Filtered DNS is one of the best free moves in blocking: point a device at a family resolver and thousands of adult domains stop resolving across every browser and app at once. It has one fatal weakness as a standalone fix, the setting belongs to you, and a setting you can change is a setting you will change at 1 a.m. So the real task is not choosing a DNS, it is pinning it, removing the toggle rather than trusting yourself not to flip it. TKO’T does this by enforcing DNS at the system level so the dial is gone, free, and the same principle applies device by device below. Defense-only: this locks the door, it does not teach the bypass.
Pin it on each device
iPhone. The strong move is a locked configuration profile, the same system-level mechanism the iPhone setup uses, which can set the DNS and resist casual change; Apple documents how configuration-profile enforcement holds managed settings in place. Pair it with a Screen Time passcode held by someone else so network settings cannot simply be reset, and the resolver stays put even on a kid’s phone.
Mac and Windows. Changing DNS or swapping a network adapter is an admin action, so the non-admin daily account does the heavy lifting here too: a standard user cannot edit network settings or add a new adapter to route around the filter. This is the same single move that closes most computer kill switches, doing one more job.
The router. Setting filtered DNS on the router covers every device on the network in one place, but it dies the night you log into the admin page and change it back. Hand the router admin password to someone you trust, store it sealed, and the network default becomes something you cannot quietly undo. Treat the router as a strong layer, never the only one, because cellular data walks straight around it.
The encrypted-DNS gap nobody mentions
Here is the layer most guides miss, and it quietly defeats all of the above: modern browsers can run their own DNS over HTTPS, sending lookups to a resolver of the browser’s choosing through an encrypted channel that ignores your system DNS entirely. You can pin the system resolver perfectly and a browser with DoH on will still sail past it. So closing this is not optional:
- In each browser’s settings, turn secure DNS off or point it at your filtering resolver, then lock that with a non-admin account so it cannot be flipped back.
- On managed devices, a profile or policy can disable browser DoH centrally.
- And the catch-all: a screen-level blocker judges what renders no matter which resolver answered the lookup, which is why DNS pinning and screen detection belong together. DNS is the cheap bulk filter; the screen layer is the backstop for the requests that found another path.
Why pinning beats willpower
The whole point is the same arithmetic as every other lock here: a DNS change you can make in fifteen seconds loses to an urge, and a DNS change that requires an admin password you do not hold, a profile you cannot remove, or a router login you gave away, takes longer than the urge lasts. That is the commitment-device move applied to a network setting, your clear-headed self pins the resolver so your weak-moment self has no dial to turn. Pin DNS, close DoH, hold the credentials elsewhere, and back it with a screen layer; that stack is what turns a free filter into one that actually holds.
Frequently asked questions
How do I lock DNS on iPhone so I can’t just change it back?
Use a locked configuration profile to set the resolver at the system level, and put a Screen Time passcode held by someone you trust over the network settings so they cannot be reset. That removes the toggle rather than relying on you not to flip it. TKO’T enforces DNS this way by design, free, so on iPhone the dial is gone instead of just discouraged.
How do I stop someone from changing DNS or network adapters to bypass the filter on a computer?
Make the daily account a standard, non-admin user: editing DNS, swapping a network adapter, or adding a new connection are all admin actions a standard account cannot perform. Hold the admin password elsewhere. That single boundary closes the network-settings bypass on both Mac and Windows without locking any individual setting one by one.
How do I block DNS over HTTPS in the browser so it can’t bypass my router?
Turn secure DNS (DNS over HTTPS) off in each browser’s settings or point it at your filtering resolver, then lock that choice with a non-admin account so it cannot be reversed; managed profiles can disable browser DoH centrally. This matters because DoH otherwise routes lookups around your system and router DNS entirely, which is the gap most setups leave wide open.
How do I lock my router admin page so I can’t change the DNS back at night?
Change the router admin password and hand it to someone you trust, storing it sealed somewhere inconvenient, so the network default cannot be quietly reverted in a weak moment. Keep the router as one layer only, though: it cannot see cellular data or encrypted DNS, so pair it with on-device pinning and a screen-level blocker for full coverage.
Isn’t pinning DNS pointless if a screen blocker already exists?
No, they do different jobs and are strongest together: DNS pinning is the cheap bulk filter that kills thousands of known domains before anything loads, while the screen layer is the backstop for requests that found another resolver or a new domain. Pinning reduces how much the screen layer has to catch; the screen layer covers what pinning cannot. Run both.