How can we help?

Point your network's DNS to our anycast resolvers:

Primary / Secondary

• Primary: 3.12.124.91
• Secondary: 3.12.124.91

DNS-over-HTTPS (DoH)

• https://api.dnsafe.net/dns-query

DNS-over-TLS (DoT)

• api.dnsafe.net — port 853

These are shared resolvers. For a dedicated resolver tied to your policy, generate one in the portal under Settings → Resolvers.

1. In the portal go to Settings → Network Locations and click Add Location.
2. Enter a name and your network's public IP range (CIDR notation, e.g. 203.0.113.0/24).
3. Assign a policy to the location.
4. Update your router or firewall DNS settings to point to the resolver IPs above.

Policy enforcement begins as soon as the DNS change propagates (usually under 5 minutes).

The roaming client protects devices when they're off your network (laptops on coffee shop Wi-Fi, etc.).

Steps

1. Download the agent from the portal: Settings → Roaming Clients → Download.
2. Run the installer with administrator privileges.
3. Enter your Organisation Token when prompted (found in Settings → Organisation).
4. The agent registers itself and begins enforcing your default roaming policy.

The client is available for Windows 10/11 and macOS 12+. Linux support is via manual config — see the DNS-over-TLS setup guide.

Policy changes apply within 60 seconds on average. The portal shows a "syncing" indicator while propagation is in progress. If you're testing, flush your local DNS cache (ipconfig /flushdns on Windows, sudo dscacheutil -flushcache on macOS) to see changes immediately.

• Policy — a set of rules (categories to block, allow-list domains, custom rules). Think of it as the rulebook.
• Location — a network or device group (identified by IP range or roaming agent token). Think of it as the thing the rulebook is applied to.

One policy can be assigned to many locations. Each location can only have one active policy at a time.

Go to Logs in the portal. You can filter by:

• Action: blocked / allowed
• Location, policy, or specific domain
• Time range (last 15m, 1h, 24h, 7d, custom)

Logs are retained for 30 days on Starter, 90 days on Growth, and 1 year on Enterprise.

Yes. Go to Settings → Team Members → Invite. Enter the email address and choose a role:

• Owner — full access including billing and team management.
• Admin — full policy and location management, no billing access.
• Viewer — read-only access to logs and dashboards.

Invitees receive an email with a sign-up link. Multi-user access is available on Growth and Enterprise plans.

In the Meraki dashboard: Security & SD-WAN → Addressing & VLANs → DNS. Set primary to 3.12.124.91 and secondary to 3.12.124.91. Apply to all VLANs that should be filtered. Changes take effect on the next DHCP lease renewal for clients.

Chrome / Edge

Settings → Privacy and Security → Security → Use Secure DNS → enter https://api.dnsafe.net/dns-query.

Firefox

Settings → General → Network Settings → Enable DNS over HTTPS → Custom → enter the same URL.

Note: browser-level DoH bypasses OS/router DNS, so it applies only to that browser.

Yes. Configure your internal DNS server (Windows DNS Server, BIND, etc.) to forward external queries to DNSAFE resolvers. Your internal zones resolve locally; everything else gets filtered by DNSAFE. Conditional forwarding for your internal domains should point to your domain controller, not DNSAFE.

Use our Dynamic IP Updater. In the portal under Settings → Network Locations, enable Dynamic IP for the location. You'll get a unique update URL. Configure your router's DDNS client (or a cron job) to hit that URL whenever your IP changes. Alternatively, use the roaming client on devices instead of a network location.

• Standard DNS: UDP/TCP 53
• DNS-over-TLS: TCP 853
• DNS-over-HTTPS: TCP 443
• Roaming agent check-in: TCP 443 (HTTPS)

Ensure outbound traffic on these ports is allowed through your firewall to *.dnsafe.net.

Windows 10/11

Settings → Network & Internet → Change adapter options → right-click your connection → Properties → Internet Protocol Version 4 (TCP/IPv4) → Properties → Use the following DNS server addresses → enter 3.12.124.91.

macOS

System Settings → Network → select your connection → Details → DNS tab → click + and add 3.12.124.91. Remove any existing entries from your ISP.

iOS (iPhone / iPad)

Settings → Wi-Fi → tap the ⓘ next to your network → Configure DNS → Manual → remove existing servers and add 3.12.124.91. For DoH, visit dnsafe.net/check and tap Install DNS Profile.

Android 9+

Settings → Network & internet → Private DNS → select "Private DNS provider hostname" → enter 3.12.124.91. This uses DNS-over-TLS automatically.

