Why DNS-based filtering fails first

The proxy interception model

Making the proxy mandatory with a firewall rule

Blocking anonymizer and redirector categories

Extending filtering to mobile devices outside the home

URL blacklist management

CacheGuard as a complete implementation Device-level parental controls — Screen Time, Family Link, router DNS filtering — share a common architectural weakness: they can all be bypassed by routing traffic around the enforcement point. This guide covers a network-level approach that closes those gaps technically. Most home router parental controls work at the DNS layer. The router intercepts DNS queries and returns NXDOMAIN or a block page IP for blacklisted domains. The bypass is trivial: No DNS query hits the router. The filter never sees the request. DNS filtering provides zero protection against a user who controls their own DNS resolver. A forward proxy operating at the HTTP application layer is bypass-resistant by a different mechanism. Traffic must physically pass through the proxy to reach the internet — there is no DNS-level workaround because the proxy intercepts at Layer 7, not Layer 3. In explicit proxy mode, client devices are configured to send all HTTP and HTTPS requests to the proxy. HTTPS connections use the HTTP CONNECT method: The proxy sees the full destination URL in plaintext before any TLS handshake — enabling URL category filtering on HTTPS traffic without SSL decryption. If the destination matches a blocked category, the proxy returns: No content is delivered. No TLS session is established. Explicit proxy mode relies on client configuration — and a determined child can simply remove the proxy settings from their device. The fix is a firewall rule that makes bypassing the proxy impossible: The second rule drops any HTTPS traffic forwarded from internal clients that attempts to bypass the proxy. The client gets a connection timeout. The only path to port 443 on the internet is through the proxy — which applies the content filter. With Squid as the proxy engine, transparent interception for HTTP is straightforward: For HTTPS in transparent mode, SNI-based filtering is possible but limited to hostname-level blocking. For full URL-path filtering on HTTPS, explicit mode with the CONNECT method is required. Web-based proxy and anonymizer services — sites that let users route traffic through external servers — bypass local filtering regardless of proxy enforcement, because the destination URL appears to be a legitimate website. The mitigation is category-based blocking. Most URL category databases include an anonymizer or proxy category. In Squid with SquidGuard: This blocks access to known anonymizer domains before the child can use them to route around the content filter. Home gateway filtering only applies when devices are on the home network. When a child's smartphone switches to mobile data or a friend's hotspot, the gateway is bypassed entirely. The solution is an IPsec VPN server on the home gateway. Client devices connect to the VPN using IKEv2 with the gateway's certificate, routing all traffic through the home network — and through the web proxy — regardless of the underlying connection. StrongSwan server configuration (relevant excerpt): The leftsubnet=0.0.0.0/0 directive routes all client internet traffic through the VPN tunnel — not just traffic destined for the home network. Once the VPN client connects, all outbound traffic hits the gateway proxy and is filtered identically to home network traffic. Enforcing always-on VPN on client devices: On iOS, a configuration profile with OnDemandEnabled=1 and OnDemandRules set to activate on any network connection enforces the VPN without user interaction. The profile can be locked via Mobile Device Management or restricted using Screen Time's VPN settings control. On Android, Settings → Network → VPN → [profile] → Always-on VPN with Block connections without VPN enabled drops all traffic if the VPN is not active — no internet access without the tunnel. The content filter requires a category database mapping URLs to content categories. Options range from free community-maintained lists to commercially updated subscription databases. For a home deployment, the choice matters primarily on two dimensions: coverage (how many URLs are categorized, particularly for adult content) and update frequency (how quickly newly registered adult/malicious domains are added). Free lists are adequate for blocking well-established categories but lag significantly on newly registered domains — a common technique used to evade filters. A subscription database with daily or hourly updates provides meaningfully better coverage for the adult content category specifically. CacheGuard is a free, open-source network security appliance (LFS-based Linux) that ships all of the above pre-integrated: It installs from a single ISO on any x86 machine or VM. The firewall rules enforcing mandatory proxy use and blocking direct HTTPS forwarding are configurable through the web interface without writing iptables commands manually. For parents who are comfortable with basic network concepts but do not want to assemble Squid, StrongSwan, iptables, and a PKI from scratch, it eliminates the integration overhead while remaining fully open source and free. → https://www.cacheguard.com/parental-controls-home-network/ Templates let you quickly answer FAQs or store snippets for re-use. Hide child comments as well For further actions, you may consider blocking this person and/or reporting abuse