Explainer · 6 min · For Owners

The short version

Every time a device on your network tries to reach a website, email server, or cloud service, it first asks "what's the IP address for that domain?" That question is a DNS lookup. DNS filtering intercepts that lookup and decides whether to answer it. If the destination is on a list of known-malicious or policy-blocked categories, the filter returns a block-page response instead of the real IP — and the malicious connection never happens.

The malicious site doesn't get the chance to load the credential-harvesting form, the ransomware dropper, the cryptojacker, the C2 channel. The attack stops at the front door.

Why it's so effective

Almost every modern attack involves a domain at some point. Phishing pages live on domains. Ransomware command-and-control runs through domains. Credential-stuffing scripts call back to domains. Malware updates pull from domains. Block the lookup and you've cut off the attacker's network path.

Threat-intelligence feeds catalogue new malicious domains within minutes to hours of registration. Business DNS filters subscribe to those feeds and update their block lists in near real time. The result: the phishing email that lands at 9:14 AM carries a link whose domain stops resolving at 9:32 AM, before most of the recipients have clicked.
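To make the lookup-interception idea concrete, here is a small toy DNS filter. It is an added illustration, not code from NextDNS, Cisco Umbrella, DNSFilter, ControlD, or Micro-IT. It models the three decisions a business filter makes on every query (explicit allow exception, threat-intel match, category policy), the feed update that turns the 9:14 AM phishing link into a 9:32 AM block, the per-role policies and exceptions the FAQ describes, and the "who tried to visit what" reporting view. All domains, IP addresses (documentation ranges), categories and feed entries are constructed sample data; `BLOCK_ANSWER`, `Policy`, `DnsFilter` and the log format are names invented for this example.

```python
"""Toy DNS filter: intercept a lookup and decide whether to answer it.

Added illustration only; not code from any vendor named on the page.
All domains, IPs, categories and feed contents are constructed sample data.
"""
from dataclasses import dataclass, field

# What a blocked lookup is answered with. Real products hand back the address
# of their block page; a null answer is used here to keep the example small.
BLOCK_ANSWER = "0.0.0.0"


@dataclass
class Policy:
    """Per-site/per-role policy: categories to block plus explicit exceptions."""
    blocked_categories: set
    allow_exceptions: set = field(default_factory=set)


@dataclass
class Verdict:
    domain: str
    action: str      # "allow" or "block"
    reason: str      # kept for the reporting view ("who tried to visit what")
    answer: str      # IP handed back to the client


class DnsFilter:
    def __init__(self, threat_feed, category_db, upstream):
        self.threat_feed = {self._norm(d) for d in threat_feed}
        self.category_db = {self._norm(d): c for d, c in category_db.items()}
        self.upstream = dict(upstream)   # stand-in for the real recursive resolver
        self.log = []                    # every verdict, for reporting

    @staticmethod
    def _norm(domain):
        return domain.lower().rstrip(".")

    @staticmethod
    def _self_and_parents(domain):
        # A listed apex ("evil.example") also covers "cdn.evil.example".
        labels = domain.split(".")
        for i in range(len(labels) - 1):
            yield ".".join(labels[i:])

    def ingest_feed(self, new_domains):
        """Threat-intel update: newly catalogued malicious domains."""
        self.threat_feed.update(self._norm(d) for d in new_domains)

    def lookup(self, domain, policy):
        domain = self._norm(domain)
        candidates = list(self._self_and_parents(domain))
        if domain in policy.allow_exceptions:
            verdict = self._allow(domain, "allow-list exception")
        elif any(c in self.threat_feed for c in candidates):
            verdict = Verdict(domain, "block", "threat-intel", BLOCK_ANSWER)
        else:
            category = next((self.category_db[c] for c in candidates
                             if c in self.category_db), None)
            if category in policy.blocked_categories:
                verdict = Verdict(domain, "block", f"category:{category}", BLOCK_ANSWER)
            else:
                verdict = self._allow(domain, "no match")
        self.log.append(verdict)
        return verdict

    def _allow(self, domain, reason):
        return Verdict(domain, "allow", reason, self.upstream.get(domain, "NXDOMAIN"))

    def report(self):
        """Blocked lookups grouped by reason, as a monthly review would list them."""
        summary = {}
        for v in self.log:
            if v.action == "block":
                summary.setdefault(v.reason, []).append(v.domain)
        return summary


# Constructed sample data (documentation IP ranges, invented domains).
THREAT_FEED = {"evil-c2.example"}
CATEGORY_DB = {"casino.example": "gambling", "video-site.example": "streaming",
               "telehealth-portal.example": "streaming", "news.example": "news"}
UPSTREAM = {"news.example": "203.0.113.10", "casino.example": "203.0.113.20",
            "video-site.example": "203.0.113.25", "telehealth-portal.example": "203.0.113.30",
            "secure-login-portal.example": "198.51.100.7"}

OFFICE = Policy(blocked_categories={"gambling"})
# The clinic profile blocks streaming but carves out a miscategorised portal it needs.
CLINIC = Policy(blocked_categories={"gambling", "streaming"},
                allow_exceptions={"telehealth-portal.example"})


def phishing_timeline():
    """The 9:14 AM email versus the 9:32 AM feed update from the text."""
    f = DnsFilter(THREAT_FEED, CATEGORY_DB, UPSTREAM)
    before = f.lookup("secure-login-portal.example", OFFICE)  # 9:14: not yet catalogued
    f.ingest_feed(["secure-login-portal.example"])            # 9:32: feed update lands
    after = f.lookup("secure-login-portal.example", OFFICE)
    return before.action, after.action


if __name__ == "__main__":
    f = DnsFilter(THREAT_FEED, CATEGORY_DB, UPSTREAM)
    for d, p in [("news.example", OFFICE), ("casino.example", OFFICE),
                 ("cdn.evil-c2.example", OFFICE), ("video-site.example", CLINIC),
                 ("telehealth-portal.example", CLINIC)]:
        v = f.lookup(d, p)
        print(f"{d:30} {v.action:5} {v.reason:24} -> {v.answer}")
    print("timeline:", phishing_timeline())
    print("report:", f.report())
```

The order of the checks is the design point: an explicit exception wins over everything, threat intelligence is evaluated before categories (so a malicious domain is blocked even in a permissive profile), and a listed apex covers its subdomains. The `before`/`after` pair in `phishing_timeline` is the window the text describes, in which a brand-new phishing domain still resolves.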

What it covers

What it doesn't cover

Network-only vs. endpoint-agent deployment

Two common deployment patterns:

Network-only

The office network's router or firewall is configured to send DNS queries to the filter. Easy to deploy — one change at the router. Coverage gap: the laptop that goes home or to a coffee shop isn't protected. Adequate for a single-office business with desktops only.

Endpoint-agent

A small agent on every device enforces DNS filtering everywhere — office, home, coffee shop, hotel. Better coverage, slightly more deployment work. The right deployment for any business with laptops or remote workers.

Most modern business DNS filters (NextDNS for business, Cisco Umbrella, DNSFilter, ControlD) support both. The endpoint-agent mode is the standard for laptop fleets in 2026.

How it fits the rest of the stack

DNS filtering is one layer of defense-in-depth:

Any one of those alone is brittle. Together, they're hard to get past.

Why cyber insurance asks about it

Cyber carriers in 2026 increasingly ask about DNS filtering on the renewal application. It's cheap (a few dollars per device per month), low-friction (no user training, no behavior change), and statistically significant in claims data. A "yes" on DNS filtering moves the needle on the application even if no other change is made.

How a Micro-IT plan covers DNS filtering

Every Micro-IT client environment ships with NextDNS-based DNS filtering on every endpoint via the Managed Endpoint plan. Deployment is the endpoint-agent mode — coverage on the device wherever it goes. The policy is category-tuned per vertical (a clinic has a different default profile than a construction office), and reporting flows into the same monthly review as the rest of the stack. See Managed Endpoint for the included features, or the security page for the eleven-vendor, seven-layer stack.

Frequently asked questions

What is DNS filtering?
DNS filtering intercepts the address-lookup step that happens before any browser, email client, or app connects to a remote server, and blocks the lookup if the destination domain is on a list of known-malicious or policy-blocked categories. The blocked connection never happens — the user sees a block page instead of the malicious site.
Why is DNS filtering effective against phishing?
Almost every phishing attack ultimately involves a link the user clicks. If that link's domain is on a threat-intelligence list of phishing infrastructure (often within hours of the campaign starting), DNS filtering blocks the click silently and the credential-harvesting page never loads. It's not perfect — brand-new phishing domains can sneak through for a few hours — but it stops the long tail.
Does DNS filtering replace antivirus or EDR?
No. DNS filtering blocks the connection to known-bad infrastructure; EDR detects and contains attacks that already landed on the endpoint. They cover different stages of the same kill chain. Both are baseline controls.
What's the difference between business DNS filtering and consumer products like 1.1.1.1 or 8.8.8.8?
Consumer DNS resolvers focus on speed and basic protection (1.1.1.1 for Families adds some category filtering). Business DNS filtering layers in policy controls (block categories per role, allow specific exceptions), reporting (who tried to visit what), threat intelligence specific to business attacks, and per-device enforcement that works on the road. The deployment model is also different — business DNS filtering enforces per device or per network, not per home Wi-Fi.
Can users bypass DNS filtering?
Determined technical users can bypass DNS filtering with VPNs, DNS-over-HTTPS, or by switching their device's DNS settings. The defense is enforcement — using a DNS filter with an endpoint agent (not just a network setting), blocking DoH at the firewall, and pairing DNS filtering with EDR, MDM, and conditional-access policies that detect the bypass.
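The bypass routes listed in that answer (changed device DNS settings, DNS-over-HTTPS) leave traces in egress firewall logs, and the detection side is simple to state. The following is an added example, not a NextDNS, Micro-IT or firewall-vendor feature: it scans constructed flow-log lines for plain DNS sent anywhere other than the sanctioned resolver, DNS-over-TLS on port 853 (an extension beyond the DoH case named in the text), and HTTPS to a curated list of known DoH endpoints. The log line format, the resolver address `10.0.0.53`, and the DoH endpoint list (documentation-range placeholders) are all assumptions of this example.

```python
"""Spot DNS-filter bypass attempts in firewall flow logs.

Added illustration only; not a feature of any product named on the page.
The log lines, the sanctioned resolver and the DoH endpoint list are
constructed sample data, and the line format is an assumption.
"""
import re

SANCTIONED_RESOLVERS = {"10.0.0.53"}             # the filter's resolver (assumed)
# Placeholder DoH endpoint addresses (documentation range). A real deployment
# keeps this list current from its filter vendor or threat-intel provider.
KNOWN_DOH_ENDPOINTS = {"203.0.113.53", "203.0.113.54"}
PUBLIC_PLAIN_RESOLVERS = {"8.8.8.8", "1.1.1.1"}  # the consumer resolvers the text mentions

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)"
)

# Constructed sample flow log: one well-behaved host and three bypass attempts.
SAMPLE_LOG = """\
2026-03-02T09:14:05Z src=10.0.1.23 dst=10.0.0.53 proto=udp dport=53
2026-03-02T09:14:07Z src=10.0.1.44 dst=8.8.8.8 proto=udp dport=53
2026-03-02T09:14:09Z src=10.0.1.44 dst=1.1.1.1 proto=tcp dport=853
2026-03-02T09:14:11Z src=10.0.1.51 dst=203.0.113.53 proto=tcp dport=443
2026-03-02T09:14:12Z src=10.0.1.51 dst=198.51.100.80 proto=tcp dport=443
2026-03-02T09:14:15Z src=10.0.1.23 dst=10.0.0.53 proto=tcp dport=53
2026-03-02T09:14:20Z src=10.0.1.60 dst=192.0.2.9 proto=udp dport=53
"""


def classify(rec):
    """Return a finding string for a flow that sidesteps the filter, else None."""
    dst, dport = rec["dst"], int(rec["dport"])
    if dport == 53 and dst not in SANCTIONED_RESOLVERS:
        kind = "public resolver" if dst in PUBLIC_PLAIN_RESOLVERS else "unsanctioned resolver"
        return f"plain DNS to {kind} {dst} (device DNS settings changed?)"
    if dport == 853:
        return f"DNS-over-TLS to {dst}"
    if dport == 443 and dst in KNOWN_DOH_ENDPOINTS:
        return f"DNS-over-HTTPS to known DoH endpoint {dst}"
    return None


def find_bypass(log_text):
    """Return {source host: [findings]} for every flow that bypasses the filter."""
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; in production, count these too
        reason = classify(m.groupdict())
        if reason:
            findings.setdefault(m["src"], []).append(f"{m['ts']} {reason}")
    return findings


def firewall_posture():
    """Vendor-neutral egress checklist that turns the detections into enforcement."""
    return [
        "allow udp/tcp 53 only to " + ", ".join(sorted(SANCTIONED_RESOLVERS)),
        "deny tcp 853 (DNS-over-TLS) outbound",
        "deny tcp 443 to known DoH endpoints (list must be kept current)",
        "alert as well as drop: a bypass attempt is a signal for EDR/MDM follow-up",
    ]


if __name__ == "__main__":
    for host, items in sorted(find_bypass(SAMPLE_LOG).items()):
        print(host)
        for item in items:
            print("   ", item)
    print("\n".join(firewall_posture()))
```

Two caveats a practitioner would add. Matching DoH by destination IP is brittle, because DoH endpoints often share addresses with ordinary CDN traffic, so treat port-443 hits as a prompt to look at the host rather than proof of bypass. And a VPN tunnel hides all of this from the firewall, which is why the answer above pairs DNS filtering with an endpoint agent and with EDR, MDM and conditional-access policies that see the bypass on the device itself.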

Related reading