Apple Screen Time + DNS Filtering: The Complete-Coverage Setup for Families

If you have an iPhone or iPad in the house, you've probably already met Apple Screen Time. You can set app limits, schedule downtime, lock down content ratings, and get a weekly report on where the hours went. On Android, Google's Digital Wellbeing does much the same. These are genuinely good tools, and for managing how a single device is used, they're hard to beat.

But families don't run on a single device. There's the smart TV in the living room, the tablet that gets passed between siblings, the old phone that's now a music player, the game console, and the laptop a guest brings over. Screen Time governs the Apple devices it's installed on. It doesn't reach the rest. That gap is exactly where network-level DNS filtering fits, and the two approaches turn out to complement each other well.

This is a guide to running them together for complete coverage: the device layer that Apple and Google already handle well, plus the network layer that catches everything else.

What Screen Time and Digital Wellbeing do well

It's worth being specific about the strengths here, because they're real and you should keep using them.

Apple Screen Time is strong at time and behavior on the device itself:

• App and category time limits ("one hour of games per day")
• Downtime schedules that grey out apps at bedtime
• Content and privacy restrictions tied to a child's Apple ID
• Communication limits and purchase approvals through Family Sharing
• A weekly activity report so you can see patterns and have a conversation about them

Google Digital Wellbeing offers a similar device-level toolkit on Android: app timers, Bedtime mode, Focus mode, and dashboards that show daily usage.

These tools are tied to an operating system and an account. That's their power and their boundary. They know the device intimately, which is why they can enforce a per-app timer. But they can only enforce on the devices where they're installed and signed in.

Where the gap shows up

The boundary becomes obvious the moment a household has more than a couple of devices. A few common cases:

• The smart TV streams whatever its apps point at. Screen Time has no presence there.
• A guest's phone joins the Wi-Fi for the afternoon. Nothing on your account governs it.
• A second-hand tablet running an old OS may not support the latest controls.
• A games console or streaming stick sits entirely outside the phone-and-tablet world these tools were built for.
• A determined teenager who has worked out one device-level setting hasn't necessarily worked out anything that applies to the whole network.

None of this is a flaw in Screen Time. It's just operating at the device layer. To cover the rest, you need a layer that sits underneath all of them, and that's DNS.

What DNS filtering adds

Every time any device wants to reach a website, app server, or streaming service, it first asks a DNS resolver to translate the name (like example.com) into an address. That lookup happens before any connection is made. If you point a device at a filtering resolver, you get to decide which names resolve and which don't, for that device, regardless of its operating system or who's signed in.

Because it works at the network layer, DNS filtering is:

• Device-agnostic. TVs, consoles, tablets, laptops, and guest phones can all use the same resolver.
• Account-independent. It doesn't need a child's Apple ID or a Google sign-in to apply a policy.
• Category-oriented. Instead of governing time, it governs which kinds of destinations are reachable at all.

With Guardino, the resolver enforces policies you choose per profile. These include the Mind Shield list, which targets domains built around attention manipulation and the dopamine loops behind apps designed to be hard to put down; adult and parental filtering; Safe Search enforcement; a social-media bundle; gambling and focus categories; and curated blocklists for ads, trackers, malware, and phishing. You can also add your own allow and deny rules for the specific sites your family cares about.

What it deliberately does not do is govern time on a device or limit a single app's daily minutes. That's Screen Time's job, and it does it better. The division of labor is the point.

Screen Time decides how long an app is used. DNS filtering decides whether a category of destinations is reachable at all. One is a clock; the other is a gate. Families do best with both.

The complete-coverage setup, step by step

Here's a practical way to run them together without overlap or confusion.

1. Keep Screen Time (or Digital Wellbeing) where it already is

Don't change a thing on your existing setup. App limits, downtime, content ratings, and purchase approvals stay exactly as they are. If you haven't configured a weekly report or a bedtime schedule yet, this is a good moment, because the network layer won't do that part for you.

2. Create your DNS profiles

In the Guardino dashboard, set up at least two profiles so you can apply different policies to different family members. A typical split:

• A child profile with Mind Shield, adult-content filtering, Safe Search, the social-media bundle, and the ads, trackers, malware, and phishing blocklists turned on.
• An adult profile that's lighter, perhaps just ads, trackers, and security blocklists, plus Mind Shield if you want a calmer feed for yourself.

Each profile carries its own DNS configuration and its own custom allow and deny rules. You can register and set this up in a few minutes.

3. Configure the network layer once per device

Each profile's DNS is applied once per device. The configuration uses encrypted DNS so the lookups stay private in transit:

• On iPhone and iPad, install the profile's .mobileconfig file from the setup page. This sets the device's DNS to your chosen profile.
• On Android, use the QR code in setup, or set the bare hostname dns1.guardino.ai as the Private DNS provider in system settings (this uses DoT).
• On laptops, TVs, and consoles, point the device, or your router, at the profile's encrypted DNS endpoint. The DoH URL carries the per-profile token, so a device set up with the child profile stays on the child policy.

There's no app to install. The full walkthrough lives on the setup page.

4. Decide where to apply each profile

A common arrangement:

• Children's personal devices get the child profile.
• Shared devices (the living-room TV, a family tablet) get the child profile too, since the strictest reasonable policy is the safe default for shared screens.
• Adults' personal devices get the adult profile.
• The router can carry the child profile as a baseline, so any guest device that joins Wi-Fi inherits sensible filtering without anyone configuring it.

5. Check the dashboard, not just the device

Screen Time's weekly report tells you how long apps were used. The Guardino dashboard tells you what domains devices actually tried to reach, with real query stats and logs per profile. Reading both gives you a fuller picture: time-on-app from one, destinations-attempted from the other. If something is being blocked that shouldn't be, you add an allow rule; if you spot a category you'd rather close off, you toggle it on.

Living with both layers

A couple of honest notes on what to expect.

The two systems don't talk to each other, and they don't need to. They sit at different layers and never contradict. If a domain is blocked at the DNS level, no Screen Time setting will un-block it, and the reverse holds too. When you want an exception, you make it in the layer that's enforcing the rule, which is usually obvious from context: time and app limits live in Screen Time; site and category access lives in the Guardino dashboard.

DNS filtering also isn't a content-inspection tool, and that's by design. It sees the domain a device asked for, not the page within it or anything typed on it. Query metadata is kept for 30 days by default and is yours to shorten or delete whenever you like; device IPs aren't kept in long-term storage, and nothing is sold or shared. If you want the precise posture, the privacy page lays it out. The point of mentioning it here is that adding network-level coverage doesn't mean adding scrutiny of your family. It means closing a gap at the level of which destinations are reachable.

A calmer division of labor

The instinct to pick one tool and lean on it entirely is understandable, but it leaves real gaps. Screen Time and Digital Wellbeing are good at the device: time, apps, schedules, reports. DNS filtering is good at the network: categories and domains, across everything that connects, including the screens those device tools were never going to reach.

Run them together and each does the part it's built for. Start with the controls you already have, add a filtering profile or two, point your devices at them once, and let the two layers cover the household between them.