US English (US)
FR French
DE German
ES Spanish
IT Italian
NL Dutch
JP Japanese

Contact Us

If you still have questions or prefer to get help directly from an agent, please submit a request.
We’ll get back to you as soon as possible.

  • Contact Us
English (US)
US English (US)
FR French
DE German
ES Spanish
IT Italian
NL Dutch
JP Japanese
  • Home
  • CyberFOX DNS Filtering
  • Getting Started

Carrier Grade NAT (CGNAT)

Written by Owen Parry

Updated at August 5th, 2025

Contact Us

If you still have questions or prefer to get help directly from an agent, please submit a request.
We’ll get back to you as soon as possible.

  • AutoElevate Knowledgebase
    New to AutoElevate? START HERE General & Troubleshooting Managing Rules Integrations Announcements FAQ Sales & Marketing How to Videos
  • Password Boss Knowledgebase
    Using Password Boss Business Administration Password Boss Partner Documents
  • CyberFOX DNS Filtering
    Getting Started Filtering Policies Company and Location Setup Roaming Clients Reporting and Logging
  • Marketing Toolkit
    MSP Marketing & Education Toolkit
  • Changelogs for Autoelevate and Password Boss
  • Current Status
+ More

Table of Contents

Carrier Grade NAT (CGNAT) and DNS Filtering Issues What is Carrier Grade NAT (CGNAT)? Key Characteristics: Issues CGNAT Causes with DNS Filtering Loss of Source IP Granularity Rate Limiting and Blocking Inconsistent Policy Enforcement Logging and Auditing Challenges Workarounds and Solutions Use DNS-over-HTTPS (DoH) Deploy Client-Based DNS Filtering Switch to IPv6 Where Available

Carrier Grade NAT (CGNAT) and DNS Filtering Issues


Carrier Grade NAT (CGNAT) is a technique used by Internet Service Providers (ISPs) to conserve IPv4 addresses by allowing multiple customers to share a single public IP address. While CGNAT helps mitigate IPv4 exhaustion, it introduces several challenges, especially in the context of DNS filtering and network security.

 

What is Carrier Grade NAT (CGNAT)?


CGNAT, also known as Large Scale NAT (LSN), is a type of Network Address Translation where the ISP assigns private IP addresses to customer devices and translates them to a shared public IP address at the ISP level.

Key Characteristics:

  • Multiple users share a single public IP.
  • NAT occurs at the ISP level, not just within the home or business network.
  • Often used in mobile networks and some residential broadband services.

 

Issues CGNAT Causes with DNS Filtering


DNS filtering relies on identifying and blocking or redirecting DNS queries based on the source IP address or domain name. CGNAT complicates this process in several ways:

Loss of Source IP Granularity

Since multiple users share a single public IP, DNS filtering systems may not accurately identify which user made a specific request.

Rate Limiting and Blocking

DNS filtering services may rate-limit or block requests from a CGNAT-shared IP due to perceived abuse or high traffic volume.

Inconsistent Policy Enforcement

Filtering policies tied to IP addresses may apply incorrectly to multiple users behind the same CGNAT IP.

Logging and Auditing Challenges

Logs may not accurately reflect individual user activity, which can complicate compliance and security audits.

 

Workarounds and Solutions


Use DNS-over-HTTPS (DoH)

CyberFOX DNS-over-HTTPS (DoH): A secure DNS resolution method that encrypts DNS traffic and ensures filtering policies are applied even when traditional DNS is blocked or intercepted by ISPs.This will enable granular control, centralized management, and consistent policy enforcement across all devices.

Deploy Client-Based DNS Filtering

CyberFOX DNS Agent: A lightweight client installed on endpoints that enforces DNS filtering policies per device, regardless of the network or IP address. This will allow for granular control, centralized management, and consistent policy enforcement across all devices.

Switch to IPv6 Where Available

IPv6 provides unique public IPs for each device, eliminating the need for CGNAT. Check if your ISP supports IPv6 and enable it on your router and devices.

 

network address translation shared ip

Was this article helpful?

Yes
No
Give feedback about this article

Related Articles

  • Proxy Service
  • Deploying AutoElevate Using Powershell
  • Understanding DNS Filtering
  • Products
    • Privileged Access Management
    • Password Management
  • Solutions
    • For MSPs
    • For IT Pros
    • By Industry
  • Resources
    • Weekly Demos
    • Events
    • Blog
    • FAQ
  • Company
    • Leadership
    • Culture + Values
    • Careers
    • Awards
    • News & Press
    • Trust Center
    • Distributors
  • Get Pricing
  • Free Trial
  • Request a Demo
  • Support
  • Login
  • Contact
4925 Independence Parkway
Suite 400
Tampa, FL 33634
CALL US (813) 578-8200
  • Link to Facebook
  • Link to Linkedin
  • Link to Twitter
  • Link to Youtube
© 2023 CYBERFOX LLC ALL RIGHTS RESERVED  |  Privacy Policy

Knowledge Base Software powered by Helpjuice

Expand