Router (general)

Log into your router admin panel (usually 192.168.1.1 or 192.168.0.1) → WAN/Internet Settings → DNS → Primary: 3.12.124.91. This protects all devices on the network at once.

In the portal: Policies → [your policy] → Allow List → Add Domain. Enter the domain (e.g. example.com) — subdomains are included automatically. The allow list overrides all category blocks.

You can also allow from the Logs view: find the blocked entry, click the domain, and select Add to Allow List.

Policies → [your policy] → Block List → Add Domain. Custom block list entries override category rules, so a domain allowed by default can be blocked here. Wildcards are supported: *.ads.example.com.

DNSAFE classifies domains into 80+ categories including: Security categories (malware, phishing, C2, cryptomining) are enabled on all plans. Content categories require Growth or Enterprise.

Yes. Under Settings → Block Page you can customise the block page with your logo, company name, and a custom message. Enterprise plans can fully redirect to their own HTTPS block page via CNAME.

Enable these in Policies → [policy] → Content Controls. DNSAFE enforces SafeSearch by returning the restricted CNAME for Google, Bing, and DuckDuckGo. YouTube Restricted Mode is enforced at the DNS level by returning YouTube's restrict endpoint. Both work without any software on client devices.

ThreatGrid is DNSAFE's threat intelligence engine. It aggregates feeds from 40+ threat intelligence sources, our own DNS telemetry, and a real-time DGA (Domain Generation Algorithm) detector to classify and score domains. Domains with a high threat score are blocked automatically, even before traditional feed updates. ThreatGrid scores update every 15 minutes.

Yes — Policy Schedules are available on Growth and Enterprise. Under Policies → Schedules, define time windows and assign alternate policies. For example: strict policy 9am–5pm Mon–Fri, relaxed policy evenings and weekends.

Newly Registered Domains are domains registered within the last 30 days. Attackers frequently register fresh domains for phishing, malware delivery, and spam campaigns precisely because they have no reputation history. DNSAFE's NRD category flags these automatically.

Blocking NRDs is highly recommended for business and MSP environments. For home users it's optional — very occasionally a legitimate new service may be on an NRD. You can always add allow-list exceptions for specific domains you trust.

In the partner portal go to Tenants → Add Tenant. Enter the client name and assign a plan. The tenant is provisioned instantly and you'll be dropped into that tenant's dashboard. Each tenant has full policy, location, and log isolation.

MSP partners are billed monthly based on total active seats across all tenants. You set your own resale price to clients — DNSAFE doesn't dictate end-user pricing. Your invoice consolidates all tenants into a single line item with a per-seat breakdown. Margins typically run 60–70% depending on your resale tier.

Yes. Each tenant can have one or more admin users who access only their own tenant's data at portal.dnsafe.net. They cannot see other tenants or MSP-level settings. You control whether clients can modify their own policies or just view reports.

Yes. The DNSAFE REST API supports full tenant lifecycle management — create, update, suspend, and delete tenants; manage policies and locations; pull logs and stats. See the full reference at api.dnsafe.net/docs. Generate API keys under Settings → API Keys.

The Tenant Health dashboard (partner portal home) shows all tenants with their DNS query volume, block rate, last-seen timestamp, and any active alerts. Tenants with no DNS traffic in 24h are flagged in amber; those with zero traffic for 72h are flagged red, indicating the DNS forwarder may be misconfigured.

White-labelling is available on Growth and Scale plans. You can customise:

• Portal branding — your logo and colour scheme on the tenant-facing portal.
• Block page — your logo and message shown when a domain is blocked.
• Email notifications — alerts sent from your domain (requires DNS configuration for SPF/DKIM).

Configure all of these under Partner Settings → White Label in the MSP portal. Client tenants will see your brand throughout — DNSAFE branding is not shown to end users on white-label plans.

The API uses Bearer token authentication. Generate an API key under Settings → API Keys → New Key. Include it in every request:

Authorization: Bearer YOUR_API_KEY

API keys are scoped — you can create read-only keys for reporting or read/write keys for full management. Keys can be revoked at any time without affecting other keys. The full API reference is at api.dnsafe.net/docs.

The DNSAFE REST API covers the full platform: All endpoints return JSON. Rate limits are 60 req/min on Personal, 300 req/min on Growth, and 1,000 req/min on Enterprise/Scale plans.

