BOOK EXCERPT - Protocol Over Pitchforks: The Evidence-First Manual for Protecting Children from Predators
APPENDIX G: A Defense-in-Depth Framework for Household Digital Safety
This checklist operationalizes the five-layer framework from Chapter [redacted]: The Home Protocol. Work through each layer in order. Layers build on each other: a gap in Layer 1 reduces the value of everything above it. Return to this checklist quarterly, and whenever a child receives a new device or joins a new platform.
PRIORITY items represent the highest-leverage actions. If time is limited, complete these first.
Layer 1: The Gateway
Router and Network Level
DNS Filtering
□ PRIORITY - Deploy NextDNS at the router level. Create child, adult, and guest profiles. Enable threat protection on all profiles. Enable SafeSearch and YouTube Restricted on the child profile. Free up to 300,000 queries/month; approximately $20/year for unlimited. Setup: nextdns.io
□ PRIORITY - Install the NextDNS on-device client on all mobile devices. Router-level filtering only protects devices on home WiFi. The per-device client extends filtering to cellular data and external networks. Without this, a child’s phone is unprotected the moment they leave home.
□ Alternatively, configure Cloudflare 1.1.1.3 as the router’s DNS resolver. Zero-configuration baseline. Blocks known malware and adult content with no account required. Less granular than NextDNS but functional as a fallback layer. Router DNS settings: use 1.1.1.3 and 1.0.0.3.
□ Audit router administrative credentials. Change the factory-default admin password before any other configuration. A router running factory credentials can be reconfigured by any device on the network. Check: router login page, typically 192.168.1.1 or 192.168.0.1.
□ Enable router firmware auto-update if available. Unpatched router firmware is a common attack vector. Check the router admin panel for update settings and enable automatic updates, or set a calendar reminder to check manually quarterly.
□ Establish a separate guest network for IoT devices and visitor devices. Smart TVs, gaming consoles, and guest phones on the same network segment as your children’s devices can create lateral exposure. A segregated guest SSID limits blast radius from any compromised device.
Network-Level VPN Policy
□ Review installed apps on all child devices for VPN applications. A VPN bypasses DNS-based filtering entirely. Presence of a VPN app is not necessarily malicious, but it is a signal worth investigating. Check periodically, not just at setup. Establish a household rule that VPN installation requires parental discussion and approval.
Layer 2: Endpoint Hardening
Device Level
App Installation Controls
□ PRIORITY - Enable Screen Time on iOS with app installation approval required. Settings → Screen Time → Content & Privacy Restrictions → iTunes & App Store Purchases → Installing Apps: Don’t Allow. Set a Screen Time passcode the child does not know. This must be done before handing the device to the child.
□ PRIORITY - Enable Google Family Link on Android with app approval required. Install Family Link on the parent device. Link the child’s Google account. Under Controls → Content Restrictions → Apps: set to Approve All. All new installs generate a parent notification and require approval.
□ Enable parental controls on all gaming consoles in the household.
Nintendo Switch: use the Nintendo Switch Parental Controls app (iOS/Android) to set the restriction level, disable online communication features for under-16 accounts, and enable play-time limits.
Xbox: use the Xbox Family Settings app to set content filters and communication restrictions, and to require approval for new friend requests.
PlayStation 5: under Settings → Family and Parental Controls, create child sub-accounts, restrict game ratings, disable voice chat with strangers, and set spending limits.
□ Disable in-app purchases across all platforms. In-game currency purchases are a documented grooming vector. A child who has received in-game currency from an unknown contact has received a gift. Disable purchase capability entirely or require a PIN. Check: iOS Screen Time, Google Family Link, and console-level spending controls.
Discoverability and Privacy Settings
□ PRIORITY - Set all social and gaming accounts to private. Default settings on Snapchat, Instagram, TikTok, Discord, and gaming platforms are permissive. Verify manually: go into each app’s privacy settings and set the account to private or friends-only. Do not rely on the platform’s setup wizard to do this correctly.
□ PRIORITY - Enable Ghost Mode on Snapchat and disable Snap Map. Snap Map broadcasts real-time location to all contacts. Ghost Mode disables this. Settings → Privacy Controls → See My Location → Ghost Mode. Verify this setting is active; it can be changed in-app without a password.
□ Disable algorithmic stranger suggestions on all platforms. Turn off: Quick Add (Snapchat), People You May Know (Instagram, Facebook), Suggested Friends (TikTok, Discord). These features surface your child’s profile to strangers and function as an inbound contact vector.
□ Disable location services for all social and gaming apps. Location permissions for social apps should be set to Never or While Using, never Always. Check: iOS Settings → Privacy & Security → Location Services. Android: Settings → Location → App Permissions. Audit every app individually.
□ Review and restrict direct messaging permissions on gaming platforms.
Roblox: in the parental dashboard at roblox.com/parents, restrict chat to friends only or disable it entirely for younger children.
Fortnite/Epic: at epicgames.com/help → Parental Controls, restrict voice chat and friend requests.
Minecraft: in the Microsoft Family Safety app, restrict communication settings.
□ Disable the platform’s built-in browser on gaming consoles where possible. PlayStation 5 and Xbox include web browsers that bypass content filtering. PlayStation: Parental Controls → restrict internet browser access. On Xbox, the Microsoft Family Safety app allows web content filtering across the device.
□ Review microphone and camera permissions for all apps. Revoke access for any app that does not clearly require it. iOS: Settings → Privacy & Security → Microphone / Camera. Android: Settings → Privacy → Permission Manager.
□ Set up communication limits (iOS Screen Time). Screen Time → Communication Limits: restrict who can contact the child during active hours and downtime. Set to Contacts Only during downtime.
Layer 3: Monitoring and Environment
Detection Without Surveillance
Operational distinction: Monitoring means tracking behavioral patterns and anomaly signals. Surveillance means reading message content. This layer is about the former. Covert content surveillance damages the disclosure relationship you depend on if something goes wrong. Build the monitoring layer transparently.
Physical Environment
□ PRIORITY - Establish a household charging station in a common area. No devices in bedrooms overnight. Late-night unsupervised communication is the primary escalation window documented in grooming cases. Removing device access after a set time eliminates this window without requiring any monitoring software. This is a household rule, not a punishment.
□ Keep primary computing devices (laptops, tablets) in common areas during active hours for younger children. Physical visibility is a passive deterrent. This applies primarily to children under 13.
Anomaly Detection Tools
□ PRIORITY - Deploy Bark or equivalent anomaly-detection monitoring. Bark analyzes communication patterns for keyword and behavioral flags (platform migration requests, contact with unknown adults, sexualized language, emotional distress indicators) and notifies the parent when a threshold is crossed, without providing full message transcripts. This is the recommended posture for households with older children. bark.us
□ Enable DNS query logging in NextDNS and schedule periodic log reviews. Reviewing logs weekly allows you to detect shifts to new platforms, late-night activity spikes, and attempts to reach blocked domains. You are looking for pattern changes, not building a record of every website visited.
□ Enable activity reports on gaming consoles. Nintendo Switch Parental Controls app provides weekly activity reports. Xbox Family Settings app provides app usage, game time, and friend request activity. PlayStation provides play-time notifications and monthly summaries via Family Management.
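One way to run the weekly review described in the DNS query logging item above, as an added example that is not part of the book: the script reduces an exported query log to counts of newly seen root domains, blocked attempts, and late-night query volume for a single device, without listing every site visited. The CSV column names, status values, device names, and sample rows are constructed assumptions; match them to the header row of the export you download.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample export. Column names and status values are assumptions;
# match them to the header row of the file you actually download.
SAMPLE_CSV = """timestamp,domain,root_domain,status,device_name
2024-03-04T21:10:00Z,www.roblox.com,roblox.com,default,kid-tablet
2024-03-05T22:05:00Z,i.ytimg.com,ytimg.com,default,kid-tablet
2024-03-06T05:40:00Z,chat.newplatform.example,newplatform.example,default,kid-tablet
2024-03-06T05:41:00Z,chat.newplatform.example,newplatform.example,default,kid-tablet
2024-03-06T05:55:00Z,cdn.newplatform.example,newplatform.example,default,kid-tablet
2024-03-06T06:02:00Z,www.blocked-site.example,blocked-site.example,blocked,kid-tablet
2024-03-06T06:03:00Z,mail.example.org,example.org,default,parent-laptop
"""


def review(csv_text, device, known_roots, utc_offset_hours=0,
           night_hours=(23, 6), night_threshold=3):
    """Reduce a log export to the three pattern signals, as counts only."""
    local = timezone(timedelta(hours=utc_offset_hours))
    new_roots, blocked, night = Counter(), Counter(), Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["device_name"] != device:
            continue
        # Timestamps are assumed to be UTC; convert to household local time.
        stamp = datetime.fromisoformat(row["timestamp"].replace("Z", "+00:00"))
        stamp = stamp.astimezone(local)
        root = row["root_domain"]
        if row["status"] == "blocked":
            blocked[root] += 1           # attempt to reach a filtered domain
        elif root not in known_roots:
            new_roots[root] += 1         # platform not seen in earlier reviews
        start, end = night_hours
        if stamp.hour >= start or stamp.hour < end:
            night[stamp.date().isoformat()] += 1
    return {
        "new_roots": dict(new_roots),
        "blocked": dict(blocked),
        # Only nights with enough queries to suggest active use, not background sync.
        "late_nights": {d: n for d, n in night.items() if n >= night_threshold},
    }


if __name__ == "__main__":
    report = review(SAMPLE_CSV, "kid-tablet", {"roblox.com", "ytimg.com"},
                    utc_offset_hours=-5)
    for signal, counts in report.items():
        print(signal, counts)
```

Add each reviewed root domain to `known_roots` after the weekly check so the next run reports only what has changed.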
Transparency
□ Tell your child that monitoring tools are in place, what they look for and why. Children who know monitoring exists and understand its scope respond better than children subjected to covert surveillance. Frame it as a perimeter against outside threats, not a mechanism to read their conversations.
Layer 4: The Human Firewall
Conversational Training
Technical controls fail. This layer is the last line of defense. A child who can name manipulation tactics is meaningfully harder to groom. Naming interrupts the process. These conversations should happen before they are relevant, not after.
Core Rules to Teach
□ PRIORITY - The Secret-Keeping Rule: healthy adults do not ask children to keep secrets from their parents. Teach this rule directly and early. The only exception your child should know about is surprise parties. Any adult (family member, coach, online contact) who asks them to keep a relationship or any part of it secret from you requires immediate disclosure. No penalty for telling you.
□ PRIORITY - The Platform Migration Red Flag: any request to move a conversation to a new, private app is a warning signal. Teach the pattern by name: someone who asks to move from a game chat, group chat, or social media to a direct-message app, especially an encrypted one like Signal, Telegram, or WhatsApp, is attempting to move the conversation somewhere nobody can check. Legitimate friends do not need to do this. The answer is no, and they should tell you it happened.
□ PRIORITY - The Gift Disclosure Policy: any digital gift from a non-family contact gets disclosed immediately, with no penalty. In-game currency, gift cards, account credits, or items sent through apps from anyone outside the family should be reported right away. Make explicit that telling you results in no punishment. Explain that gifts from strangers create obligation; that is the point of giving them.
□ The Offline Meeting Rule: never agree to meet someone in person who was first known only online without a parent’s involvement. Meeting an online-only contact in person requires parent knowledge, parent approval, and in most cases parent presence, regardless of how long the child has known them online.
□ Personal Information Boundaries: name, school, address, phone number, and photos are not shared with online-only contacts. Teach children that these pieces of information, individually or in combination, can be used to locate them in the physical world. This includes location data embedded in photos. iOS: Settings → Camera → Location: Off. Android: Camera settings → Location tags: Off.
Vulnerability Awareness
□ Teach children to recognize flattery and special-attention tactics as potential manipulation. Predators identify targets through expressions of loneliness or low self-esteem in online spaces, then initiate contact framed as friendship or mentorship. Frame this as knowing what the playbook looks like, not as paranoia.
□ Discuss AI-generated profiles and deepfake contact risks. Predators increasingly use AI-generated profile photos and synthetic identities to pose as peers. Teach children that a profile photo is not proof someone is who they claim to be, particularly if the contact was unsolicited, seems unusually interested in them, or is pushing toward private communication quickly.
□ Teach children to report without fear of device loss or platform bans as a consequence. The most common reason children do not disclose grooming contact is fear of losing device access or getting in trouble. Establish explicitly that coming to you about a concerning contact will never result in punishment. The predator is the problem. The child reporting them is doing the right thing.
Layer 5: Incident Response
When the System Flags Something
Most common failure mode: detecting something alarming, confronting the child immediately while in distress, triggering denial or shutdown, watching communications get deleted. Do not run this sequence. You have time. The subject does not know you have detected anything. Use that asymmetry.
Immediate Steps
□ PRIORITY - Pause before acting. Do not confront the child or touch the devices until you have a plan. Emotional urgency produces the worst outcomes at this stage.
□ PRIORITY - Preserve before confronting. Screenshot all visible evidence with timestamps before anything changes. Document: platform name, username or account identifiers, timestamps, and any visible content. Do not delete anything. Do not allow anything to be deleted.
□ Assess before reporting. Gather enough information to understand what you are dealing with. Is the contact a peer or an adult? How long has the contact been ongoing? Has platform migration occurred? Are there signs of gift-giving, sexual content, or requests for images?
The Conversation
□ PRIORITY - Lead with concern, not accusation: “I noticed something and want to make sure you are okay.” This framing opens a door. Your child may be experiencing shame, confusion, or loyalty to the contact. A calm, supportive response is the antidote to a groomer’s “your parents won’t understand” narrative.
□ Make explicit that the child is not in trouble; the contact is. Children who are being groomed are victims of a deliberate manipulation process. A child who believes they will be punished will minimize or retract disclosure.
Reporting Channels
File with all of the following simultaneously. Do not rely on a single channel.
NCMEC CyberTipline: report.cybertip.org or 1-800-843-5678
ICAC Task Force: icactaskforce.org
FBI Tips: tips.fbi.gov
Local Law Enforcement: File locally and federally simultaneously
NCMEC Image Removal: cybertipline.org (if explicit images were produced)
Bring documentation to every report. A tip accompanied by timestamped screenshots, usernames, platform names, and a contact chronology is substantially more actionable than a verbal description. Build the evidence package before you make the call.
Maintenance Schedule
This Setup Degrades Without Upkeep
Quarterly
□ Audit all devices for newly installed apps, with particular attention to VPN and encrypted messaging applications.
□ Review privacy settings on all active social and gaming accounts; platforms change defaults with updates.
□ Check DNS filter logs for anomalies or emerging platform activity.
□ Verify that on-device DNS clients are still active and correctly configured on mobile devices.
□ Review Bark or equivalent monitoring alerts from the past quarter and note any patterns.
On Each New Device
□ PRIORITY - Complete Layers 1 through 4 before the device is used, not after. Configuration installed after the fact is configuration the child has already had time to work around.
□ Verify the NextDNS or Cloudflare client is installed and active on the device immediately.
□ Set privacy and discoverability settings on every platform account created on the device.
On Each New Platform
□ PRIORITY - Before approving a new app or platform, review: Does it have direct messaging? Is it end-to-end encrypted with no moderation? Does it have discoverability features? Can strangers initiate contact? If yes to any of these, configure privacy settings before the child has an active account.
□ Add the platform to your Bark monitoring configuration if supported.
□ Have the Layer 4 conversation about that specific platform’s risk profile with your child before they use it.
Quick Reference
Tools and Resources
Recommended Tools
Tool: Notes
NextDNS: nextdns.io - DNS-level filtering with per-device profiles, logging, and scheduled controls
Cloudflare Families: 1.1.1.3 / 1.0.0.3 - zero-config DNS baseline, malware and adult content blocking
Bark: bark.us - anomaly-detection monitoring across text, email, and social platforms
iOS Screen Time: Built-in - app approvals, communication limits, content restrictions, downtime scheduling
Google Family Link: Built-in (Android) - app approval, content filters, device controls, location
Nintendo Parental Controls: App (iOS/Android) - play-time limits, restriction levels, game chat controls
Xbox Family Settings: App (iOS/Android) - content filters, screen time, communication restrictions, activity reports
PlayStation Family Management: Built-in and PlayStation Family app - child sub-accounts, content ratings, spending limits
Reporting and Support
NCMEC CyberTipline: report.cybertip.org / 1-800-843-5678
ICAC Task Force: icactaskforce.org
FBI Tips: tips.fbi.gov
NCMEC General: missingkids.org / gethelp@ncmec.org
FTC Children’s Privacy: ReportFraud.ftc.gov - for COPPA violations and data collection complaints
A note on COPPA: The Children’s Online Privacy Protection Act gives parents legal rights over data collection from children under 13. Under the updated 2025 Rule, you may request deletion of your child’s personal information from any covered platform, and platforms must obtain verifiable parental consent before collecting biometric identifiers, government IDs, or persistent tracking data. If a platform has violated these requirements, report to the FTC at ReportFraud.ftc.gov.



