Layer 7 of 7 — you are here
Day Seven · Companion to Chapter 10
The Perimeter Walk
Day Seven, you switch sides. For one afternoon you're not the parent who built the fortress — you're the twelve-year-old trying to get out of it. Walk the perimeter, push on every wall, and find the seams before someone else does. Then run the test protocol that proves the whole stack holds.
The bypass checklist
Go device by device down your Inventory. On each one, hunt for:
VPNs — apps AND configurations
- VPN apps: search each device's installed apps for "VPN" — and for the names that don't say VPN (many bypass apps brand themselves as "private browsers" or "proxies").
- VPN configurations in settings: a VPN doesn't need an app. iOS: Settings → General → VPN & Device Management — check for VPN configurations you didn't create. Android: Settings → Network & internet → VPN. A hand-entered configuration survives app audits entirely.
- Block future installs: your NextDNS "Block Bypass Methods" toggle (Layer 1) plus purchase approvals (Layer 2) are the standing defense; this walk catches what predates them.
VPN-capable browsers — and vendor siblings
- Some browsers ship with a free built-in VPN. Opera is the flagship example — and here's the trap: remove Opera, and Opera Air or Opera GX (same maker, same built-in free VPN) passes a name-based audit.
- The sibling rule: when you remove any bypass-capable app, search the app store for the maker's other apps. Removal audits fail on siblings.
- Other browsers to check at audit time: Aloha (built-in VPN on every platform), and any browser advertising "free VPN" in its store listing — the list grows; search the store, don't trust memory.
Per-device DNS overrides
- iOS: Settings → Wi-Fi → (i) next to your network → Configure DNS — should say Automatic, not Manual with a stranger's servers.
- Android: Private DNS (Settings → Network & internet) — should be your hostname or off, never an unknown one.
- Computers: network adapter DNS settings on each user account.
Browser secure-DNS toggles
- Chrome, Firefox, Edge, Brave — each has its own DNS-over-HTTPS setting that can quietly route around your wall (paths in Layer 3's factory tunnels table). Check every browser on every device, including the browsers you forgot were installed.
Hotspot restrictions
- A kid's phone with an open hotspot is a fresh unfiltered network for every other device in the house. The honest state of hotspot control: carrier family apps mostly can't kill hotspot per line. Verizon support can place a per-line hotspot block if you call and ask (their family app only pauses all data); AT&T and T-Mobile currently offer no per-line hotspot disable. On the device side, Screen Time cannot lock hotspot settings — the only real lock is a supervised-device restriction (the Configurator play from Layer 3). So: supervised restriction where you can, carrier block where offered, conversation where neither reaches.
- Also check for hotspots you don't recognize when scanning Wi-Fi from the couch — a neighbor kid's hotspot is outside your walls entirely; that's a conversation, not a setting.
Rogue routers, extenders, and the guest network
- Open your router's connected-devices list. Identify everything. An old router or a $15 extender plugged into an ethernet jack can create an unfiltered network inside your house.
- Check whether your router's guest network is on and whether it inherits your DNS settings — on some routers the guest network uses separate DNS config, which makes it a filtered-house's unfiltered back door. If it doesn't inherit, configure it to match or turn it off. (This varies by router brand — the test below settles it either way: run the test page from a device on the guest network.)
The test protocol
Push on every layer in order. This same protocol, run fast, becomes your monthly check — today is the full, slow version. On each kid device:
- DNS test page — on Wi-Fi. test.nextdns.io (or your service's equivalent) shows your configuration. Proves the house wall.
- DNS test page — on cellular. Wi-Fi off, same test. Proves the traveling wall.
- Dummy test sites.
nudity.testcategory.comandmalware.testcategory.comboth block, on Wi-Fi and cellular. Proves the filter behind the DNS. - Ask-to-buy test. Attempt a free-app install; the approval request arrives on the parent phone. Proves Layer 2 still holds.
- Profile-removal re-test. Try to remove the DNS profile/app. Supervised devices: no Remove button. Others: blocked by restrictions. Proves Layer 3.
- Adult-profile PIN test. Open each streaming app, tap an adult profile, confirm the PIN gate appears. Proves Layer 4.
- Watch a window close. Be present at a schedule boundary (or temporarily set one two minutes out) and watch the category actually die. Proves Layer 5.
- Wall-keys audit. Open the vault: all wall keys present, tagged, and both parents can access the shared group. Proves Layer 6.
The fortress is built
Seven layers, seven days. What keeps it standing is a five-minute monthly habit and a quarterly walk — the whole system is designed to be maintained in less time than one episode of anything. That routine lives on the maintenance page, and it starts the first Saturday after you finish.