How the ParentalControl.uk check works

What the check is, in one paragraph

The check is a 10-phase browser-based diagnostic that takes about 27 seconds because each phase enforces a minimum runtime. It runs from the device in the current browser tab and tests whether the home network is filtering harmful or age-restricted content categories. There is no account and no sign-up. Scan results are not stored on our server.

What runs in the browser, what runs on our server

In the browser

• The 10-phase orchestrator and phase timing.
• All category probes via no-cors favicon fetch checks.
• DNS-over-HTTPS queries sent through our DNS proxy endpoint.
• Score calculation, verdict bands, and on-page result rendering.

On our server (all on parentalcontrol.uk)

• /api/asn.php performs a Cymru DNS lookup against origin.asn.cymru.com to derive ASN from visitor IP.
• /api/dns.php forwards DNS-over-HTTPS queries to Cloudflare, Google, or Quad9 and returns the parsed answer list.
• /api/lookup.php returns the identified ISP using external IP intelligence plus internal registry classification. This endpoint sends the visitor IP address to one or more public IP intelligence services (ipwho.is, ip-api.com, with ipinfo.io as fallback) when needed for provider identification. The IP address is not stored on our server by this lookup flow. We are reviewing whether this can be done entirely server-side in a future maintenance pass to remove the third-party call.

All three endpoints apply rate limiting at 200 requests per hour per IP-hash. The hash is the first 16 hex characters of SHA-256 of IP plus salt string pcuk-v9 and is kept in a temporary file window. No scan results are stored anywhere on the server.

The 10 phases, in order

1. Profiling your connection (1.5s minimum)

   What it checks: It identifies the most likely broadband provider and network context for this run.

   What it does technically: The browser sends its local profile values to the scanner flow and the server endpoint /api/asn.php does a Cymru DNS ASN lookup, then matches ASN to assets/data/uk-isp-fingerprints.json (30+ providers including BT, Sky, Virgin Media, TalkTalk, EE, Plusnet, Vodafone, Three, Sure, Manx Telecom, and JT).

2. Checking your DNS (3s minimum)

   What it checks: It checks whether DNS behaviour matches a known family-safe resolver fingerprint.

   Our experimental browser-side DNS probe (v9.1) can reliably identify two named family-DNS configurations when they are configured on the network this browser is using: Cloudflare for Families (1.1.1.3 strict and 1.1.1.2 malware-only) and OpenDNS FamilyShield (208.67.222.123 / 208.67.220.123). We probe additional signals for transparency — Quad9 reachability and the documented block-page hosts of Sky, Virgin Media, EE, Plusnet and Vodafone — but these signals are not yet corroborated strongly enough to claim positive identification, so we report "none detected" rather than guess. This conservative scope is deliberate: the priority for v9.1 is to eliminate false positives, even at the cost of fewer positive identifications. Six common setups remain invisible to any browser-based probe: a Pi-hole or AdGuard Home on the LAN, a custom DNS server we do not have a fingerprint for, operating-system level DNS over HTTPS (Windows 11, macOS, iOS and Android can all override the network's DNS), any block applied at the route or carrier level, and the Isle of Man providers Sure and Manx Telecom which do not run network-level filters that a browser can detect. For a fuller explanation including five checks a parent can run in two minutes, see how we test DNS.

   Other family-safe resolvers (such as CleanBrowsing, AdGuard Family, and NextDNS) are catalogued in our fingerprint file but are not currently active in the live identification. We are extending this in the next maintenance pass.

3. Testing SafeSearch & YouTube Restricted (2s minimum)

   What it checks: It checks whether SafeSearch or equivalent forced mode is detectable from DNS answers.

   What it does technically: It queries DNS for www.google.com, www.youtube.com, and www.bing.com and checks answer fingerprints, including 216.239.38.120, 216.239.38.119, and 204.79.197.220.

4. Adult content (3s minimum, sensitive)

   What it checks: It tests whether adult category domains are reachable from this device.

   What it does technically: It probes 10 domains and aggregates blocked ratios into category verdicts. Domain names are masked in the results display until the user clicks reveal.

5. Social media (3s minimum)

   What it checks: It tests social platform reachability from this network.

   What it does technically: It probes 12 domains including Instagram, TikTok, Snapchat, Discord, Reddit, X, Facebook, Pinterest, Tumblr, BeReal, Threads, and Mastodon.

6. AI tools (3s minimum)

   What it checks: It tests whether major AI services are reachable.

   What it does technically: It probes 10 services including ChatGPT, Claude, Google Gemini, Character.AI, Perplexity, Replika, Janitor, SpicyChat, Poe, and Meta AI.

7. Gaming (3s minimum)

   What it checks: It tests gaming platform reachability.

   What it does technically: It probes 10 domains including Roblox, Epic Games, Steam, Twitch, Fortnite, Minecraft, EA, Ubisoft, Nintendo, and Kick.

8. Gambling (3s minimum, sensitive)

   What it checks: It tests bookmaker reachability.

   What it does technically: It probes 10 UK bookmaker domains and masks domain names in the UI until reveal is clicked.

9. Malware & phishing (2.5s minimum)

   What it checks: It checks if malware sentinel domains resolve to blocking sinkholes.

