filter active but some apps bypass it | Device using a VPN or custom DNS settings | Block the Proxy and VPN category, and ensure device restrictions prevent manual DNS changes |
| Android personal profile traffic not filtered | Device enrolled as work profile only (BYOD) | Expected behaviour. DNS filtering on BYOD devices only covers the managed profile. For full coverage, use fully managed enrolment |
| ChromeOS DNS settings conflicting | Google Admin console DNS configuration overriding MG settings | Coordinate with your Google Workspace admin to align DNS settings |
| Block page not displaying (connection just times out) | Normal DNS blocking behaviour on some platforms | DNS blocks refuse the connection at the network level. Not all platforms display a custom block page for DNS-level blocks |
Best Practices
- Enable DNS-layer filtering on your Baseline profile to ensure all devices have a minimum level of protection at all times, regardless of which Conditional profile is active.
- Block the Malware and Phishing and Proxy and VPN categories at a minimum, even if your school takes a permissive approach to other categories. These protect device security and prevent filter bypass.
- Use the Allowed List rather than unblocking entire categories when a single domain within a category is needed. For example, allow vimeo.com specifically rather than unblocking the entire Streaming Media category.
- Combine DNS filtering with browser-level web filtering for comprehensive coverage. DNS filtering catches traffic from all apps; browser-level filtering adds URL-path and content inspection within browsers.
- Review Web Filter Reports weekly to identify domains that are being blocked frequently. Repeated blocks on educational domains indicate an Allowed List entry is needed.
- When setting up Conditional profiles (e.g. a less restrictive after-school profile), consider whether DNS categories should change between profiles or remain consistent. Core safety categories (Adult Content, Malware, Violence) should typically remain blocked in all profiles.
Please let us know if you found this helpful! Thanks for reading! 🙂