What is DNS filtering?
DNS filtering blocks access to malicious or unwanted domains by intercepting queries at the resolver level. This guide covers how filtering works, common use cases from malware protection to compliance, and the limitations introduced by encrypted DNS protocols.
What is DNS filtering
DNS filtering is a security and policy enforcement technique that blocks access to specific domains by intercepting queries at the recursive resolver level. When a client queries a filtered domain, the resolver returns an NXDOMAIN response (indicating the domain doesn't exist), a block page redirect, or simply drops the query, preventing the connection from being established. Because DNS resolution precedes virtually all network connections, filtering at this layer provides broad coverage with minimal client-side configuration.
DNS filtering is one of the most cost-effective security controls available. It requires no endpoint agent, works across every device type, and stops threats before any payload is delivered or any connection is established.
How DNS filtering works
The resolver maintains a list of domains to block, sourced from one or more of:
- Threat intelligence feeds. Known malware command-and-control (C2) domains, phishing infrastructure, and exploit kit landing pages
- Category-based lists. Domains classified by content type (gambling, adult content, streaming) for policy enforcement
- Custom blocklists. Organization-specific domains flagged by security teams
- Algorithmic detection. Real-time analysis that flags domain generation algorithms (DGAs), newly registered domains, or domains with suspicious characteristics
When a query arrives, the resolver checks it against these lists before performing normal resolution. Blocked queries never reach the authoritative server, so the destination domain never learns that a connection was attempted. This makes DNS filtering both a security control and a privacy benefit: blocked malware callbacks never establish a connection the attacker can observe.
Some implementations go further by analyzing query patterns in real time, using machine learning to identify tunneling behavior, fast-flux hosting, or domains associated with typosquatting campaigns.
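The following Python block is an added illustration of the resolver-side decision just described; it is not code from any filtering product. It checks a query name against constructed threat-intelligence, category and custom blocklists (matching the exact name or any parent domain), applies a crude heuristic for DGA-like labels in place of the machine-learning analysis mentioned above, and returns the response the resolver would send: NXDOMAIN, a redirect to a block page, or normal resolution. All list contents, the `.test` names, the block-page address and the DGA thresholds are assumptions made for the example.

```python
"""Filtering-resolver decision logic (added illustration, not any product's code).

A query is matched against threat-intel, category and custom blocklists (on the
exact name or any parent domain), then against a simple heuristic for DGA-like
names, before normal recursion would run. The verdict is the response the
resolver would send: NXDOMAIN, a redirect to a block page, or normal resolution.
"""
import math
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterator, Optional, Set, Tuple

# Constructed sample lists using reserved .test names; not real threat data.
THREAT_FEED: Set[str] = {"c2.example-malware.test", "login-verify.example-phish.test"}
CATEGORY_LISTS: Dict[str, Set[str]] = {
    "gambling": {"bets.example-casino.test"},
    "streaming": {"video.example-stream.test"},
}
CUSTOM_BLOCKLIST: Set[str] = {"shadow-it.example-saas.test"}
BLOCK_PAGE_IP = "192.0.2.1"  # RFC 5737 documentation address standing in for a block page


@dataclass
class Verdict:
    action: str                   # "resolve", "nxdomain" or "redirect"
    reason: str
    answer: Optional[str] = None  # A record returned for a redirect


def _normalize(qname: str) -> str:
    return qname.rstrip(".").lower()


def _parents(name: str) -> Iterator[str]:
    """Yield the name and each parent: a.b.c -> a.b.c, b.c, c."""
    labels = name.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def _shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_dga(name: str) -> bool:
    """Crude algorithmic check: a long, high-entropy, vowel-poor leftmost label.
    Thresholds are illustrative assumptions; production systems use trained models."""
    label = name.split(".")[0]
    if len(label) < 12:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return _shannon_entropy(label) > 3.5 and vowel_ratio < 0.25


def filter_query(qname: str, policy_categories: Tuple[str, ...] = ("gambling",)) -> Verdict:
    """Decide how the filtering resolver answers a query for qname."""
    name = _normalize(qname)
    for candidate in _parents(name):
        if candidate in THREAT_FEED:
            # Security block: NXDOMAIN, and the authoritative server is never contacted.
            return Verdict("nxdomain", f"threat feed match on {candidate}")
        if candidate in CUSTOM_BLOCKLIST:
            return Verdict("nxdomain", f"custom blocklist match on {candidate}")
        for category in policy_categories:
            if candidate in CATEGORY_LISTS.get(category, set()):
                # Policy block: send the user to an explanatory block page instead.
                return Verdict("redirect", f"category '{category}' match on {candidate}", BLOCK_PAGE_IP)
    if looks_like_dga(name):
        return Verdict("nxdomain", "algorithmic detection: DGA-like label")
    return Verdict("resolve", "no policy match, continue normal recursion")


if __name__ == "__main__":
    for q in ("www.c2.example-malware.test.", "bets.example-casino.test",
              "video.example-stream.test", "xk3qz9w7rt2pmv.test", "www.example.com"):
        v = filter_query(q)
        print(f"{q:35} -> {v.action:8} ({v.reason})")
```

Two design points are worth noting. Parent-domain matching is what lets one feed entry cover every subdomain an attacker rotates under it, and security blocks answer NXDOMAIN while policy blocks redirect to a block page, because a user who hits a category rule benefits from an explanation, whereas malware does not.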
Use cases
Malware protection is the most common driver. Blocking known C2 and phishing domains at the DNS layer stops threats before any payload is delivered or any data is exfiltrated. This is especially valuable for devices that lack endpoint protection, such as Internet of Things (IoT) hardware, printers, and bring your own device (BYOD) setups.
Content filtering applies policy: schools filter inappropriate content, workplaces restrict non-business sites, and regulated industries enforce compliance requirements around data access.
Compliance and legal obligations in some jurisdictions require ISPs or organizations to block access to certain categories of content, and DNS filtering is the most common mechanism.
Teams running brand protection programs with domain monitoring can feed newly discovered malicious domains directly into DNS filtering blocklists, preventing employees and customers from reaching impersonation sites while takedown processes proceed.
Limitations
DNS filtering is not comprehensive. DNS over HTTPS (DoH) and DNS over TLS (DoT) allow clients to encrypt queries to a resolver of their choice, bypassing the organization's filtering resolver entirely. Some browsers enable DoH by default, sending queries to a public resolver regardless of the system's DNS configuration.
Other limitations include split DNS configurations (where only some queries flow through the filtering resolver), IP-based access (where a client connects directly to an IP address without a DNS query), and the fundamental challenge that newly registered domains may not appear on threat feeds until after they've been used in an attack.
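The encrypted-DNS and split-DNS bypasses above are visible in network telemetry even though the filtering resolver never sees the queries. The block below is an added Python illustration, not code from the page or any vendor, that runs over constructed connection-log records and flags three patterns: DoT (TCP/853 to any host), DoH (TLS to a hostname on a short list of public DoH endpoints), and plain DNS sent to a resolver other than the organization's own. The internal resolver address, the DoH hostname list and the sample records are assumptions made for the example.

```python
"""Spotting clients that bypass the filtering resolver (added illustration).

Runs over constructed connection-log records of the kind a firewall or network
sensor exports and flags DoT, DoH to known public endpoints, and plain DNS that
skips the organization's resolver.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

FILTERING_RESOLVERS: Set[str] = {"10.0.0.53"}  # assumed internal filtering resolver
# Hostnames of a few public DoH endpoints; illustrative, not an exhaustive list.
KNOWN_DOH_HOSTS: Set[str] = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}


@dataclass
class Flow:
    src: str
    dst: str
    proto: str     # "tcp" or "udp"
    dport: int
    sni: str = ""  # TLS server name, when the sensor records it


@dataclass
class Finding:
    src: str
    kind: str      # "dot", "doh" or "external-dns"
    detail: str


def classify(flow: Flow) -> Optional[Finding]:
    """Return a Finding if the flow looks like DNS that skipped the filtering resolver."""
    if flow.proto == "tcp" and flow.dport == 853:
        return Finding(flow.src, "dot", f"TCP/853 to {flow.dst}")
    if flow.proto == "tcp" and flow.dport == 443 and flow.sni.lower() in KNOWN_DOH_HOSTS:
        return Finding(flow.src, "doh", f"TLS to {flow.sni}")
    if flow.dport == 53 and flow.dst not in FILTERING_RESOLVERS:
        return Finding(flow.src, "external-dns", f"port 53 to {flow.dst}")
    return None


def detect_bypass(flows: List[Flow]) -> List[Finding]:
    return [f for f in (classify(fl) for fl in flows) if f is not None]


def by_client(findings: List[Finding]) -> Dict[str, Set[str]]:
    """Group finding kinds per source host, for a quick triage view."""
    out: Dict[str, Set[str]] = {}
    for f in findings:
        out.setdefault(f.src, set()).add(f.kind)
    return out


# Constructed records; outside addresses use RFC 5737 documentation ranges.
SAMPLE_FLOWS = [
    Flow("10.0.1.10", "10.0.0.53", "udp", 53),                        # normal: via filtering resolver
    Flow("10.0.1.11", "10.0.0.53", "udp", 53),
    Flow("10.0.1.11", "198.51.100.1", "tcp", 853),                    # DoT to an outside resolver
    Flow("10.0.1.12", "198.51.100.2", "tcp", 443, "dns.google"),      # DoH identified by SNI
    Flow("10.0.1.13", "203.0.113.9", "udp", 53),                      # hard-coded external resolver
    Flow("10.0.1.14", "203.0.113.7", "tcp", 443, "www.example.com"),  # ordinary HTTPS, not flagged
]

if __name__ == "__main__":
    for finding in detect_bypass(SAMPLE_FLOWS):
        print(f"{finding.src}: {finding.kind} ({finding.detail})")
```

The caveat this makes concrete: DoH to an endpoint that is not on the hostname list is indistinguishable here from ordinary HTTPS, and Encrypted Client Hello would hide the SNI as well, so this detection is a supplement to egress policy (allowing port 53 and 853 only from the filtering resolver), not a replacement for it. One mitigation worth knowing for the browser case the section mentions: Firefox checks the canary domain use-application-dns.net and keeps using the system resolver when the network's resolver answers NXDOMAIN for it.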
DNS filtering works best as one layer in a defense-in-depth strategy alongside endpoint protection, DNS security monitoring, email filtering, and network segmentation. It excels at reducing attack surface broadly and cheaply, but it cannot catch every threat on its own.