The Case for DNS Filtering

Every device on your network does the same thing thousands of times a day, and almost nobody thinks about it. Before a laptop loads a website, before an email client fetches an image, before a printer phones home for a firmware update, it asks a question: “What is the address for this domain name?” That question is a DNS lookup, and it happens before any actual connection is made.

That timing detail matters more than most business owners realize. If you can inspect the question before it gets answered, you can stop a bad connection before it ever starts. That is exactly what DNS filtering does, and after 25 years of working in network security, I consider it one of the highest-value, lowest-friction security controls a small business can deploy.

This post walks through what DNS filtering actually is, why it works, and the specific advantages it delivers for a business with 5 to 50 employees. No scare tactics. Just how the technology works and why it earns its place in a security stack.

What DNS Filtering Actually Does

DNS is often called the phone book of the internet. Type a domain name into your browser, and DNS translates it into the numeric IP address computers use to route traffic. Every website visit, every cloud app login, every software update starts with a DNS lookup.

DNS filtering inserts a checkpoint into that process. Instead of sending lookups to your internet provider’s default resolver, your devices send them to a filtering resolver that evaluates every request against threat intelligence and policy rules. If the domain is safe, the lookup resolves normally and nobody notices anything. If the domain is known to host malware, run a phishing kit, or serve as command infrastructure for attackers, the resolver returns a blocking answer instead: either no address at all, or the address of a block page that explains what happened.

The connection never happens. The malicious server never sees your device. The payload never downloads.

This is not a fringe technique. The NSA and CISA published joint guidance recommending protective DNS services, noting that this approach can significantly reduce the effectiveness of ransomware, phishing, botnet, and malware campaigns by blocking known malicious domains. When the two agencies piloted the concept with defense contractors, the service examined more than 4 billion DNS queries over six months and blocked millions of connections to identified malicious domains. The federal government now requires its civilian agencies to route DNS through a protective resolver. When a control gets mandated at that level, it is because the evidence supports it.

Advantage One: It Stops Threats Before They Reach You

Most security tools are reactive by design. Antivirus scans a file after it lands on the machine. Email filtering evaluates a message after it arrives. Endpoint detection watches for suspicious behavior after code starts running.

DNS filtering is different because of where it sits in the sequence. The DNS lookup is the first observable step in nearly every attack chain. A phishing email is harmless until someone clicks the link, and clicking the link triggers a DNS lookup. Malware that lands on a machine still has to call home to its command server to receive instructions or exfiltrate data, and calling home requires a DNS lookup.

Block the lookup and you break the chain at the earliest possible point. NSA and CISA describe protective DNS as providing defense at multiple points of the attack lifecycle, covering phishing, malware distribution, command and control traffic, and domain generation algorithms. That last item deserves a mention: modern malware often generates thousands of random-looking domain names to find its control server, precisely to evade static blocklists. A good filtering platform recognizes those algorithmically generated domains and blocks them as a class.

There is a practical benefit here that goes beyond prevention. Even when malware does get onto a machine through some other path, DNS filtering can neutralize or slow it. Some ransomware families fetch their encryption key or their go-ahead from a command server and stall when they cannot reach it; others carry everything they need and encrypt offline, so this is a second chance rather than a guarantee. Either way, a blocked DNS response delays or prevents malicious actions while giving defenders time to investigate using the logged queries.

Advantage Two: Machine Learning Catches Domains No Blocklist Has Seen

The obvious objection to any filtering approach is that blocklists only know about yesterday’s threats. Attackers register new domains constantly, and a phishing site might live for only a few hours before it is abandoned. If your protection depends entirely on someone else finding the threat first, reporting it, and pushing it to a feed, you lose the race more often than you win it.

Modern DNS filtering platforms answer this with real-time analysis. Instead of relying solely on curated lists, the platform’s machine learning models evaluate domains the moment they are queried. The models look at things like how recently the domain was registered, its hosting patterns, its structural similarity to known phishing kits, whether it visually impersonates a legitimate brand, and dozens of other signals. Domains get categorized as threats before a human analyst ever sees them, and often days before they appear on traditional threat feeds.

Newly registered domains deserve special attention here. The overwhelming majority of legitimate business happens on domains that have existed for months or years. A domain registered 45 minutes ago that suddenly starts receiving traffic from your accounting department is not a normal event. A well-configured filtering policy can treat brand-new domains with suspicion by default, either blocking them outright or holding them for evaluation. In practice, this single policy quietly kills a large share of phishing attempts, because attackers depend on fresh domains that have not yet been flagged anywhere. The trade-off is the occasional legitimate new domain, such as a vendor’s freshly launched portal or a marketing microsite, so plan for a quick allowlist process rather than treating every block as a false positive to argue about.
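The decision a filtering resolver makes for each query, covering the checkpoint described in “What DNS Filtering Actually Does”, the algorithmically generated domains mentioned under Advantage One, and the newly-registered-domain policy above, as an added example that is not the post’s own code or any vendor’s implementation. The threat list, category table, registration dates, 30-day threshold, sinkhole address and `.example` domains are all constructed assumptions; a real platform gets these from threat feeds, registration data and trained models, and the entropy check here only shows the shape of a DGA signal, not a production classifier.

```python
"""Added example (not the post's or any vendor's code): a toy model of the
decision a filtering resolver makes for every query.  The lists, the
registration dates, the thresholds and the sinkhole address are all
constructed assumptions; a real platform gets them from threat feeds,
registration data and trained models."""
import math
from collections import Counter
from datetime import date

# Constructed threat intelligence and content policy (assumptions).
THREAT_LIST = {
    "update-invoice-portal.example": "phishing",
    "cdn-stat.example": "malware",
    "beacon-c2.example": "command-and-control",
}
CATEGORY = {"video.example": "streaming", "bets.example": "gambling",
            "bank.example": "finance"}
BLOCKED_CATEGORIES = {"streaming", "gambling"}
# Stand-in for WHOIS/RDAP registration data; unknown domains have no entry.
REGISTERED = {
    "bank.example": date(2009, 4, 1),
    "update-invoice-portal.example": date(2024, 5, 9),
    "login-secure-verify.example": date(2024, 5, 10),
}
NRD_DAYS = 30              # "newly registered" cut-off, an assumption
SINKHOLE = "10.0.0.53"     # where the block page is served from, an assumption
TODAY = date(2024, 5, 20)  # fixed clock so the example is reproducible


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character over the label's character frequencies."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_dga(domain: str) -> bool:
    """Cheap DGA heuristic: a long, high-entropy, vowel-poor leftmost label.
    Real platforms use trained models; this only shows the shape of the signal."""
    label = domain.split(".")[0]
    if len(label) < 12:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) > 3.5 and vowel_ratio < 0.25


def registrable(qname: str) -> str:
    """Naive registrable-domain extraction (last two labels).  Real code
    uses the Public Suffix List so that names under 'co.uk' work correctly."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def decide(qname: str, today: date = TODAY) -> tuple:
    """Evaluate one query in policy order; returns ('allow'|'block', reason)."""
    dom = registrable(qname)
    if dom in THREAT_LIST:                       # 1. known-bad feeds
        return "block", "threat-list:" + THREAT_LIST[dom]
    if CATEGORY.get(dom) in BLOCKED_CATEGORIES:  # 2. content policy
        return "block", "category:" + CATEGORY[dom]
    registered = REGISTERED.get(dom)             # 3. fresh registrations
    if registered is not None and (today - registered).days < NRD_DAYS:
        return "block", "newly-registered"
    if looks_like_dga(dom):                      # 4. algorithmic names
        return "block", "dga-heuristic"
    return "allow", "clean"


def answer(qname: str, today: date = TODAY):
    """What the client gets back: the sinkhole address for a blocked name,
    or None, meaning 'resolve this normally'."""
    verdict, _reason = decide(qname, today)
    return SINKHOLE if verdict == "block" else None


if __name__ == "__main__":
    for name in ("www.bank.example", "www.update-invoice-portal.example",
                 "video.example", "mail.login-secure-verify.example",
                 "xkq7vbz2mwpl9rtyq.example", "internationalbusiness.example"):
        print(f"{name:40} {decide(name)}")
```

The order of the checks is the point: a feed hit is cheap and certain, so it runs first; the heuristics run last and only on names nothing else caught, which is also where false positives live, so that is where your allowlist should apply.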

Advantage Three: Protection Follows the Device, Not the Office

Ten years ago, network security meant securing the office. Everyone sat behind the same firewall, and if you filtered traffic at the perimeter, you covered the whole company.

That model is gone. Your team works from home offices, coffee shops, client sites, and airport lounges. A firewall in your server closet does nothing for a laptop connected to hotel Wi-Fi.

DNS filtering solves this with a lightweight roaming agent installed on each device. The agent ensures every DNS lookup routes through the filtering service regardless of what network the device is on. The same policies, the same threat protection, and the same visibility apply whether an employee is at their desk or at a rest stop on I-4. For a small business without the budget or appetite for a full-blown secure access platform, this is a remarkably efficient way to extend protection to a distributed team.

The agent approach also closes a common gap. Browsers with DNS-over-HTTPS turned on, applications with a hardcoded public resolver, and malware that performs its own lookups can all bypass the DNS settings the operating system was handed. NSA and CISA guidance specifically recommends deploying DNS clients that keep protections working across varied environments, and limiting the use of alternative resolvers so devices cannot quietly route around the protection. A managed roaming agent handles the first part on the device; on the office network, the companion control is a firewall rule that permits outbound DNS only to the filtering resolver’s addresses and blocks the well-known encrypted DNS endpoints.

Advantage Four: Policy Control Without Playing Network Police

Security is the headline benefit, but content filtering rides along at no extra cost, and it solves real business problems.

Every filtering platform worth using lets you set policies by category. You decide whether streaming video, gambling sites, adult content, or peer-to-peer file sharing belong on company devices, and the policy enforces itself consistently. No awkward conversations, no manually maintained lists, no relying on the honor system.

For businesses in regulated industries, this carries extra weight. A medical or dental practice has obligations around how patient data is handled and what happens on the systems that touch it. A law firm has confidentiality duties that extend to its infrastructure. Being able to demonstrate that company devices are systematically prevented from reaching known-malicious and high-risk destinations is a meaningful, documentable control. It will not satisfy a compliance framework by itself, but it checks boxes that auditors and cyber insurance underwriters increasingly ask about.

The better platforms also support multiple policies for different groups, which means your front desk workstations, your clinical or billing systems, and your leadership laptops can each run rules appropriate to their role. Guest Wi-Fi can run the strictest policy of all, protecting your network reputation without touching guest devices.

Advantage Five: Visibility You Did Not Know You Were Missing

Here is something that surprises nearly every business owner the first time they see it: a report of every domain their network talked to last week.

DNS logs are a goldmine of operational and security insight. They reveal shadow IT, meaning the unapproved file sharing apps and personal cloud accounts employees adopted without telling anyone. They surface misbehaving devices, like the smart TV in the conference room beaconing to servers overseas. They show you which blocked threats were actually attempted, which tells you who on your team is clicking things they should not and where your security awareness training should focus.

From an incident response standpoint, this history is invaluable. If a machine is ever compromised, the DNS log tells you what it talked to, when the activity started, and whether anything else on the network showed the same pattern. Answering those questions without DNS logs means pulling artifacts from each endpoint one at a time. With them, it is a query against one dataset.
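The first questions an incident responder asks of a DNS log, plus the bypass check from Advantage Three, run over a constructed sample, as an added example that is not the post’s own code or any vendor’s export format. The log layout (timestamp, client, query type, name, verdict), the hosts, the `.example` domains and the timestamps are all made up for illustration; the DNS-over-HTTPS bootstrap hostnames are the real ones published by those providers, and a plain DNS query for one of them is a useful hint that something on the device is trying to route around the filtering resolver.

```python
"""Added example (not the post's or any vendor's code): the first questions
an incident responder asks of a DNS log, answered over a constructed
sample.  The log format and every host, domain and timestamp are made up;
real platforms export CSV or JSON with their own field names."""
from collections import defaultdict
from datetime import datetime

# Constructed sample export: timestamp client qtype qname verdict
SAMPLE_LOG = """\
2024-05-20T08:55:10Z 10.0.1.17 A mail.example ALLOW
2024-05-20T09:14:02Z 10.0.1.17 A update-invoice-portal.example BLOCK
2024-05-20T09:14:03Z 10.0.1.17 A cdn-stat.example BLOCK
2024-05-20T09:16:40Z 10.0.1.17 A beacon-c2.example BLOCK
2024-05-20T09:20:12Z 10.0.1.23 A beacon-c2.example BLOCK
2024-05-20T09:31:55Z 10.0.1.23 A bank.example ALLOW
2024-05-20T10:02:07Z 10.0.1.40 A dns.google ALLOW
2024-05-20T10:02:08Z 10.0.1.40 A sales.example ALLOW
2024-05-20T11:45:00Z 10.0.1.17 A beacon-c2.example BLOCK
"""

# Hostnames a DNS-over-HTTPS client resolves once to bootstrap itself.  A
# plain DNS query for one of these means the device is about to stop
# sending its lookups through the filtering resolver.
DOH_BOOTSTRAP = {"dns.google", "cloudflare-dns.com",
                 "mozilla.cloudflare-dns.com", "dns.quad9.net"}


def parse(log_text: str) -> list:
    """Turn the whitespace-separated export into a list of records."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname, verdict = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "client": client, "qtype": qtype,
            "qname": qname.lower(), "verdict": verdict,
        })
    return records


def first_contact(records: list, client: str):
    """When did this host first hit a blocked domain, and which one?"""
    hits = sorted((r["ts"], r["qname"]) for r in records
                  if r["client"] == client and r["verdict"] == "BLOCK")
    return hits[0] if hits else None


def blocked_domains_for(records: list, client: str) -> list:
    return sorted({r["qname"] for r in records
                   if r["client"] == client and r["verdict"] == "BLOCK"})


def lateral_scope(records: list, domains: set) -> dict:
    """Every host that queried any of the same domains: who else needs to
    be pulled into the investigation."""
    by_domain = defaultdict(set)
    for r in records:
        if r["qname"] in domains:
            by_domain[r["qname"]].add(r["client"])
    return {d: sorted(hosts) for d, hosts in by_domain.items()}


def doh_bypass_candidates(records: list) -> list:
    """Hosts that resolved a DoH bootstrap name over plain DNS."""
    return sorted({r["client"] for r in records if r["qname"] in DOH_BOOTSTRAP})


def investigate(log_text: str, client: str) -> dict:
    """The triage summary for one suspect host plus a network-wide bypass check."""
    records = parse(log_text)
    domains = blocked_domains_for(records, client)
    return {
        "first_contact": first_contact(records, client),
        "blocked_domains": domains,
        "scope": lateral_scope(records, set(domains)),
        "doh_candidates": doh_bypass_candidates(records),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(investigate(SAMPLE_LOG, "10.0.1.17"))
```

On the sample, the suspect host’s first block is the phishing domain at 09:14, the payload domain follows one second later, the command server shows up two minutes after that, and a second host queried the same command server, which is the lateral question answered without touching either machine. The DoH check is a network-wide query, not a per-host one, because a bypass attempt on a machine that has not been compromised yet is still a gap to close.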

Advantage Six: The Effort-to-Value Ratio Is Almost Unfair

Most meaningful security improvements come with a real cost in money, disruption, or ongoing management. DNS filtering is the rare exception.

There is no hardware to buy. No appliance in the rack, no capacity planning, no firmware patching. Deployment for an office network is a DNS setting change on your router or firewall, and roaming devices get a small agent pushed through your existing management tools. One check is worth doing afterward: a device with a statically configured resolver ignores the change handed out by DHCP, so confirm that each device is actually resolving through the filtering service (most platforms publish a test domain for exactly this) rather than assuming the router setting covered it. A typical small business can go from nothing to deployed in an afternoon, without users noticing anything except the occasional block page.

The performance cost is negligible. A well-run filtering resolver answers queries about as fast as your ISP’s resolver, and sometimes faster, because the policy check is an in-memory lookup and answers are cached exactly as they would be anywhere else. Employees do not experience the latency or breakage that older web proxy solutions were notorious for.

And the price point fits a small business budget. Per-user monthly costs for DNS filtering are typically a fraction of what endpoint protection costs, which itself is a fraction of what a serious incident costs in downtime and recovery. Few line items in a security budget deliver more protection per dollar.

What DNS Filtering Is Not

I would be doing you a disservice if I pitched this as a complete solution, because no single control is. NSA and CISA are candid about the limits: protective DNS is bypassed by traffic that connects directly to IP addresses without performing a lookup, and by encrypted DNS that never reaches the filtering resolver, so it should not be relied on alone to detect and prevent malicious traffic.

DNS filtering does not replace endpoint detection and response, it does not replace email security, it does not replace multi-factor authentication, and it does not replace backups. It is one layer in a defense built from several. What makes it stand out among those layers is the position it occupies: first in line, before any connection exists, on every device, for every request.

The Bottom Line

If your business runs without DNS filtering today, you are allowing every device to resolve every domain on the internet, including the ones registered this morning by people whose entire business model is getting your employees to click. Adding a filtering layer changes that default from “allow everything” to “allow everything except what is known or suspected to be malicious,” and it does so invisibly, affordably, and without slowing anyone down.

That combination of early interception, machine-driven threat detection, protection for remote workers, policy control, and network visibility is why DNS filtering has become a standard component of every managed security stack we deploy. It will not be the flashiest tool in your security lineup. It will quietly be one of the most effective.

If you want to know what your network has been talking to, that conversation starts with a single DNS setting. It is worth having.

Sources

1. Joint NSA and CISA Guidance on Strengthening Cyber Defense Through Protective DNS (CISA)

2. Selecting a Protective DNS Service, Cybersecurity Information Sheet v1.3 (NSA/CISA)

3. NSA and CISA Release Cybersecurity Information on Protective DNS (NSA)