Documentation — DNSAFE

Getting Started

How DNSAFE works

Every time a device loads a website or app, it first asks a DNS resolver to look up the domain name. DNSAFE acts as that resolver — before returning an answer, it checks the domain against threat intelligence databases covering malware, phishing, ransomware, ads, trackers, and more.

Blocked domains receive a non-routable response, so the connection never happens. Everything else resolves normally. There is no software to install, no VPN tunnel, and no latency penalty for allowed traffic.

ℹ️ DNSAFE filters at the network level. It protects every app on a device — browsers, email clients, game launchers, smart TVs — not just web traffic.

DNS resolver addresses

Use any of the three resolver protocols below. All three apply the same filtering policy tied to your registered device IPs.

Standard DNS 3.12.124.91

DNS-over-HTTPS https://api.dnsafe.net/dns-query

DNS-over-TLS api.dnsafe.net port 853

Quick start

1

Create an account Sign up at my.dnsafe.net. The free plan protects one device with malware and phishing blocking.

2

Register your device IP Go to Devices in the portal and add your device's public IP address. Your filtering policy applies to traffic from that IP. Visit api.ipify.org to find your current public IP.

3

Point your DNS to DNSAFE Change the DNS settings on your device or router to 3.12.124.91. See the platform guides below for step-by-step instructions per device type.

4

Verify it's working After changing DNS, visit the Dashboard in your portal. DNS queries should appear within a minute or two. If nothing shows, confirm your device's public IP matches what you registered.

💡 On a dynamic IP? Your ISP may change your public IP periodically. Update your registered device IP in the portal whenever this happens, or consider a router-level setup where the router IP stays stable.

Platform Guides

Select your platform to see step-by-step DNS configuration instructions.

Windows 10 / 11

1

Open Network SettingsPress Win + I → Network & Internet → Wi-Fi (or Ethernet) → click your active connection name.

2

Edit DNSScroll to DNS server assignment → click Edit → switch dropdown to Manual.

3

Enter the resolverEnable IPv4, set Preferred DNS to 3.12.124.91. Leave Alternate DNS blank or set a public fallback.

4

SaveClick Save. Open a browser and test a known blocked site — or visit your portal Dashboard.

ℹ️ For DoH on Windows 11, you can set DNS-over-HTTPS directly: in the DNS edit dialog, select HTTPS as the encryption method and enter https://api.dnsafe.net/dns-query.

macOS

1

Open System SettingsApple menu → System Settings → Network.

2

Select your interfaceClick your active connection (Wi-Fi or Ethernet) → Details…

3

Set DNS serversClick the DNS tab → click + under DNS Servers → enter 3.12.124.91 → click OK.

4

ApplyClick Apply. Flush the DNS cache with: sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder

iOS / iPadOS

1

Open Wi-Fi settingsSettings → Wi-Fi → tap the ℹ️ icon next to your network.

2

Configure DNSScroll to DNS → tap Configure DNS → select Manual.

3

Add DNSAFETap Add Server → enter 3.12.124.91. Remove any existing servers you want to replace.

4

SaveTap Save in the top right. Reconnect to Wi-Fi to apply.

💡 iOS only allows custom DNS per Wi-Fi network. For cellular traffic, use a DoH profile — Apple supports encrypted DNS profiles installed via Settings.

Android

Android 9+ supports system-wide Private DNS (DNS-over-TLS), which is the easiest way to use DNSAFE on Android.

1

Open Private DNS settingsSettings → Network & Internet → Private DNS (exact path varies by manufacturer).

2

Select Private DNS providerTap Private DNS provider hostname.

3

Enter DNSAFE hostnameEnter api.dnsafe.net and tap Save.

This uses DNS-over-TLS on port 853 and applies to all network interfaces (Wi-Fi and cellular).

ℹ️ On older Android versions, set a static DNS of 3.12.124.91 per Wi-Fi network: long-press your Wi-Fi network → Manage network settings → Advanced → IP settings: Static → set DNS 1.

