Carrier Grade NAT (CGNAT)

Written by Owen Parry

Updated at August 5th, 2025

Carrier Grade NAT (CGNAT) and DNS Filtering Issues


Carrier Grade NAT (CGNAT) is a technique used by Internet Service Providers (ISPs) to conserve IPv4 addresses by allowing multiple customers to share a single public IP address. While CGNAT helps mitigate IPv4 exhaustion, it introduces several challenges, especially in the context of DNS filtering and network security.

 

What is Carrier Grade NAT (CGNAT)?


CGNAT, also known as Large Scale NAT (LSN), is a type of Network Address Translation where the ISP assigns private IP addresses to customer devices and translates them to a shared public IP address at the ISP level.

Key Characteristics:

  • Multiple users share a single public IP.
  • NAT occurs at the ISP level, not just within the home or business network.
  • Often used in mobile networks and some residential broadband services.
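Before tying a filtering policy to a site's public IP, it helps to confirm whether that site sits behind ISP-level NAT. The following is an added example, not CyberFOX code: it compares the router's WAN address with the address an external service observes, and relies on the 100.64.0.0/10 shared address space that RFC 6598 reserves for carrier-grade NAT (a range this article does not mention). The function name, verdict labels and sample addresses are constructed for illustration.

```python
import ipaddress

# RFC 6598 shared address space, reserved for carrier-grade NAT.
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges: a second NAT layer, not necessarily the ISP's.
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(wan_ip: str, observed_public_ip: str) -> str:
    """Classify a site from its router WAN address and the public address
    an external service sees for it (both supplied by the caller)."""
    wan = ipaddress.ip_address(wan_ip)
    seen = ipaddress.ip_address(observed_public_ip)
    if wan.version == 6:
        # Globally routed IPv6 is not translated by CGNAT.
        return "ipv6-no-cgnat" if wan.is_global else "ipv6-not-global"
    if wan in CGNAT_NET:
        return "cgnat"                # ISP handed out shared address space
    if any(wan in net for net in RFC1918_NETS):
        return "upstream-nat"         # another NAT in front: modem or ISP
    if wan != seen:
        return "translated-upstream"  # public WAN IP, but not what the internet sees
    return "direct-public-ip"         # IP-based location policy maps to this site only


# Constructed sample sites: (label, router WAN address, externally observed address).
SAMPLES = [
    ("branch-a", "100.72.14.9", "203.0.113.20"),
    ("branch-b", "192.168.1.2", "203.0.113.20"),
    ("branch-c", "203.0.113.45", "203.0.113.45"),
]

if __name__ == "__main__":
    for label, wan, seen in SAMPLES:
        print(f"{label}: WAN {wan}, seen as {seen} -> {classify_wan(wan, seen)}")
```

A verdict of `cgnat`, `upstream-nat` or `translated-upstream` means the public IP may be shared, so an IP-based policy for that site can also match other subscribers.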

 

Issues CGNAT Causes with DNS Filtering


DNS filtering relies on identifying and blocking or redirecting DNS queries based on the source IP address or domain name. CGNAT complicates this process in several ways:

Loss of Source IP Granularity

Since multiple users share a single public IP, DNS filtering systems may not accurately identify which user made a specific request.

Rate Limiting and Blocking

DNS filtering services may rate-limit or block requests from a CGNAT-shared IP due to perceived abuse or high traffic volume.

Inconsistent Policy Enforcement

Filtering policies tied to IP addresses may apply incorrectly to multiple users behind the same CGNAT IP.

Logging and Auditing Challenges

Logs may not accurately reflect individual user activity, which can complicate compliance and security audits.

 

Workarounds and Solutions


Use DNS-over-HTTPS (DoH)

CyberFOX DNS-over-HTTPS (DoH): A secure DNS resolution method that encrypts DNS traffic and ensures filtering policies are applied even when traditional DNS is blocked or intercepted by ISPs. This will enable granular control, centralized management, and consistent policy enforcement across all devices.

Deploy Client-Based DNS Filtering

CyberFOX DNS Agent: A lightweight client installed on endpoints that enforces DNS filtering policies per device, regardless of the network or IP address. This will allow for granular control, centralized management, and consistent policy enforcement across all devices.

Switch to IPv6 Where Available

IPv6 provides unique public IPs for each device, eliminating the need for CGNAT. Check if your ISP supports IPv6 and enable it on your router and devices.

 
