DNS Filtering with Shared IPs (Carrier Grade NAT / CGNAT)
Carrier Grade NAT (CGNAT) and DNS Filtering Issues
Carrier Grade NAT (CGNAT) is a technique used by Internet Service Providers (ISPs) to conserve IPv4 addresses by allowing multiple customers to share a single public IP address. While CGNAT helps mitigate IPv4 exhaustion, it introduces several challenges, especially in the context of DNS filtering and network security.
What is Carrier Grade NAT (CGNAT)?
CGNAT, also known as Large Scale NAT (LSN), is a type of Network Address Translation where the ISP assigns private IP addresses to customer devices and translates them to a shared public IP address at the ISP level.
Key Characteristics:
- Multiple users share a single public IP.
- NAT occurs at the ISP level, not just within the home or business network.
- Often used in mobile networks and some residential broadband services.
Issues CGNAT Causes with DNS Filtering
DNS filtering relies on identifying and blocking or redirecting DNS queries based on the source IP address or domain name. CGNAT complicates this process in several ways:
Loss of Source IP Granularity
Since multiple users share a single public IP, DNS filtering systems may not accurately identify which user made a specific request.
Rate Limiting and Blocking
DNS filtering services may rate-limit or block requests from a CGNAT-shared IP due to perceived abuse or high traffic volume.
Inconsistent Policy Enforcement
Filtering policies tied to IP addresses cannot distinguish between customers behind the same CGNAT IP, so a policy intended for one customer is applied to every user who shares that address, and conflicting policies for different customers cannot coexist.
Logging and Auditing Challenges
Logs may not accurately reflect individual user activity, which can complicate compliance and security audits.
Workarounds and Solutions
Use DNS-over-HTTPS (DoH) (Recommended)
CyberFOX DNS-over-HTTPS (DoH): The primary workaround for CGNAT environments. DoH encrypts DNS traffic and routes it through a unique per-device or per-profile URL, ensuring filtering policies are applied correctly regardless of shared IP addresses. This enables granular control, per-device reporting, and consistent policy enforcement without relying on source IP identification. See: Roaming Devices
Deploy the CyberFOX DNS Agent (Recommended for managed Windows endpoints)
CyberFOX DNS Agent: A lightweight Windows client installed on endpoints that enforces DNS filtering policies per device, regardless of the network or IP address. Like DoH, it bypasses the IP-based identification problem entirely by binding filtering to the device rather than the network. See: Agent-Based Devices
Switch to IPv6 Where Available (Long-term option)
IPv6 provides a unique public IP for each device, which would eliminate the shared-IP problem at the network level. However, this requires full end-to-end IPv6 support from your ISP and all network infrastructure, and is not a practical immediate solution for most environments. If your ISP supports IPv6 and your infrastructure is ready, enabling it can complement the filtering improvements above — but DoH or the DNS Agent should be the primary fix for CGNAT.
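The following added example (not CyberFOX's code, and not part of the original article) simulates the three CGNAT failure modes described above, policy misapplication, rate limiting and log attribution, and shows why a per-device identifier carried in the DoH URL fixes them. The traffic is constructed: two subscribers, device-A and device-B, share the CGNAT address 203.0.113.10 (a documentation range), and the path format "/dns-query/<device-id>" is an assumed illustration of a per-device DoH URL, not CyberFOX's actual URL scheme.

```python
"""Simulate an IP-keyed DNS filter behind CGNAT versus one keyed by a
per-device DoH path. All traffic and policies below are constructed."""
from collections import Counter

# Constructed sample traffic: device-A and device-B share one CGNAT public
# address (203.0.113.10). device-C sits on its own address. Each record holds
# the source IP the resolver sees plus the DoH path the query arrived on.
# The "/dns-query/<device-id>" layout is an assumption for illustration only.
SAMPLE_QUERIES = [
    {"src_ip": "203.0.113.10", "doh_path": "/dns-query/device-A", "qname": "news.example"},
    {"src_ip": "203.0.113.10", "doh_path": "/dns-query/device-A", "qname": "social.example"},
    {"src_ip": "203.0.113.10", "doh_path": "/dns-query/device-B", "qname": "social.example"},
    {"src_ip": "203.0.113.10", "doh_path": "/dns-query/device-B", "qname": "news.example"},
    {"src_ip": "198.51.100.7", "doh_path": "/dns-query/device-C", "qname": "social.example"},
]

# Subscriber A wants social.example blocked; subscriber B does not.
# An IP-keyed filter can hold only one policy per public address, so A's
# policy ends up applied to everyone behind 203.0.113.10, including B.
IP_POLICY = {"203.0.113.10": {"social.example"}}
# A per-device policy table has no such collision.
DEVICE_POLICY = {"device-A": {"social.example"}, "device-B": set(), "device-C": set()}


def device_id(query):
    """Extract the per-device identifier from the (assumed) DoH path layout."""
    return query["doh_path"].rsplit("/", 1)[-1]


def decide_by_ip(query):
    """Filtering decision when the client is identified by source IP only."""
    blocked = IP_POLICY.get(query["src_ip"], set())
    return "BLOCK" if query["qname"] in blocked else "ALLOW"


def decide_by_device(query):
    """Filtering decision when the client is identified by its DoH device id."""
    blocked = DEVICE_POLICY.get(device_id(query), set())
    return "BLOCK" if query["qname"] in blocked else "ALLOW"


def misapplied_decisions(queries):
    """Queries where the IP-keyed filter disagrees with the per-device filter:
    these are the users wrongly affected by a neighbour's policy under CGNAT."""
    return [q for q in queries if decide_by_ip(q) != decide_by_device(q)]


def over_rate_limit(queries, per_client_limit, key):
    """Clients whose query count exceeds per_client_limit when clients are
    identified by key(query). Keyed by IP, the shared address trips the limit
    even though no single subscriber is busy."""
    counts = Counter(key(q) for q in queries)
    return {client for client, n in counts.items() if n > per_client_limit}


def attribute_logs(queries, key):
    """Group queried names per client identity, as an audit log would."""
    log = {}
    for q in queries:
        log.setdefault(key(q), []).append(q["qname"])
    return log


if __name__ == "__main__":
    by_ip = lambda q: q["src_ip"]
    for q in misapplied_decisions(SAMPLE_QUERIES):
        print(f"{device_id(q)} asking {q['qname']}: by IP {decide_by_ip(q)}, "
              f"by device {decide_by_device(q)}")
    print("rate-limited by IP:    ", over_rate_limit(SAMPLE_QUERIES, 3, by_ip))
    print("rate-limited by device:", over_rate_limit(SAMPLE_QUERIES, 3, device_id))
    print("log keyed by IP:       ", attribute_logs(SAMPLE_QUERIES, by_ip))
    print("log keyed by device:   ", attribute_logs(SAMPLE_QUERIES, device_id))
```

Running it shows device-B's lookup of social.example being blocked by A's policy under IP keying but allowed under device keying, the shared address alone exceeding a per-client limit of 3 while no individual device does, and the IP-keyed log merging A's and B's activity into one indistinguishable entry. The per-device path is the property DoH (or an endpoint agent) supplies that plain DNS over a CGNAT address cannot.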