April 17, 2026 · 9 min read

How to set up parental controls that actually work (without breaking everything else)

A practical guide to network-level parental controls: DNS filtering with NextDNS or CleanBrowsing, per-VLAN content policies, time-of-day scheduling, and why router-level controls beat per-device apps.

Parental Controls, DNS Filtering, VLANs, UniFi, Networking

Every parent with kids old enough to hold a tablet has the same question: how do I filter the internet without breaking everything else in the house? The answer depends on how much control you want, how technical you are, and whether your network supports it.

Here’s the practical guide — what actually works, what breaks things, and why router-level controls beat per-device apps every time.

Why per-device apps are a losing battle

The first thing most parents try is installing a filtering app on each device: Bark, Qustodio, Circle, Screen Time, Family Link. These work — until they don’t.

  • Kids figure out how to disable or uninstall them (especially on Android and desktop)
  • They don’t cover every device — what about the smart TV, the game console, the friend’s tablet that connects to your Wi-Fi?
  • Each app manages one device. With 3 kids and 6+ devices, you’re managing a mess of subscriptions and dashboards
  • They often conflict with VPNs, school MDM profiles, and app updates
  • Monthly subscriptions add up ($5–$15/month per family, per service)

Per-device apps have their place (especially for monitoring and screen-time reporting), but they shouldn’t be your only layer. The network is a better enforcement point because every device on the network goes through it, regardless of what’s installed on the device itself.

Layer 1: DNS-level filtering

The simplest and most effective network-level control is DNS filtering. Every time a device tries to reach a website, it first asks a DNS server to translate the domain name (like “example.com”) into an IP address. If the DNS server refuses to resolve certain domains, the device simply can’t reach them.

This is invisible to the user — there’s no app to disable, no browser extension to remove. The filtering happens before the connection is even established.

Options for DNS filtering

  • NextDNS: Our recommendation for most families. Free for up to 300,000 queries/month (more than enough for most homes), $20/year for unlimited. You choose which categories to block (adult content, malware, social media, gambling, etc.) and can whitelist specific sites. Provides per-device analytics if you set up unique configurations per device or VLAN.
  • CleanBrowsing: Free tier that blocks adult content with zero configuration — just point your DNS to their IPs. Paid tiers add customization.
  • Cloudflare 1.1.1.3 (Family): Free, blocks malware and adult content. No dashboard, no customization — but zero setup. Just change your DNS server addresses.
  • OpenDNS Family Shield: Cisco’s free family filter. Similar to Cloudflare Family — set-and-forget with no customization on the free tier.

How to set it up

You configure DNS at the router level, not per-device. In your router’s DNS settings, replace whatever is there (usually your ISP’s DNS) with the filtering provider’s IP addresses. Every device on the network now uses filtered DNS automatically.

On UniFi specifically: go to Settings → Networks → select the network → DHCP → DNS Server, and enter the filtering DNS addresses. You can set different DNS servers per network/VLAN (more on that below).

Layer 2: Per-VLAN content policies

DNS filtering gets more powerful when combined with VLANs. Instead of one filtering policy for the entire house, you can have different rules for different groups of devices.

A typical setup:

  • Main VLAN (parents): Unfiltered DNS or light filtering (malware only). Full internet access.
  • Kids VLAN: Filtered DNS (NextDNS with adult content, social media, and gambling categories blocked). Bandwidth limits. Time-of-day scheduling.
  • Guest VLAN: Light filtering (malware and phishing). Internet-only, no access to internal devices.
  • IoT VLAN: No filtering needed (devices talk to their cloud services and nothing else).

The kids connect to a separate SSID (like “Home-Kids”) that maps to their VLAN. They get filtered DNS, bandwidth limits, and scheduled access — all enforced at the network level. Their devices don’t need any special apps installed.

UniFi’s built-in content filtering

UniFi Network has a built-in content filtering feature that works per-network (VLAN). Under Settings → Security → Content Filtering, you can enable filtering and choose block categories. This uses DNS-based blocking under the hood, similar to NextDNS or CleanBrowsing, but managed directly from the UniFi dashboard.

For families already on UniFi gear, this is the simplest starting point — no third-party service needed. You can enable it on the kids’ network and leave it off on the main network in about two minutes.

If you need more granularity (per-device analytics, custom whitelists, specific domain blocks), NextDNS gives you a more detailed dashboard. But for “block adult content on the kids’ Wi-Fi,” UniFi’s built-in option works out of the box.

Layer 3: Time-of-day scheduling

“No internet after 9 PM” is one of the most requested rules. Network-level scheduling makes this trivial and unbypassable (short of connecting to a neighbor’s Wi-Fi or using cellular data, which are separate problems).

How to implement it

  • UniFi: Under Settings → Profiles → Schedule, create a time schedule. Then apply it to a traffic rule that blocks the kids’ VLAN from reaching the internet during off-hours. You can also use the “WiFi Schedule” feature to disable the kids’ SSID entirely during certain hours — the network simply disappears from their device list.
  • pfSense / OPNsense: Firewall rules support time-based conditions natively. Create a rule that blocks the kids’ VLAN’s traffic to WAN between 9 PM and 7 AM.
  • NextDNS: Also supports time-based rules in its configuration — you can restrict specific categories only during certain hours (e.g., block YouTube after 8 PM but allow it during the day).

The key advantage: this doesn’t depend on the device’s clock (which kids can change on some devices). It’s enforced by the router, which the kids don’t have access to.

Layer 4: Preventing bypasses

DNS filtering has one well-known workaround: a device can use its own DNS server (like 8.8.8.8) instead of the one your router assigns. Some devices do this automatically (Google devices hardcode 8.8.8.8; some apps use DNS-over-HTTPS to bypass local DNS).

The fix is a firewall rule that blocks all DNS traffic (port 53) leaving the network except to your chosen filtering provider. This forces every device to use the filtered DNS — even if it tries to use its own.

On UniFi, this is a traffic rule: block TCP/UDP port 53 from the kids’ VLAN to any destination except the NextDNS (or CleanBrowsing, or UniFi) DNS addresses. Any device that tries to use Google DNS, Cloudflare unfiltered, or a hardcoded DNS server gets blocked.

For DNS-over-HTTPS (DoH) bypass, you can block known DoH providers at the IP level, though this is an arms race. The practical reality: most kids aren’t configuring DoH endpoints. If yours are, you have a different conversation to have.
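
A check for the DNS filtering and port 53 rule described above, as an added example that is not part of the original article: run from a device on the kids’ VLAN, it sends a raw DNS query to a resolver and reports whether the reply was a block, a real answer, or nothing at all. It assumes the filter signals a block with NXDOMAIN or a 0.0.0.0 answer and it tests UDP only; `SINKHOLES`, `probe` and the other names are illustrative.

```python
import socket
import struct
# Assumption: the filter answers blocked names with NXDOMAIN or 0.0.0.0.
# Add your provider's block-page IP here if it uses one.
SINKHOLES = {"0.0.0.0"}

def build_query(name, qid=0x1234):
    """Encode a minimal DNS A query (RFC 1035), recursion desired."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # A, IN

def _skip_name(data, pos):
    while True:
        length = data[pos]
        if length == 0 or length & 0xC0 == 0xC0:  # root label or pointer
            return pos + (1 if length == 0 else 2)
        pos += 1 + length

def parse_response(data):
    """Return (rcode, [IPv4 addresses]) from a raw DNS response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", data[:12])
    pos = 12
    for _ in range(qdcount):        # skip the echoed question section
        pos = _skip_name(data, pos) + 4
    ips = []
    for _ in range(ancount):
        pos = _skip_name(data, pos)
        rtype, _, _, rdlen = struct.unpack(">HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:   # A record
            ips.append(socket.inet_ntoa(data[pos:pos + 4]))
        pos += rdlen
    return flags & 0x000F, ips

def classify(data):
    """Label a response 'blocked', 'resolved' or 'no-answer'."""
    rcode, ips = parse_response(data)
    if rcode == 3 or (ips and all(ip in SINKHOLES for ip in ips)):
        return "blocked"
    return "resolved" if ips else "no-answer"

def probe(resolver, name, timeout=3.0):
    """Query resolver over UDP/53; 'unreachable' means nothing came back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (resolver, 53))
            return classify(s.recvfrom(4096)[0])
        except OSError:
            return "unreachable"
```

With the rule in place, `probe("8.8.8.8", "example.com")` should return `"unreachable"`, while probing the router-assigned filtering resolver with a domain from a blocked category should return `"blocked"`.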

What this looks like in practice

A typical family setup we deploy:

  1. Kids’ SSID on its own VLAN with NextDNS filtering (or UniFi content filtering) blocking adult, social media, and gaming categories
  2. Firewall rule forcing all DNS through the filter (no bypass via alternate DNS)
  3. Time schedule that blocks internet access on the kids’ VLAN after 9 PM on school nights, 10 PM on weekends
  4. Bandwidth limit on the kids’ VLAN so their downloading doesn’t crush a parent’s video call
  5. Parent devices on the main VLAN with no filtering, no schedule, full access

Total ongoing cost: $0–$20/year (NextDNS paid tier, if you want the analytics dashboard). No per-device apps. No subscriptions per child. Works on every device that connects to the kids’ SSID — tablets, laptops, game consoles, smart TVs, friends’ phones.

What network-level controls can’t do

To be clear about limitations:

  • They can’t filter within apps. DNS filtering blocks domains, not content within an allowed app. If YouTube is allowed, network filtering can’t block specific videos. For that, you need YouTube Restricted Mode (enforceable via DNS on some providers) or an app-level filter.
  • They don’t monitor. Network controls block and schedule. They don’t tell you what your kid searched for or who they messaged. If monitoring is the goal, you still need a device-level tool like Bark.
  • They don’t follow the device. When your kid takes their tablet to school or a friend’s house, network controls stop applying. This is where device-level controls complement network-level ones.
  • Cellular data bypasses everything. If your kid has a phone with a cell plan, they can turn off Wi-Fi and bypass all network controls. This is a carrier/device-level problem, not a network one.

The layered approach

The best setup combines network-level and device-level:

  • Network layer: DNS filtering + scheduling + VLAN isolation. Covers every device on your Wi-Fi, unbypassable without network access.
  • Device layer: Apple Screen Time or Google Family Link for monitoring and app-level restrictions. Travels with the device.

Neither layer alone is complete. Together, they cover the gaps in each other.

Bottom line

Router-level parental controls — DNS filtering, per-VLAN policies, and time-of-day scheduling — are more reliable, harder to bypass, and cheaper than per-device apps. They apply to every device on the network without installing anything on the devices themselves. Combined with device-level Screen Time or Family Link for monitoring, they give you practical control without breaking the rest of your network.

Keystone Integration sets up VLAN-segmented networks with parental controls across Saratoga Springs, Eagle Mountain, and Utah County — filtered kids’ networks, scheduled access, DNS enforcement, and the firewall rules that make it all stick. See our full service list on our main site, or get in touch to set up a network your kids can’t outsmart.