DNSAFE supports log streaming to SIEM platforms on Growth and Enterprise plans. Under Settings → Integrations → SIEM:

• Syslog (UDP/TCP) — stream logs in CEF or JSON format to any syslog-capable SIEM.
• HTTP webhook — push log events to a custom endpoint (useful for Splunk HEC, Elastic, etc.).
• Amazon S3 — dump logs hourly to an S3 bucket for long-term archiving or bulk analysis.

Pre-built integrations are available for Splunk, Microsoft Sentinel, and Elastic. See docs.dnsafe.net/msp for connector guides.

PSA integration is available on Scale and Enterprise MSP plans. Once connected, DNSAFE can:

• Auto-create tickets in your PSA when a high-severity threat is detected for a client.
• Sync client names between DNSAFE tenants and PSA accounts.
• Push monthly usage reports as notes or attachments on client records.

Set up the integration under Partner Settings → PSA Integration. You'll need your PSA API credentials. Supported PSAs: ConnectWise Manage, Autotask, HaloPSA.

Yes. Configure webhooks under Settings → Integrations → Webhooks. Events you can subscribe to:

• threat.blocked — fired when a high-severity threat domain is blocked.
• policy.changed — fired when a policy is modified.
• tenant.created / tenant.deleted — MSP lifecycle events.
• usage.threshold — fired when seat usage crosses a configured percentage.

Payloads are signed with an HMAC-SHA256 signature using your webhook secret, so you can verify authenticity on your end.

Go to Billing → Change Plan in the portal. Upgrades take effect immediately and you're charged a prorated amount for the remainder of the billing cycle. Downgrades take effect at the next renewal date.

Billing → Cancel Subscription. Your access continues until the end of the current billing period. Log data is retained for 30 days after cancellation. If you're cancelling due to a problem, please contact support first — we're happy to help resolve issues or pause your account.

Yes. We offer a full 30-day money-back guarantee on all paid plans. If you're not satisfied within 30 days of your first charge, contact support@dnsafe.net and we'll issue a full refund — no questions asked. After 30 days, refunds are reviewed on a case-by-case basis. See our Refund & Cancellation Policy for full details.

Billing → Invoices in the portal. All invoices are available as PDF download and are also emailed to your billing contact on the first of each month.

Yes — paying annually saves 20% compared to monthly billing on all consumer and business plans. You can switch to annual billing at any time from Billing → Change Plan. The saving is applied immediately on a prorated basis for any remaining months in your current cycle. MSP Enterprise and Scale plans can also be invoiced annually — contact sales@dnsafe.net to arrange this.

1. Check Logs for the domain and note the block reason (category or custom rule).
2. If it's a false positive in a threat category, report it via the form below — include the domain and your use case. ThreatGrid recategorisation requests are reviewed within 24h.
3. For immediate access: add the domain to your policy's Allow List.

1. Confirm DNS is actually hitting DNSAFE: run nslookup whoami.dnsafe.net — it should return your registered location's name.
2. If it returns nothing or a generic response, your DNS isn't going through DNSAFE. Check your router/firewall DNS settings.
3. If the location is shown but filtering isn't working, check the policy assigned to that location and verify the relevant categories are toggled on.

• Ensure the DNSAFE service is running: Windows: services.msc → DNSAFE Agent. macOS: check System Preferences → Privacy & Security → Extensions.
• Verify outbound HTTPS (port 443) to agent.dnsafe.net isn't blocked by a corporate firewall.
• Re-enter the organisation token: agent tray icon → Settings → Re-register.
• If on a corporate network that forces DNS, the agent will defer to the network policy while on that network — this is expected behaviour.

If a location shows zero queries for more than 15 minutes after setup:

1. Confirm the resolver IPs are set correctly on the router/device.
2. Check that no upstream DNS (like ISP-provided) is overriding your settings — some routers require disabling "DNS Rebind Protection" for external resolvers.
3. Test from a device on that network: nslookup test.dnsafe.net <resolver-ip>
4. Ensure UDP port 53 outbound isn't being blocked by a firewall ACL.

This happens when HTTPS sites are blocked — the browser sees a certificate mismatch because DNSAFE redirects to the block page domain, not the original. To fix this for your users, install the DNSAFE root certificate on managed devices. Download it from Settings → Block Page → Download Root CA and deploy via Group Policy (Windows) or MDM profile (macOS/iOS).

Use the Domain Intel tool in the portal (sidebar → Domain Intel). Enter any domain to see its ThreatGrid score, category classification, and how it would be handled by each of your policies. You can also run a live test without affecting real traffic.

