DNS Filtering: The Simplest Security Layer You’re Not Using

The Domain Name System (DNS) is often described as the phonebook of the internet. When you type example.com into a browser, your device sends a DNS query to a resolver asking for the IP address associated with that domain. The resolver checks its cache, queries authoritative name servers if needed, and returns the IP address so your browser can establish a connection.

This process happens for every internet connection — not just web browsing but also email, cloud apps, software updates, and IoT device communications. A typical office of 50 people generates tens of thousands of DNS queries per day. Because DNS is the first step in virtually every connection, it represents a uniquely powerful point at which to enforce security policy.

DNS filtering works by intercepting DNS queries and comparing the requested domain against a continuously updated database of threat intelligence. If the domain is associated with phishing, malware command-and-control, ransomware distribution, or other malicious activity, the DNS resolver returns a block page instead of the real IP address. The connection never reaches the malicious server.

This is fundamentally different from traditional web filtering, which inspects HTTP traffic after the connection is established. DNS filtering operates before the connection is made, which means it blocks threats that do not use HTTP at all — such as malware phoning home over custom protocols, or DNS tunnelling used for data exfiltration.

Phishing remains the number-one initial access vector in cyberattacks. When a user clicks a malicious link in an email, the browser first performs a DNS lookup. If your DNS filter recognises the domain as a known phishing site, the page never loads. This protects users even when the phishing email slips past your email security gateway.

Most malware needs to "phone home" to a command-and-control (C2) server to receive instructions, download additional payloads, or exfiltrate data. DNS filtering blocks these C2 domains, effectively neutralising the malware even if it has already executed on an endpoint. This buys your security team critical time to detect and remediate the infection.

DNS filtering can also block categories of websites and cloud services that violate your acceptable use policy. If your organisation has standardised on Microsoft 365 for file sharing, you can block DNS queries to personal Dropbox, Google Drive, or WeTransfer domains. This helps enforce data governance policies without requiring complex firewall rules or endpoint agents.

DNS filtering can be deployed at several layers, and the best approach often combines more than one:

Gateway-Level (Router or Firewall): Point your network’s DHCP-assigned DNS servers to a filtering resolver. This protects every device on the network, including unmanaged devices and IoT. Vendors like Cisco Umbrella, Cloudflare Gateway, DNSFilter, and WebTitan offer this as a cloud service.

Endpoint Agent: Install a lightweight DNS agent on laptops and workstations. This ensures protection follows the device when it leaves the office and connects to home or public Wi-Fi. Most DNS filtering vendors provide agents for Windows, macOS, and mobile platforms.

Cloud Integration: For organisations using cloud-delivered secure web gateways (SWG) or Secure Access Service Edge (SASE) platforms, DNS filtering is typically a built-in feature that can be enabled with a single policy toggle.

One of the most compelling advantages of gateway-level DNS filtering is that it requires zero configuration on the endpoint. Security cameras, smart TVs, printers, VoIP phones, and guest laptops all inherit DNS protection simply by connecting to the network. In environments with a high number of IoT devices — such as warehouses, retail stores, and healthcare facilities — this is often the only practical way to apply any security policy to those devices.