Encrypted DNS is often described as a privacy improvement, and that can be true. It protects DNS traffic between the device and the resolver. For families, the practical question is not whether encrypted DNS is good or bad. The question is which resolver receives the encrypted query.
A family filter can still work with encrypted DNS when the family filtering resolver is the resolver being used. It can stop working when a browser, operating system, VPN, or private relay feature sends DNS somewhere else.
What encrypted DNS changes
Traditional DNS is easy for the local network path to observe. DNS over HTTPS carries DNS queries through HTTPS exchanges,1 while DNS over TLS uses TLS for DNS transport.2 Both can protect the lookup while it travels to the resolver.
That transport protection does not make policy disappear. The resolver still receives the query and decides how to answer. If the resolver is your family filtering resolver, it can still enforce category and rule decisions.
When family filtering still works
Filtering still works when the device, browser, router, or profile is configured to use the filtering resolver. Some products support encrypted DNS endpoints directly. In those cases, the family gets transport privacy and policy in the same path.
The setup should be explicit. Parents should know which resolver the device uses and whether a browser has its own secure DNS setting that overrides the system setting.
When filtering can be bypassed
Filtering can be bypassed when a device uses mobile data, a VPN resolver, a browser secure DNS resolver, a private relay feature, or a manual DNS setting outside the family policy. This can happen by accident or intentionally.
The symptom is simple: the family resolver no longer sees the lookup, so it cannot apply the rule. A log gap can be as important as a blocked domain when troubleshooting.
What families can do
Start by checking device DNS settings, browser secure DNS settings, VPN apps, and mobile data behavior. For younger children, use device permissions to limit settings changes. For older children, explain why the family resolver exists and what it does not do.
Avoid treating encrypted DNS as the enemy. The useful target is alignment: privacy-protecting transport to a resolver that enforces the family policy the household agreed to use.
FAQ
Is encrypted DNS bad for families?
No. Encrypted DNS can improve privacy. The issue is whether the encrypted DNS resolver still enforces the family policy.
Does DNS over HTTPS always bypass filtering?
No. DNS over HTTPS can carry queries to a filtering resolver or to a resolver outside the family policy. The resolver choice matters.
Can parents block every encrypted DNS bypass?
Not with DNS filtering alone. Device management, router rules, account permissions, and family expectations all matter.