This is expected behaviour when DNSAFE blocks an HTTPS site and redirects to the block page. Because the original domain's SSL certificate doesn't match the block page domain, the browser shows a certificate warning.

Fix for managed devices

1. Download the DNSAFE Root CA from Settings → Block Page → Download Root CA.
2. Deploy to devices via Group Policy (Windows), MDM profile (macOS/iOS), or your device management platform.

For unmanaged / home devices

Install the certificate manually: open the downloaded .crt file, click Install Certificate, and place it in the Trusted Root Certification Authorities store (Windows) or Keychain (macOS). After installing, the block page will display cleanly with no warning.

Sign up at my.dnsafe.net — no credit card required for a free account. Then:

1. Point your device's DNS to 3.12.124.91 (see DNS Setup section for platform-specific steps).
2. Go to Devices and register your public IP address.
3. Browse normally — DNSAFE's global blocklist is active immediately.
4. Add custom block or allow rules from the Rules page.

The free plan covers 1 device and up to 5 custom rules. Upgrade to Personal or Family for more devices and rules.

Standard DNS (UDP/TCP port 53)

3.12.124.91

DNS-over-HTTPS (DoH)

https://api.dnsafe.net/dns-query

DNS-over-TLS (DoT)

api.dnsafe.net:853

Standard DNS is the easiest to configure on routers and most devices. DoH and DoT add encryption and are supported by most modern browsers and mobile operating systems natively.

DNSAFE uses IP-based device mapping to apply your personal rules and log your queries. To register a device:

1. Find your public IP — visit api.ipify.org or search "what is my IP".
2. Go to my.dnsafe.net/devices and click Add Device.
3. Enter your IP and a label (e.g. "Home Router") and save.

If your ISP changes your IP periodically, update the device entry when this happens. Setting DNS on your router (instead of individual devices) means you only need one device entry for your whole home.

Device limits by plan: Free: 1 · Personal: 5 · Family: Unlimited · Pro: 25

Custom rules let you add personal block or allow entries on top of DNSAFE's global blocklist. Rules apply only to devices registered to your account.

Block rules

Prevent your devices from resolving a specific domain — useful for blocking distracting or unwanted sites (e.g. reddit.com, tiktok.com).

Allow rules

Force a domain to resolve normally even if it appears on the global blocklist. Allow rules are checked before the global blocklist, so they always win. Use this if DNSAFE is over-blocking a domain you need.

Rule limits by plan

• Free: 5 rules
• Personal: 25 rules
• Family: 100 rules
• Pro: 500 rules

Manage rules at my.dnsafe.net/rules. Rules take effect within seconds.

Free — $0/mo

1 device · 5 custom rules · Global threat blocklist · Query logs

Personal — $2.99/mo

5 devices · 25 custom rules · Ad blocking · Extended logs · Add-ons available

Family — $7.99/mo

Unlimited devices · 100 custom rules · Parental controls · Ad blocking · All add-ons

Pro

25 devices · 500 custom rules · API access add-on · Priority support

Upgrade any time from my.dnsafe.net/billing. Upgrades take effect immediately.

Check these in order:

1. DNS is actually pointing to DNSAFE. Run nslookup example.com 3.12.124.91 (Windows) or dig example.com @3.12.124.91 (Mac/Linux). If it times out, DNS isn't set correctly.
2. Your browser isn't overriding DNS. Chrome and Edge both have "Secure DNS" settings that bypass the system resolver. In Chrome: Settings → Privacy → Security → Use secure DNS — turn it off or set it to custom and enter https://api.dnsafe.net/dns-query. Same location in Edge.
3. Your public IP is registered. Check Devices — the IP shown must match your current public IP.
4. The domain matches exactly. Rules don't automatically cover subdomains — blocking reddit.com doesn't block old.reddit.com. Add subdomains as separate rules if needed.

Go to my.dnsafe.net/rules, enter the domain, and set the action to Allow. Allow rules override the global blocklist — the domain will resolve normally for all devices registered to your account.

If the domain is being blocked by the global ThreatGrid blocklist and you believe it's a false positive, you can also report it via the support form below so we can review the categorisation.

Add-ons are available on Personal, Family, and Pro plans and can be managed at my.dnsafe.net/addons.

• Parental Controls ($1.99/mo) — blocks adult content, gambling, and age-inappropriate categories.
• Extended Logs ($0.99/mo) — keeps 180 days of query history.
• Usage Reports ($4.99 one-time) — generates a detailed PDF report of your DNS activity.
• API Access ($2.99/mo) — programmatic access to your rules and logs (Personal and Family plans only).