Router (whole-network setup)

Setting DNS at the router level protects every device on your network automatically — phones, TVs, game consoles — without configuring each one individually.

1

Log in to your routerOpen a browser and navigate to your router's admin panel — usually 192.168.1.1 or 192.168.0.1.

2

Find DNS settingsLook under Internet, WAN, or DHCP settings. The option is often labelled Primary DNS or DNS Server.

3

Enter DNSAFE resolverSet Primary DNS to 3.12.124.91. Set Secondary DNS to a public fallback such as 1.1.1.1 if desired.

4

Save and rebootSave the settings. Reboot the router. Devices that renew their DHCP lease will automatically use DNSAFE.

⚠️ Register your router's external IP address (not the LAN IP like 192.168.x.x) in the DNSAFE portal. Visit api.ipify.org from any device on the network to find it.

DNS-over-HTTPS & DNS-over-TLS

Standard DNS (UDP port 53) is unencrypted — your ISP and anyone on the same network can see every domain you look up. Encrypted DNS protocols prevent this.

Protocol	Port	Best for
Standard DNS	53 (UDP/TCP)	Routers, older devices, simple setup
DoH Recommended	443 (HTTPS)	Browsers, Windows 11, macOS 12+, apps
DoT	853 (TLS)	Android Private DNS, Linux systemd-resolved

DNS-over-HTTPS (DoH)

DoH endpoint: https://api.dnsafe.net/dns-query

Firefox

1

Open Settingsabout:preferences → General → scroll to Network Settings → Settings…

2

Enable DoHCheck Enable DNS over HTTPS → choose Custom → enter https://api.dnsafe.net/dns-query → click OK.

Chrome / Edge / Brave

1

Open SettingsNavigate to Settings → Privacy and security → Security.

2

Enable Secure DNSEnable Use secure DNS → select With Custom → enter https://api.dnsafe.net/dns-query.

Windows 11 (system-wide DoH)

1

Network SettingsSettings → Network & Internet → your connection → Edit DNS.

2

Set Preferred DNSEnter 3.12.124.91 — then under DNS over HTTPS, choose On (automatic template) or enter the template manually: https://api.dnsafe.net/dns-query.

DNS-over-TLS (DoT)

DoT hostname: api.dnsafe.net — Port: 853

Android (Private DNS)

See the Android platform guide above — Private DNS uses DoT automatically.

Linux — systemd-resolved

Edit /etc/systemd/resolved.conf:

[Resolve]
DNS=3.12.124.91
DNSOverTLS=yes

Then restart: sudo systemctl restart systemd-resolved

Custom Rules

Custom rules let you override the default filtering policy for specific domains. An allow rule forces a domain to resolve normally even if DNSAFE would otherwise block it. A block rule prevents a domain from resolving even if it isn't on a default block list.

ℹ️ Rules take effect within a few minutes of being added. You can add rules from the Rules page in your portal.

Allow rules — unblocking a domain

Use an allow rule when DNSAFE is blocking a site you want to access.

1

Go to RulesIn your portal, click Rules in the sidebar.

2

Add a ruleClick + Add Rule → set action to Allow → enter the domain (e.g. example.com).

3

SaveClick Add Rule. The domain will resolve normally within a few minutes.

Block rules — blocking a specific domain

Use a block rule to prevent access to a domain not covered by the default block lists.

1

Go to RulesIn your portal, click Rules in the sidebar.

2

Add a ruleClick + Add Rule → set action to Block → enter the domain.

3

SaveClick Add Rule. The domain will stop resolving within a few minutes.

💡 Enter the base domain only — ads.example.com, not https://ads.example.com/path. Custom rules do not support wildcards, but blocking a parent domain (e.g. example.com) blocks all subdomains too.

How rules interact with block lists

Scenario	Result
Domain on a block list, no custom rule	Blocked
Domain on a block list, allow rule added	Allowed (rule wins)
Domain not on any block list, block rule added	Blocked (rule wins)
Domain not on any block list, no custom rule	Allowed