How to enforce a DNS filtering service

On this page

Prerequisites

The following assumes you have already installed Plucky, and that you know how to open a console window for typing pluck commands.

This guide also assumes your delay is 0 so that the commands described herein have immediate effect. If your delay is not 0, you can set it to 0 first.

pluck delay 0

Use a DNS filtering provider and lock DNS settings

The following requires Plucky v0.99.59 or newer.

Blocking “bad sites”

First, you need the IP address of a DNS filtering provider such as CleanBrowsing, Safe Surfer, or OpenDNS. As an example, the IP address to use CleanBrowsing’s family filter is 185.228.168.168.

Second, configure your computer or home router to use that DNS provider. If you’ve never done this, see CleanBrowsing’s excellent guide on accomplishing this. It’s not that hard.

Third, you must allow the specific IP. In this example, we imagine that we have configured our computer to use CleanBrowsing’s family filter at 185.228.168.168. That is the IP address we use here.

pluck + allow 185.228.168.168

Note that if you configured the DNS on your router instead of your computer, you’ll want to allow the IP address of your router instead. An example router IP address is 192.168.1.1.

pluck + allow 192.168.1.1

Stop here. Do not proceed until the IP rule has become effective or you will lose Internet.

You can verify the rule to allow the IP address has become effective by using the eval command with the IP address you specified above.

pluck eval 185.228.168.168

Once that is done, configure Plucky to block other DNS traffic. This can be accomplished using the following commands.

pluck + block port 53
pluck + block port 853
pluck + block port 5353
pluck + block port 8443
pluck + nodoh
pluck + system

Congratulations, you now have DNS-based filtering set up and enforced by Plucky!

If you do nothing else, you’ll still have images and videos blocked by default. If you want to allow images, videos, and the rest by default, read on.

Allowing everything else

If you now feel it is safe for you to allow images, video, and a few other things by default, you may do so using the following gobbledygook.

pluck - block image/
pluck - block video/
pluck - block application/mp4
pluck - block application/octet-stream
pluck - block application/vnd.rn-realmedia
pluck - block application/vnd.rn-realmedia-vbr
pluck - block application/x-bittorrent
pluck - block application/x-iso9660-image
pluck - block application/x-shockwave-flash
pluck - block application/x-silverlight
pluck - block audio/x-pn-realaudio

Alternatively, you can clear your Plucky configuration completely using the clear command (pluck clear), and then re-adding all of the rules that you added while following this guide.

“Will this work with my VPN?”

Usually a VPN client assigns its own DNS addresses so you would need to configure the VPN to use CleanBrowsing / Safe Surfer instead.

Many VPN providers have this configurable under a setting called Custom DNS, but if it’s not in the software dashboard you can try to manually configure the virtual network adapter in your Network Settings.

If all else fails and you can only have one, ask yourself which is more important: privacy or an Internet landscape with significantly fewer pitfalls?

“But I live under tyranny and NEED a VPN!”

Then an alternative to using a safe DNS filter is to import wimpy.

It’s not 1-to-1 with the DNS provider’s lists, and it isn’t striving to be, but the way wimpy is able to flee rather than just block makes the coverage comparable, if not more effective.

Finished

There you have it.

If you find this setup works well for you, or falls short in practice, please do provide feedback.

Last updated: 2026-02-06