Make sure that all of your users have restricted operating system rights. If a user has no administrator rights it will be impossible for him/her to delete SafeDNS Agent, install any application, change the 'hosts' file or change a DNS server IP address in the network settings.
Prohibit access to any other DNS. If devices connect to the internet via a gateway or router, prohibit access to any DNS servers, except SafeDNS public DNS servers (we recommend to exclude 18.104.22.168/24 network as well, as this is a whole SafeDNS’ network) or to a caching server on your corporate network.
Prohibit access to HTTP proxies. To do that, restrict packet transfer to any IP addresses by TCP and UDP protocols on ports 3128 and 8080 in firewall settings of your router.
Prohibit access to DNS over TLS. To do that, restrict packet transfer to any IP addresses, except SafeDNS network 22.214.171.124/24, on TCP port 853.
Disable IPv6 protocol. As far as SafeDNS does not have IPv6 addresses you have to disable automatic obtaining of DNS server addresses in your router settings or in the network settings on your devices.
Recommendations for system administrators:
Set up DNS requests rerouting to the SafeDNS public DNS server or to the caching server on your corporate network.
Prohibit access to any external proxy servers.
Restrict direct access to any website via its IP address.
Make impossible for users to connect to unknown external VPN servers.
Make impossible for users to run any unknown applications.
Make impossible for users to connect and use any unknown hardware.