DNS Filtering - Blocking Threats at the DNS Layer
About 2 min read
DNS filtering is a technique that blocks access to malicious sites and inappropriate content at the DNS query stage, where a device resolves a domain name into an IP address. Because it blocks at the earliest possible point, before the browser opens the URL, it can preemptively prevent connections to phishing sites and malware distribution sites. Its greatest advantage is its simplicity: there is no need to install software on endpoints, and it can be applied to an entire organization or network simply by changing the DNS server settings.
How DNS Sinkholes Work
The core technology of DNS filtering is the DNS sinkhole. In normal DNS resolution, the correct IP address is returned in response to a client query, but a sinkhole intentionally returns an invalid IP address or the IP of a block page for domains targeted for blocking.
Figure (decision flow of a sinkhole): a query to resolve example.com matches the blocklist and receives 0.0.0.0; a query to resolve safe-site.com passes the allowlist and receives the legitimate IP.
The list of domains to block is updated automatically from threat intelligence feeds and community-maintained blocklists. With a self-hosted DNS sinkhole such as Pi-hole, you can add an ad-domain blocklist so that it also functions as a network-wide ad blocker.
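The sinkhole behaviour described above, carried out on real DNS wire format, as an added example that is not code from the article or from Pi-hole or any other product. It parses a hosts-format blocklist (the format most feed entries use), matches a queried name and its parent domains against it, and answers a blocked query with an A record for 0.0.0.0. The blocklist, the query builder and the `SAMPLE_UPSTREAM` dict that stands in for a real upstream resolver are all constructed for the example.

```python
"""Minimal DNS sinkhole decision logic with a hosts-format blocklist.

Added example (not from the article or any named product). It assumes a
constructed blocklist and a dict standing in for an upstream resolver.
"""
import struct
from typing import Optional

SAMPLE_BLOCKLIST = """\
# constructed sample blocklist in hosts format (the layout Pi-hole style feeds use)
0.0.0.0 example.com
0.0.0.0 ads.tracker.invalid
127.0.0.1 localhost
"""

# Constructed stand-in for the upstream resolver's answers for allowed names.
SAMPLE_UPSTREAM = {"safe-site.com": "203.0.113.10"}

SINK_IP = "0.0.0.0"  # what the sinkhole returns for blocked names
HOSTS_NOISE = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost"}


def parse_hosts_blocklist(text: str) -> set[str]:
    """Parse 'ip name [alias ...]' lines, ignoring comments and loopback noise."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        names = parts[1:] if len(parts) > 1 else parts  # also accept bare domains
        for name in names:
            name = name.lower().rstrip(".")
            if name not in HOSTS_NOISE:
                blocked.add(name)
    return blocked


def is_blocked(qname: str, blocklist: set[str]) -> bool:
    """True if the name or any parent domain is listed, so blocking example.com
    also catches cdn.example.com (the usual sinkhole behaviour)."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def _encode_name(name: str) -> bytes:
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def _decode_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a wire-format name; follows a compression pointer (RFC 1035 4.1.4)."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = _decode_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        off += 1
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """A standard recursive A/IN query, as a stub resolver would send it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return header + _encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def sinkhole_response(query: bytes, blocklist: set[str], upstream: dict[str, str]) -> bytes:
    """Answer SINK_IP for blocked names, the upstream IP for known names, and
    NXDOMAIN otherwise (a real sinkhole would forward to upstream instead)."""
    txid = struct.unpack("!H", query[:2])[0]
    qname, off = _decode_name(query, 12)
    question = query[12:off + 4]  # name + QTYPE + QCLASS, echoed back unchanged
    ip = SINK_IP if is_blocked(qname, blocklist) else upstream.get(qname.lower().rstrip("."))
    if ip is None:
        # QR=1, RD=1, RA=1, RCODE=3 (NXDOMAIN), no answer records
        return struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # one answer record
    ttl = 60 if ip == SINK_IP else 300  # short TTL so an unblock takes effect quickly
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata  # 0xC00C points at the question name
    return header + question + answer


def rcode(response: bytes) -> int:
    return struct.unpack("!H", response[2:4])[0] & 0x0F


def parse_answer_ip(response: bytes) -> Optional[str]:
    """Return the first A-record IP in a response, or None if there is no answer."""
    _, _, qd, an = struct.unpack("!HHHH", response[:8])
    off = 12
    for _ in range(qd):
        _, off = _decode_name(response, off)
        off += 4
    if an == 0:
        return None
    _, off = _decode_name(response, off)
    rtype, _, _, rdlen = struct.unpack("!HHIH", response[off:off + 10])
    off += 10
    if rtype != 1 or rdlen != 4:
        return None
    return ".".join(str(b) for b in response[off:off + 4])


if __name__ == "__main__":
    bl = parse_hosts_blocklist(SAMPLE_BLOCKLIST)
    for name in ("example.com", "cdn.example.com", "safe-site.com", "unknown.test"):
        resp = sinkhole_response(build_query(name), bl, SAMPLE_UPSTREAM)
        print(f"{name:18} rcode={rcode(resp)} answer={parse_answer_ip(resp)}")
```

Two design points worth noticing: the sinkhole matches parent domains, so one blocklist entry covers every subdomain the attacker spins up under it, and sinkholed answers carry a short TTL so that removing a false positive from the list propagates quickly to clients that cache the bogus 0.0.0.0 answer.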
Major DNS Filtering Services
| Service | Features | DNS address |
|---|---|---|
| Cloudflare 1.1.1.1 for Families | Two tiers: malware blocking (1.1.1.2) and adult-content blocking (1.1.1.3) | 1.1.1.2 / 1.1.1.3 |
| OpenDNS (Cisco Umbrella) | Detailed category filtering for enterprises. A free Family Shield is available | 208.67.222.123 |
| NextDNS | Fine-grained customization of blocklists. Free for up to 300,000 queries per month | Based on a custom ID |
| Pi-hole (self-hosted) | Run at home on a Raspberry Pi or similar. Also supports ad blocking | IP on the home LAN |
Blocking Phishing and Malware Sites
DNS filtering is especially effective at blocking phishing sites and malware distribution sites. Even if a user clicks a malicious link contained in an email, it is blocked at the DNS stage, so it can be cut off before the browser connects to the site. Whereas a firewall controls communication by IP address and port number, an operational strength of DNS filtering is that it can control by domain name, a unit that is easy for humans to understand.
However, it is ineffective if an attacker specifies an IP address directly without using a domain, or if the device is configured to bypass DNS filtering. Defense in depth combined with a firewall and endpoint security is essential. Please also refer to the article on phishing protection.
Use in Children's Internet Safety
DNS filtering is also widely used as a means of making children's internet use safer at home. Simply by changing the router's DNS settings to Cloudflare 1.1.1.3 or OpenDNS Family Shield, you can restrict access to adult content and violent sites on every device connected to the network. It eliminates the hassle of installing parental control software on each device, and another benefit is that it is difficult for children to disable the setting. The article on children's internet safety explains the specific setup steps.
Relationship with DNS over HTTPS
DNS over HTTPS (DoH) is a technique that encrypts DNS queries with HTTPS. It is effective for protecting privacy, but there is tension between it and DNS filtering. This is because when a browser uses its own DoH resolver (for example, Cloudflare 1.1.1.1), the DNS filtering configured by the network administrator ends up being bypassed.
To address this problem, services such as NextDNS and Cloudflare Gateway offer DoH-capable DNS filtering. They can apply filtering even to encrypted DNS queries, achieving both privacy and security. In enterprise environments, it is common practice to use group policy to pin the DoH destination to the organization's DNS filter. The article on public Wi-Fi security also touches on DNS protection while away from home.
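The two bypass paths the article names, a device configured to talk to some other resolver and a browser switching to its own DoH endpoint, both leave traces a defender can look for. The following added example (not from the article or any vendor) scans constructed firewall and resolver log lines for three indicators: plain DNS to a resolver other than the sanctioned one, DNS over TLS on port 853, and a lookup of a public DoH provider's hostname through the filter, which is the bootstrap step a browser performs just before the filter loses sight of it. The log format, the `SANCTIONED_RESOLVERS` address and the short `KNOWN_DOH_ENDPOINTS` list are assumptions made for the example.

```python
"""Spot clients that bypass the filtering resolver, from firewall and resolver logs.

Added example (not from the article or any product). Assumes a firewall log in
key=value form and a resolver query log; the sample lines below are constructed.
"""

# Assumption: the organization's filtering resolver lives at this address.
SANCTIONED_RESOLVERS = {"10.0.0.53"}

# Hostnames of well-known public DoH endpoints (a real deployment would maintain
# a longer list). A client resolving one of these is about to move its DNS to an
# encrypted channel the filter cannot see.
KNOWN_DOH_ENDPOINTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

SAMPLE_LOG_LINES = [  # constructed sample input
    "2024-05-01T10:00:01Z fw action=allow proto=udp src=10.1.2.3 dst=8.8.8.8 dport=53",
    "2024-05-01T10:00:02Z fw action=allow proto=udp src=10.1.2.4 dst=10.0.0.53 dport=53",
    "2024-05-01T10:00:03Z fw action=allow proto=tcp src=10.1.2.5 dst=203.0.113.7 dport=853",
    "2024-05-01T10:00:04Z fw action=allow proto=tcp src=10.1.2.4 dst=203.0.113.20 dport=443",
    "2024-05-01T10:00:05Z resolver client=10.1.2.6 qname=cloudflare-dns.com. qtype=A",
    "2024-05-01T10:00:06Z resolver client=10.1.2.7 qname=safe-site.com qtype=A",
]


def _fields(line: str) -> dict[str, str]:
    """Split 'key=value' tokens; tokens without '=' (timestamp, source tag) are skipped."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def find_bypass_indicators(lines, sanctioned=SANCTIONED_RESOLVERS, doh_hosts=KNOWN_DOH_ENDPOINTS):
    """Return one finding per suspicious line: direct-dns, dot, or doh-bootstrap."""
    findings = []
    for line in lines:
        f = _fields(line)
        if all(k in f for k in ("src", "dst", "dport")):  # firewall record
            if f["dport"] == "53" and f["dst"] not in sanctioned:
                findings.append({"client": f["src"], "kind": "direct-dns", "detail": f["dst"]})
            elif f["dport"] == "853":  # DNS over TLS always uses 853
                findings.append({"client": f["src"], "kind": "dot", "detail": f["dst"]})
        elif all(k in f for k in ("client", "qname")):  # resolver query record
            qname = f["qname"].lower().rstrip(".")
            if any(qname == h or qname.endswith("." + h) for h in doh_hosts):
                findings.append({"client": f["client"], "kind": "doh-bootstrap", "detail": qname})
    return findings


def clients_to_review(findings) -> list[str]:
    """Distinct client addresses that produced at least one indicator."""
    return sorted({f["client"] for f in findings})


if __name__ == "__main__":
    for finding in find_bypass_indicators(SAMPLE_LOG_LINES):
        print(f"{finding['client']:10} {finding['kind']:14} {finding['detail']}")
    print("review:", clients_to_review(SAMPLE_LOG_LINES and find_bypass_indicators(SAMPLE_LOG_LINES)))
```

Port 443 traffic is deliberately not flagged: DoH is ordinary HTTPS on the wire, so the useful signal is the bootstrap lookup of the provider's hostname, or the absence of any DNS traffic at all from a client that is otherwise active. On the mitigation side, blocking port 53 and 853 to anything but the sanctioned resolver at the firewall removes the first two paths, and a filtering resolver that answers NXDOMAIN for the Firefox canary domain use-application-dns.net signals to that browser not to enable its default DoH.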
Common Misconceptions
It is dangerous to think that "installing DNS filtering makes you safe." DNS filtering is merely one layer of defense in depth and offers no resistance to DNS spoofing. Moreover, newly created malicious domains not yet registered in the blocklist pass straight through. For real-time threat detection, it must be combined with EDR and a next-generation firewall.