   What it does technically: It runs DNS-over-HTTPS lookups for three sentinels and counts returns that match 0.0.0.0 or 146.112.61.x patterns.

10. Streaming & extremism, and your verdict (3s minimum)

    What it checks: It samples streaming domain reachability and finalises the overall score. Scoring fix in v9.1: the streaming sub-score is now included in the overall total.

    What it does technically: It probes Netflix, Prime Video, and Disney+, then synthesises the final 0 to 100 score from weighted category states.

How a category is judged

For each category, the scanner sends a no-cors fetch request to https://{domain}/favicon.ico for each listed domain. The URL is cache-busted with a timestamp and each probe has a 2.5 second timeout.

If the browser completes TCP and TLS and receives any HTTP response, including 4xx or 5xx, it is classified as reachable. If DNS fails, TLS rejects, the connection resets, or the request times out, it is classified as blocked-network or blocked-blackhole.

Per-domain results are aggregated to a category verdict:

• 80% or more blocked: Probably blocked (high confidence).
• 50% to 79% blocked: Mixed results (medium confidence).
• 20% to 49% blocked: Mostly accessible (medium confidence).
• Below 20% blocked: Accessible (high confidence).

If the DNS phase identified a family-safe DNS provider whose published category list includes the current category, the verdict is upgraded to Blocked with confirmed confidence, because we know the DNS layer is doing the filtering regardless of what individual domain probes return.

How the 0-100 score is calculated

• Adult content: 25 points (highest weight, because this is the category with the most safeguarding impact).
• Malware and phishing: 20 points.
• Gambling: 15 points.
• Social media: 12 points.
• AI tools: 10 points.
• Gaming: 10 points.
• Streaming: 8 points.
• Total possible: 100 points.

Each category contributes full weight if verdict state is blocked, 60% if partial, 30% if mostly-open, and 0% if open. Final score is the sum of points earned, divided by 100, expressed as a percentage.

Score bands and what they mean

• 90 to 100: Protected. Every category we tested is blocked on this network.
• 75 to 89: Good protection. Most things we tested are blocked. A couple of gaps to close.
• 50 to 74: Some protection. Several categories blocked. Important gaps remain.
• 30 to 49: Limited protection. A few categories blocked. Most still get through.
• 0 to 29: Major gaps. Your home network has serious gaps that should be addressed.

Honest limits of the check

• A browser-based check can only see what this browser sees from this device. It cannot see inside the router or the broadband provider dashboard. For full coverage, verify settings in your router or provider app.
• VPN use bypasses home network filtering. If the device is on a VPN, the check reads the VPN exit path, not the home network. The current scanner does not detect or warn about VPN use.
• Cached DNS can hide recent changes. If you just changed filtering settings, run the check again in 10 minutes.
• The probe is binary. It reports whether the network reached the host or not. It cannot distinguish ISP edge block from DNS block, temporary outage, or local connectivity fault. Aggregation across multiple domains reduces false readings but cannot remove them.
• A successful no-cors fetch includes 4xx and 5xx responses. A 403 from an upstream WAF still counts as reachable even if content would not load for a user.
• Category domain lists are current to May 2026 and maintained by us, but domains and services change quickly.
• DNS-based detection assumes the device is using network DNS. If the device uses direct DNS-over-HTTPS or DNS-over-TLS, fingerprint matching can fail and DNS phase may report no family-DNS detected.

What we do not do

• We do not store scan results. The check runs in the browser and results stay in the current tab.
• We do not require an account. Nothing on this site has a login.
• We do not run advertising. We are not paid by ISPs or filtering providers for verdicts.
• We do not categorise sites ourselves. Category lists are derived from publicly recognised industry classifications including Cloudflare for Families, OpenDNS FamilyShield, and CleanBrowsing Family. Read our independent UK browser comparison.
• We do not test inside encrypted streaming services. For service-level restrictions inside Netflix, Prime Video, or Disney+, on-device parental controls are required.

Privacy and data handling

The browser side reads a small profile from the local browser (platform, language, network type) for display only. Nothing is stored.

The three endpoints (/api/asn.php, /api/dns.php, /api/lookup.php) are used only for ASN lookup, DNS-over-HTTPS proxying, and provider identification. Endpoint rate limiting is keyed by IP-hash using SHA-256 with a salt and stored temporarily in rolling hourly files.

Google Analytics loads only after explicit cookie consent. Consent state is stored in localStorage under pc-consent-v1 and defaults to denied.

Source files we maintain

• assets/js/phases-v9.js: the 10-phase definition.
• assets/js/probe.js: the probe mechanism.
• assets/js/scanner-v9.js: the orchestrator.
• assets/data/dns-fingerprints.json: family-safe DNS resolver fingerprints.
• assets/data/uk-isp-fingerprints.json: UK broadband provider ASN mappings.
• api/asn.php, api/dns.php, api/lookup.php: server endpoints used by the check.

How we keep this current

• Domain lists are reviewed quarterly.
• DNS fingerprints are updated when named family-DNS providers change published addresses.
• ISP fingerprints are updated when ASNs change or new UK providers enter the market.

Spotted a mistake?

We publish this page in detail because we want you to be able to check our claims. If anything here does not match what the code actually does, please email hello@parentalcontrol.uk and we will fix it.