DSL/Wi-Fi routers

Router Setup

Router with Static IP address configuration

1. Go to SafeDNS Dashboard > Settings > Devices and copy your IP address to the "IP addresses / DynDNS" box, choose a policy, and click "Add".

2. Change your router’s DNS servers to SafeDNS addresses - 195.46.39.39 and 195.46.39.40


You have successfully configured your router.

Please note that settings take 5-7 minutes to apply.
Stats and filtering status update every 10 minutes.


Router with Dynamic IP address configuration

In case you have a Dynamic IP address, you need to configure the DynDNS/DDNS on the router using a Dynamic DNS service.

Most modern routers provide their own DynDNS services. We recommend using them.

Here's an example of the DynDNS menu on the TP-Link router with the TP-Link service provider:


You only need to create a DynDNS record in the router interface. Then skip to Step 6 below. 



If your router does not have its own DynDNS service provider, we recommend using third-party NO-IP DynDNS.

1. In the router settings, go to the DynDNS/DDNS settings.

2. Check the DynDNS service available for your router. If available, we recommend using the No IP DynDNS service provider.

3. Go to the website noip.com and sign up.


4. In your No-IP account, create a hostname (any name you can think of).


5. Go back to your router and configure DDNS/DynDNS.

If everything is correct, DynDNS/DDNS settings will apply.


6. Go to SafeDNS Dashboard > Settings > Devices and copy your DynDNS hostname to the "IP addresses / DynDNS" box, choose a policy, and click "Add".

Once added, you will see it in the DynDNS section of the Dashboard.


7. Change your router’s DNS servers to SafeDNS addresses - 195.46.39.39 and 195.46.39.40


You have successfully configured your router.

Please note that settings take 5-7 minutes to apply.
Stats and filtering status update every 10 minutes.


Configuring the filter using the DDclient

In rare cases when your router does not have a DynDNS/DDNS setting and your IP is Dynamic, you need to use third-party software - DDclient - on the PC connected to the network:

1. Install DDclient on a PC connected to the network. Once DDclient is installed, all devices connected to the same network will be filtered by the same rules.

2. Set up DNS servers in your router:



 


Router Setup (IPv6)

Router with static IP address configuration

1. Go to SafeDNS Dashboard > Settings > Devices and copy your IP address to the "IP addresses / DynDNS" box, choose a policy, and click "Add".

We recommend adding the whole IPv6 router subnet - first 4 segments with /64 at the end. Example: 2600:1005:b062:61e4::/64 instead of 2600:1005:b062:61e4:1111:2222:3333:4444.


2. Change your router’s DNS servers to SafeDNS addresses - 2001:67c:2778::3939 and 2001:67c:2778::3940

Open the router’s settings page, click the "Advanced" tab, and choose IPv6 in the left menu. Choose "IPv6 setup" and type in SafeDNS IPv6 addresses.


You have successfully configured your router.

Please note that settings take 5-7 minutes to apply.
Stats and filtering status update every 10 minutes.
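
The /64 recommendation from step 1, worked through in Python as an added example (not SafeDNS code). It shows why the prefix has to be computed from the expanded address rather than by copying the first four visible segments. The helper names `dashboard_ipv6_entry` and `covers` are hypothetical, the second sample address is constructed, and the rejection of non-global addresses is an added check, not something the page requires.

```python
import ipaddress


def dashboard_ipv6_entry(address: str) -> str:
    """Return the /64 to paste into the "IP addresses / DynDNS" box.

    Accepts a full or compressed IPv6 address, optionally with a zone id
    ("%eth0") or a prefix length, and returns the enclosing /64.
    """
    host = address.strip().split("/")[0].split("%")[0]
    ip = ipaddress.IPv6Address(host)
    if not ip.is_global:
        # Link-local (fe80::/10), unique-local (fc00::/7) and similar ranges
        # are never seen by a public resolver as a source address.
        raise ValueError(f"{ip} is not a globally routable address")
    # strict=False masks the host bits instead of rejecting the input.
    return str(ipaddress.ip_network(f"{ip}/64", strict=False))


def covers(entry: str, device_address: str) -> bool:
    """True if a device address falls inside the registered prefix."""
    return ipaddress.ip_address(device_address) in ipaddress.ip_network(entry)


if __name__ == "__main__":
    # The address used as the example on this page.
    entry = dashboard_ipv6_entry("2600:1005:b062:61e4:1111:2222:3333:4444")
    print(entry)

    # Constructed address: the fourth segment is zero and hidden by "::".
    # Copying "the first four segments" as text would give a wrong prefix here.
    print(dashboard_ipv6_entry("2600:1005:b062::1"))

    # Two devices behind the same router share the /64 even though their
    # interface identifiers differ, so one entry covers both.
    for device in ("2600:1005:b062:61e4:aaaa:bbbb:cccc:dddd",
                   "2600:1005:b062:61e5::1"):
        print(device, covers(entry, device))
```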


Router with Dynamic IP address configuration

In case you have a Dynamic IP address, you need to configure the DynDNS/DDNS on the router using a Dynamic DNS service.

Most modern routers provide their own DynDNS services. We recommend using them.

Here's an example of the DynDNS menu on the TP-Link router with the TP-Link service provider:


You only need to create a DynDNS record in the router interface. Then skip to Step 6 below. 



If your router does not have its own DynDNS service provider, we recommend using third-party NO-IP DynDNS.

1. In the router setting, go to DynDNS/DDNS settings.


2. Check the DynDNS service available for your router. If available, we recommend using the No-IP DynDNS service provider.


3. Go to the website noip.com and sign up.


4. In your No-IP account, create a hostname (any name you can think of).


5. Choose the IPv6 type and create the hostname. Make sure that the "IPv6 Address" field contains your IPv6 address.

6. Go back to your router and configure DDNS/DynDNS.

7. Go to SafeDNS Dashboard > Settings > Devices and copy your DynDNS hostname to the "IP addresses / DynDNS" box, choose a policy, and click "Add".

Once added, you will see it in the DynDNS section of the Dashboard.


8. Change your router’s DNS servers to SafeDNS addresses - 2001:67c:2778::3939 and 2001:67c:2778::3940

Open the router’s settings page, click the "Advanced" tab, and choose IPv6 in the left menu. Choose "IPv6 setup" and type in SafeDNS IPv6 addresses.


You have successfully configured your router.

Please note that settings take 5-7 minutes to apply.
Stats and filtering status update every 10 minutes.


Configuring the filter using the DDclient

In rare cases when your router does not have a DynDNS/DDNS setting and your IP is Dynamic, you need to use third-party software - DDclient - on the PC connected to the network:

1. Install DDclient on a PC connected to the network. Once DDclient is installed, all devices connected to the same network will be filtered by the same rules.

2. Set up DNS servers in your router:


Keenetic Router Setup

SafeDNS service in Keenetic routers is implemented as an operating system component. You can add or remove this Internet Safety service from the system and turn it on or off completely, without affecting the parameters of the main Internet connection: SafeDNS will work behind any NAT and with a dynamic IP address.

It is not possible to run SafeDNS, Cloudflare DNS, and AdGuard DNS services at the same time. Only one of them can be used.

Before setting up the Internet safety service, register your home network devices according to the instruction Connected devices registration.

Setup

1. Select "SafeDNS" in the 'Service' field on the "Internet safety" page.


2. Enter your SafeDNS account's parameters by clicking "Log in" in the "SafeDNS account" section. If you do not have a SafeDNS account yet, click "Create account".


3. Enter your SafeDNS account e-mail/login and password.


4. Assign filtering policies in the "Assignment of protection policies to devices" section.

You can assign filtering policies to permanent home network devices (registered in Keenetic) and the default policy for all unregistered devices.


Your devices connected to the Keenetic router are now filtered with the assigned SafeDNS filtering policies.

Please note that settings take 5-7 minutes to apply.
Stats and filtering status update every 10 minutes.

Asus and Asuswrt-Merlin Router Setup

Router with Static IP address configuration

1. Go to SafeDNS Dashboard > Settings > Devices and copy your IP address to the "IP addresses / DynDNS" box, choose a policy, and click "Add".


2. Open a browser and type the Default Gateway address into the address bar. By default, it is 192.168.1.1.

Your router might have a different Default Gateway IP address. Check the back of your router to find the Default Gateway IP address of your particular router.

3. Once you log in, click on the WAN tab in the Advanced Settings section.


4. You will find the WAN DNS Settings tab there. Select the No option next to Connect to DNS server automatically.

5. In the DNS Server1 and DNS Server2 fields, enter the SafeDNS addresses: 195.46.39.39 and 195.46.39.40.

6. To save the changes, press Apply and restart your router.

In the Asus router, it's possible to force DNS traffic through port 53. These are the steps:
   1. Click on WAN and go to Port trigger.
   2. Enable the Port trigger.
   3. In the section trigger port list enter:
       name: SafeDNS
       trigger port: 53
       protocol: TCP
       incoming port: 53
       protocol: UDP
   4. Click Add and Apply.
By blocking port 53, all devices connected to the router will be forced to use the SafeDNS servers.

You have successfully configured your router.

Please note that settings take 5-7 minutes to apply.
Stats and filtering status update every 10 minutes.


Router with Dynamic IP address configuration

In case you have a Dynamic IP address, you need to configure the DynDNS/DDNS on the router using a Dynamic DNS service.

 

Most modern routers provide their own DynDNS services. We recommend using them.

If your router does not have its own DynDNS service provider, we recommend using third-party NO-IP DynDNS.

1. Check the DynDNS service available for your router. If available, we recommend using the No IP DynDNS service provider.

2. Go to the website noip.com and sign up.


3. In your No-IP account, create a hostname (any name you can think of).


4. Go back to your router and configure DDNS/DynDNS.

If everything is correct, DynDNS/DDNS settings will apply.

5. Go to SafeDNS Dashboard > Settings > Devices and copy your DynDNS hostname to the "IP addresses / DynDNS" box, choose a policy, and click "Add".


Once added, you will see it in the DynDNS section of the Dashboard.


6. Open a browser and type the Default Gateway address into the address bar. By default, it is 192.168.1.1.

Your router might have a different Default Gateway IP address. Check the back of your router to find the Default Gateway IP address of your particular router.

7. Once you log in, click on the WAN tab in the Advanced Settings section.


8. You will find the WAN DNS Settings tab there. Select the No option next to Connect to DNS server automatically.

9. In the DNS Server1 and DNS Server2 fields, enter the SafeDNS addresses: 195.46.39.39 and 195.46.39.40.

10. To save the changes, press Apply and restart your router.

In the Asus router, it's possible to force DNS traffic through port 53. These are the steps:
   1. Click on WAN and go to Port trigger.
   2. Enable the Port trigger.
   3. In the section trigger port list enter:
       name: SafeDNS
       trigger port: 53
       protocol: TCP
       incoming port: 53
       protocol: UDP
   4. Click Add and Apply.
By blocking port 53, all devices connected to the router will be forced to use the SafeDNS servers.

You have successfully configured your router.

 

Please note that settings take 5-7 minutes to apply.
Stats and filtering status update every 10 minutes.


Asuswrt-Merlin DNS Director

This part of the article contains information for Asus routers with custom firmware Asuswrt-Merlin.

Asuswrt-Merlin is a third-party alternative firmware for Asus routers (official page).
List of the supported devices - here.

DNS Director is a feature that allows you to force specific devices on your network to use specific DNS. This can be done globally, or on a per-device basis. Each of them can have a different nameserver enforced.

For example, you can have your LAN use a custom DNS server, but force your children's devices to use SafeDNS filtering.
Safe Family and Business plans users can group devices in up to 6 groups and filter them with different policies using the NAT DNS feature.

The configuration can be found in the DNS Director tab, located in the LAN section:



Configuring the filter using the DDclient

In rare cases when your router does not have a DynDNS/DDNS setting and your IP is Dynamic, you need to use third-party software - DDclient - on the PC connected to the network:

1. Install DDclient on a PC connected to the network. Once DDclient is installed, all devices connected to the same network will be filtered by the same rules.

2. Set up DNS servers in your router:


Unifi/Ubiquiti Router Setup

Router with Static IP address configuration


1. Go to SafeDNS Dashboard > Settings > Devices and copy your IP address to the "IP addresses / DynDNS" box, choose a policy, and click "Add".


2. Start the Unifi Controller Application and wait for it to load. Once it is loaded, start the browser.
3. Open the Settings menu from the Dashboard.

4. Browse to the Networks menu and select either Create New Network or Edit, depending on your requirements. If you are creating a new setup, there might be no networks yet, so you need to create a new network. If you are starting to use SafeDNS on an existing network, select the Edit option.

The following configuration can be used as an example of your Local Network setup.

5. Set the following DHCP Name Server addresses: 195.46.39.39 and 195.46.39.40

6. After adding the SafeDNS name servers, press the Save button and wait for the provisioning process of the Unifi access points; it may take a while.

You have successfully configured your router.

Please note that settings take 5-7 minutes to apply.
Stats and filtering status update every 10 minutes.


Router with Dynamic IP address configuration

In case you have a Dynamic IP address, you need to configure the DynDNS/DDNS on the router using a third-party Dynamic DNS service.

1. In the router settings, go to the DynDNS/DDNS settings.

2. Check the DynDNS service available for your router. If available, we recommend using the No IP DynDNS service provider.

3. Go to the website noip.com and sign up.

4. In your No-IP account, create a hostname (any name you can think of).

5. Go back to your router and configure DDNS/DynDNS.

If everything is correct, DynDNS/DDNS settings will apply.

6. Go to SafeDNS Dashboard > Settings > Devices and copy your DynDNS hostname to the "IP addresses / DynDNS" box, choose a policy, and click "Add".

Once added, you will see it in the DynDNS section of the Dashboard.

7. Start the Unifi Controller Application and wait for it to load. Once it is loaded, start the browser.
8. Open the Settings menu from the Dashboard.

9. Browse to the Networks menu and select either Create New Network or Edit, depending on your requirements. If you are creating a new setup, there might be no networks yet, so you need to create a new network. If you are starting to use SafeDNS on an existing network, select the Edit option.

The following configuration can be used as an example of your Local Network setup.

10. Set the following DHCP Name Server addresses: 195.46.39.39 and 195.46.39.40

11. After adding the SafeDNS name servers, press the Save button and wait for the provisioning process of the Unifi access points; it may take a while.

You have successfully configured your router.

Please note that settings take 5-7 minutes to apply.
Stats and filtering status update every 10 minutes.

Configuring the filter using the DDclient

In rare cases when your router does not have a DynDNS/DDNS setting and your IP is Dynamic, you need to use third-party software - DDclient - on the PC connected to the network:

1. Install DDclient on a PC connected to the network. Once DDclient is installed, all devices connected to the same network will be filtered by the same rules.

2. Set up DNS servers in your router:


Verizon Router Setup

Router with Static IP address configuration

1. Go to SafeDNS Dashboard > Settings > Devices and copy your IP address to the "IP addresses / DynDNS" box, choose a policy, and click "Add".


2. Locate the network configuration on your router and set the SafeDNS servers: 195.46.39.39 and 195.46.39.40.
To do that, click the My Network icon and open the Network Connections option:

My Network > Network Connections


3. Locate in the connection list the Broadband Connection with the status: Connected:

On the next screen, locate the Settings button and press it.


4. Change the DNS server option by selecting “Use the Following DNS Server Addresses”.

5. Once the option is changed, the fields where you can set the SafeDNS DNS servers are activated:

195.46.39.39 and 195.46.39.40.

You have successfully configured your router.

 

Please note that settings take 5-7 minutes to apply.
Stats and filtering status update every 10 minutes.

Mikrotik Router Setup

Router with Static IP address configuration


1. Go to SafeDNS Dashboard > Settings > Devices and copy your IP address to the "IP addresses / DynDNS" box, choose a policy, and click "Add".

2. Change your router’s DNS servers to SafeDNS addresses - 195.46.39.39 and 195.46.39.40
To do that, open the configuration page of the Mikrotik router and browse to the following option:
Menu > IP > DHCP Server > Networks

3. Select the “Network” used by the DHCP server and change/add the SafeDNS addresses - 195.46.39.39 and 195.46.39.40. Replace any DNS servers that were already configured.

You have successfully configured your router.

Please note that settings take 5-7 minutes to apply.
Stats and filtering status update every 10 minutes.


Router with Dynamic IP address configuration

Mikrotik routers have an embedded Dynamic DNS feature named VPN Access.
It can be activated easily from the router, with no configuration needed on any DDNS service.

1. Open the main page of the router, the Quick Set menu, and scroll down to the VPN setup.


2. Activate the VPN access and set the VPN Password. Click the Apply Configuration button to save and activate the settings. Copy the VPN address to the clipboard.

3. Go to SafeDNS Dashboard > Settings > Devices, paste the VPN address into the "IP addresses / DynDNS" box, choose a policy, and click "Add".

Once added, you will see it in the DynDNS section of the Dashboard.

4. Change your router’s DNS servers to SafeDNS addresses - 195.46.39.39 and 195.46.39.40
To do that, open the configuration page of the Mikrotik router and browse to the following option:
Menu > IP > DHCP Server > Networks

5. Select the “Network” used by the DHCP server and change/add the SafeDNS addresses - 195.46.39.39 and 195.46.39.40. Replace any DNS servers that were already configured.

You have successfully configured your router.

Please note that settings take 5-7 minutes to apply.
Stats and filtering status update every 10 minutes.


DoH setup

DoH is supported on all paid plans.
DoH links with policy are available on Education & Non-Profit, Pro, and Pro Plus plans only.

MikroTik routers can be set up to use a DoH connection to SafeDNS.

DoH link without policy

With this setup, all devices connected to the network with the IP address added in the SafeDNS Dashboard will be filtered with the selected policy.
If the IP address of the router changes, you need to add the new IP address in the SafeDNS Dashboard.

Navigate to SafeDNS Dashboard > Settings > Devices, copy your IP address to the "IP addresses/DynDNS" box, choose a policy, and click "Add".

In the MikroTik router:
1. Navigate to IP > DNS, enter "https://doh.safedns.com/" in the Use DoH Server field, untick Verify DoH Certificate, and save the changes.

After that, all devices connected to the network with the IP address added in the SafeDNS Dashboard will be filtered with the selected policy.

2. Indicate our DNS IP address 195.46.39.39 in DNS Settings.

3. In Network Settings, each subnet that needs DoH filtering must have the Gateway IP address configured as the DNS Servers:


DoH link with policy

With this setup, all devices connected to the router will be filtered with the selected policy.
The router is identified by the policy token in the link. If the IP address of the router changes, it will not affect the filtering.

1. Navigate to SafeDNS Dashboard > Settings > Policy, and copy the DoH link with the policy.

2. In the MikroTik router, navigate to IP > DNS, enter the copied link in the Use DoH Server field, untick Verify DoH Certificate, and save the changes.

3. Follow steps 2 and 3 from DoH link without policy.

After that, all devices connected to the router will be filtered with the selected policy.
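
One way to check a router against the three DoH steps above, as an added example (not SafeDNS or MikroTik code): it reads the text of a RouterOS `/export` and reports what `/ip dns` and `/ip dhcp-server network` contain. The sample export is constructed; the script assumes a policy link uses the same doh.safedns.com host, that either SafeDNS address is acceptable in step 2, and that an omitted `verify-doh-cert` means `no`.

```python
import shlex
from urllib.parse import urlsplit

SAFEDNS_V4 = {"195.46.39.39", "195.46.39.40"}  # resolver addresses given on this page
SAFEDNS_DOH_HOST = "doh.safedns.com"           # DoH host given on this page

# Constructed sample of "/export" output (not taken from a real router).
# The second DHCP network deliberately hands out a DNS server other than the router.
SAMPLE_EXPORT = r"""
# constructed example
/ip dns
set allow-remote-requests=yes servers=195.46.39.39 \
    use-doh-server=https://doh.safedns.com/ verify-doh-cert=no
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
add address=192.168.99.0/24 dns-server=8.8.8.8 gateway=192.168.99.1
"""


def parse_export(text):
    """Return {menu: [{key: value, ...}, ...]} for the set/add lines of an export.

    Handles the export layout where the menu path is on its own line and long
    lines are wrapped with a trailing backslash.
    """
    menus, menu, pending = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):          # wrapped line: join with the next one
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):         # menu path, e.g. "/ip dns"
            menu = line
            continue
        verb, _, rest = line.partition(" ")
        if menu is None or verb not in ("set", "add"):
            continue
        # shlex removes the quotes RouterOS puts around values with special characters.
        props = dict(tok.split("=", 1) for tok in shlex.split(rest) if "=" in tok)
        menus.setdefault(menu, []).append(props)
    return menus


def audit_doh(text):
    """Report the state of the three steps from the DoH setup."""
    menus = parse_export(text)
    dns = {}
    for props in menus.get("/ip dns", []):
        dns.update(props)

    url = urlsplit(dns.get("use-doh-server", ""))
    servers = {s for s in dns.get("servers", "").split(",") if s}

    off_router = []
    for net in menus.get("/ip dhcp-server network", []):
        handed_out = {s for s in net.get("dns-server", "").split(",") if s}
        # Step 3: clients must be given the router (gateway) as their DNS server,
        # otherwise their queries never pass through the router's DoH client.
        if handed_out != {net.get("gateway")}:
            off_router.append(net.get("address"))

    return {
        # Step 1: DoH server points at SafeDNS over HTTPS.
        "doh_server_ok": url.scheme == "https" and url.hostname == SAFEDNS_DOH_HOST,
        # Step 1: with verification off the router does not authenticate the endpoint.
        "cert_verified": dns.get("verify-doh-cert", "no") == "yes",
        # Step 2: plain DNS servers are SafeDNS addresses only.
        "plain_dns_ok": bool(servers) and servers <= SAFEDNS_V4,
        # Step 3: DHCP networks whose clients are not pointed at the router.
        "subnets_not_using_router": off_router,
    }


if __name__ == "__main__":
    for key, value in audit_doh(SAMPLE_EXPORT).items():
        print(f"{key}: {value}")
```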

OpenWRT Router Setup

If you have static IP or use a DynDNS service you can set up SafeDNS on your OpenWRT router just like any other router using this guide.

Only OpenWRT versions 17 or lower are supported.

1. Set up the DDNS client. In the menu, select System > Software.


2. Click Update lists.


3. Type luci-app-ddns in Download and install package and click OK.


4. Click Status in the menu to refresh the menu. New item Services and subitem Dynamic DNS will appear in the menu.


5. Fill out the form on page Dynamic DNS:

6. Enable and start DDNS service.

7. Select in menu System > Startup



8. Click the Disabled button for ddns service, then click Start.


9. Check the string appearing in the system log (Status > System log):

user.notice ddns-scripts-myddns: Update successful

10. Navigate to Network > Interfaces, WAN.

11. In Use custom DNS servers add 195.46.39.39 and 195.46.39.40. Click Save & Apply.

After that, you can continue configuring your filtering options in the SafeDNS Dashboard.

Please note that settings take 5-7 minutes to apply.
Stats and filtering status update every 10 minutes.

DD-WRT Router Setup

If you have static IP or use a DynDNS service, you can set up SafeDNS on your DD-WRT router just like any other router using this guide.

Alternatively, you can configure the SafeDNS filter on a DD-WRT router using its native firmware:

1. Go to the “Setup” tab > “Basic setup” > find the section “Network Address Server Settings” and set 195.46.39.39 and 195.46.39.40 as DNS servers.

Select the "Forced DNS Redirection" to force all DNS requests from the network to use SafeDNS servers, even if the end device has custom DNS servers.

2. In the "WAN Setup" section check the "Ignore WAN DNS" option.

3. Go to the DDNS tab.
4. Select Custom for DDNS Service type.
5. Type in www.safedns.com in the DYNDNS Server field.
6. Type in your login (email) from the SafeDNS account in the User Name field.
7. Type in your password in the Password field.
8. Type in any name (hostname) in the Host field.
9. Type in /nic/update?hostname= in the URL field.
10. Save and apply settings.


If all settings are correct, you will see the successful update of your address in the DDNS Status block.

After that, you can continue configuring your filtering options in the SafeDNS Dashboard.

Please note that settings take 5-7 minutes to apply.
Stats and filtering status update every 10 minutes.

Huawei iMaster NCE Campus Setup


Prerequisites

  1. Sign up for a Reseller account by contacting the SafeDNS Sales team (sales@safedns.com).
  2. Create a sub-account for each tenant or group of tenants, implementing the multi-tenant capability of SafeDNS.
  3. Configure the filtering rules for each tenant.
  4. Receive the public Subscription API key from the SafeDNS manager.
    To read more about API methods, please check the Subscription API documentation.

Setup

Connect a SafeDNS account to iMaster NCE controller


  1. Navigate to System > System Settings > Third-Party Service > DNS Interconnection Parameters.
  2. Fill information in the following fields:
    • DNS IP-Address Main: 195.46.39.39
    • DNS IP-Address Secondary: 195.46.39.40
    • Account: sub-account to connect to SafeDNS
    • Public key: public Subscription API key

Activate URL-Filtering
  1. Select a site in iMaster NCE controller, on which you want to use URL Filtering
  2. Navigate to Provision > Physical Network > Site Configuration.
  3. Select a site from the site drop-down list in the upper left corner.
  4. Navigate to the Site Configuration tab.
  5. Navigate to AP > Advanced.
  6. Enable DHCP.
  7. Set DHCP server parameters.
  8. Enable Third-party URL Filtering.



(Optional) Update TLS certificate

A SafeDNS certificate is used for unidirectional authentication between iMaster NCE-Campus and a third-party SafeDNS server.
This operation is involved in URL filtering by SafeDNS.

By default, the SafeDNS certificate is preinstalled on iMaster NCE-Campus.

Contact SafeDNS if you need an updated certificate.

  1. Log in to iMaster NCE Campus as the system administrator.
  2. Navigate to System > System Management > Certificate Management.
  3. Select Service Certificate Management
  4. Select CampusCfgService_SafeDNS.
  5. Click on the Trust Certificate tab.
  6. Click Import.
  7. Set Certificate Format to DER.
  8. Select the certificate file and click Submit.
  9. Wait for 2 minutes.
  10. Restart the CampusCfgService service for the certificate to apply:
    1. Log in to the management panel.
    2. Navigate to Product > System Monitoring > Service tab.
    3. Search for CampusCfgService.
    4. Select the service.
    5. Click Stop.
    6. Click Start.
  11. Log in to the iMaster NCE Campus and check whether the certificate file is successfully uploaded to the following path: /opt/oss/NCECAMPUS/apps/CampusCfgService/controller/configuration/safedns


Comcast Xfinity Router Setup

Most Xfinity routers for both residential and business users come with the firmware that intercepts all DNS requests. Even if DNS addresses are changed, the router will continue redirecting DNS requests to Comcast servers.


Business users

For business users, DNS interception is controlled by the Security Edge feature that can be disabled in your account on the Comcast for Business portal.


Residential users

Unfortunately, residential users can not disable DNS interception on Xfinity routers.

However, there are several possible solutions on how to bypass DNS interception.

Solution 1 - connect a third-party router

Connecting a third-party router to Xfinity router will create a secondary network in which you have full control over router's settings. After that, set up the third-party router using this guide for routers and connect all your devices to it.

Solution 2 - install SafeDNS Agent on devices

The Agent is available on the following billing plans: Safe Family, Pro, Pro Plus, and archived Safe@Home, Safe@Office.

Alternatively, you can install SafeDNS Agents on all devices that require filtering. SafeDNS Agent works in any network.

Windows, Mac, Linux, Android

If you have installed SafeDNS Agent and the filtering doesn't work correctly, please check the parental control feature:

  1. Log into Xfinity dashboard.
  2. Navigate to Network.
  3. Select your gateway/router.
  4. Select device you need to remove parental controls from.
    Unfortunately, this setting has to be disabled for each device separately.
  5. Scroll down to the Assigned to panel and click on the cogwheel icon.
  6. Click on the parental control option.
  7. Select Off and click Apply Changes.

Solution 3 - use OpenVPN for filtering on devices

The filtering can be set up using a third-party application OpenVPN on all devices that require filtering.

Please follow this guide for OpenVPN setup.

Solution 4 - use DNS-over-HTTPS

Please follow this guide for DoH setup.

Starlink router setup

DNS configuration with a static IP address

1. Go to SafeDNS Dashboard > Settings > Devices and copy your IP address to the "IP addresses / DynDNS" box, choose a policy, and click "Add".


2. Change your router’s DNS servers to SafeDNS addresses - 195.46.39.39 and 195.46.39.40

To change the DNS settings on a Starlink router, follow these steps:
  1. Connect to the Starlink Network.

  2. Access the Starlink App: Open the Starlink app on your smartphone or tablet. If you don’t have the app, you can download it from the App Store (iOS) or Google Play Store (Android).

  3. Log In: Log in to your Starlink account.

  4. Navigate to SETTINGS > Select CUSTOM DNS.



  5. Enable Custom DNS. Toggle 'Enable Custom DNS' to On.


  6. Enter Custom DNS: Indicate 195.46.39.39 as primary and 195.46.39.40 as secondary IP addresses.


  7. Save Changes.

Please note that settings take 5-7 minutes to apply.
Stats and filtering status update every 10 minutes.

Meraki Router Setup

Router with Static IP address configuration

1. Go to SafeDNS Dashboard > Settings > Devices and copy your IP address to the "IP addresses / DynDNS" box, choose a policy, and click "Add".


2. Change your router’s DNS servers to SafeDNS addresses:

To do that, on the Meraki Dashboard, navigate to Security & SD-WAN > Configure > DHCP > Main subnet/VLAN ID >  DNS nameservers and choose Specify nameservers... from the drop-down.

In the "Custom nameservers" field indicate SafeDNS addresses − 195.46.39.39 and 195.46.39.40

You have successfully configured your router.

Please note that settings take 5-7 minutes to apply.
Stats and filtering status update every 10 minutes.

Router with Dynamic IP address configuration

Using Meraki Built-in Dynamic DNS.

1. Once on the Security & SD-WAN > Monitor > Appliance status page, select the pencil icon next to Hostname, located between the WAN IP and Serial Number on the left of the page.

A dialog box will appear for configuring Dynamic DNS. Select Enabled in the dialog box and enter a public domain name if necessary, then select Update.


2. Go to SafeDNS Dashboard > Settings > Devices and copy the DynDNS hostname of the needed WAN to the "IP addresses / DynDNS" box, choose a policy, and click "Add".

Once added, you will see it in the DynDNS section of the Dashboard.


After DynDNS is enabled, you can confirm it is working by performing a DNS query for the MX DDNS hostname. Open a command prompt (cmd) on any workstation and type "nslookup <your dynamic DNS name>". The DNS response should return the current active public IP address.