Explainer · 6 min · For Owners

The short version

Every time a device on your network tries to reach a website, email server, or cloud service, it first asks "what's the IP address for that domain?" That question is a DNS lookup. DNS filtering intercepts that lookup and decides whether to answer it. If the destination is on a list of known-malicious or policy-blocked categories, the filter returns a block-page response instead of the real IP — and the malicious connection never happens.

The malicious site doesn't get the chance to load the credential-harvesting form, the ransomware dropper, the cryptojacker, the C2 channel. The attack stops at the front door.

Why it's so effective

Almost every modern attack involves a domain at some point. Phishing pages live on domains. Ransomware command-and-control runs through domains. Credential stuffing scripts callback to domains. Malware updates pull from domains. Block the lookup and you've cut the attacker's network leg out.

Threat-intelligence feeds catalogue new malicious domains within minutes to hours of registration. Business DNS filters subscribe to those feeds and update their block lists in close-to-real-time. The result: the phishing email that lands at 9:14 AM has a malicious link that stops resolving at 9:32 AM, before most of the recipients have clicked.

What it covers

What it doesn't cover

Network-only vs. endpoint-agent deployment

Two common deployment patterns:

Network-only

The office network's router or firewall is configured to send DNS queries to the filter. Easy to deploy — one change at the router. Coverage gap: the laptop that goes home or to a coffee shop isn't protected. Adequate for a single-office business with desktops only.

Endpoint-agent

A small agent on every device enforces DNS filtering everywhere — office, home, coffee shop, hotel. Better coverage, slightly more deployment work. The right deployment for any business with laptops or remote workers.

Most modern business DNS filters (NextDNS for business, Cisco Umbrella, DNSFilter, ControlD) support both. The endpoint-agent mode is the standard for laptop fleets in 2026.

How it fits the rest of the stack

DNS filtering is one layer of defense-in-depth:

Any one of those alone is brittle. Together, they're hard to get past.

Why cyber insurance asks about it

Cyber carriers in 2026 increasingly ask about DNS filtering on the renewal application. It's cheap (a few dollars per device per month), low-friction (no user training, no behavior change), and statistically significant in claims data. A "yes" on DNS filtering moves the needle on the application even if no other change is made.

How a Micro-IT plan covers DNS filtering

Every Micro-IT client environment ships with NextDNS-based DNS filtering on every endpoint via the Managed Endpoint plan. Deployment is the endpoint-agent mode — coverage on the device wherever it goes. The policy is category-tuned per vertical (a clinic has a different default profile than a construction office), and reporting flows into the same monthly review as the rest of the stack. See Managed Endpoint for the included features, or the security page for the eleven-vendor, seven-layer stack.

How DNS filtering works, step by step

The mechanics are simple once you follow the path of a single request.

  1. The device asks for a domain. You click a link or an app reaches out. Before any data moves, the device asks a recursive resolver: "what is the IP address for this domain?"
  2. The filtering resolver checks the domain. Instead of a plain resolver, the request goes to a filtering resolver. It compares the domain against threat-intelligence feeds (known phishing, malware, and command-and-control infrastructure) and against your category policy (adult content, gambling, file-sharing, and so on).
  3. The resolver decides. If the domain is clean and allowed, it returns the real IP address and the connection proceeds normally. If the domain is malicious or blocked by policy, it refuses or sinkholes the answer — pointing the device to a harmless address — or returns the IP of a block page that tells the user why the site was stopped.

All of this happens in the lookup step, before the browser opens a single connection to the destination. That is why DNS filtering stops an attack at the front door rather than cleaning up after it. Implementing it means pointing your devices at a filtering resolver and setting the policy — the decision logic lives at the resolver, not on each machine.

DNS filtering vs. web and URL filtering

These controls work at different layers, and the names get used loosely. The short version: DNS filtering decides whether a connection is allowed to open at all; web and URL filtering inspect what travels over a connection once it is open.

They are not competitors. DNS filtering is the cheap, broad first layer that stops most known-bad domains for every device. URL filtering is the precise second layer for businesses that need page-level control or content inspection. Many environments run both: DNS filtering everywhere, URL filtering where the extra granularity earns its cost.

Rolling it out (and why it won't slow you down)

Enabling DNS filtering is a small project, not a migration. The practical steps:

  1. Choose a filtering resolver. A business DNS filtering service (NextDNS for business, Cisco Umbrella, DNSFilter, ControlD) gives you threat intelligence, category policy, and reporting.
  2. Point your DNS to it. Network-only deployment changes one setting at the router or firewall. Endpoint-agent deployment installs a small agent on each device so the policy follows laptops off the office network.
  3. Set category policy. Start with malicious and high-risk categories blocked for everyone, then tune by role or device.
  4. Plan for false positives. A legitimate site will occasionally land in a blocked category. An allowlist and a clear way for users to request an exception keeps this from becoming friction.

Does DNS filtering slow down your internet? No. It does not touch bandwidth — it only answers the address-lookup question, which is tiny. In practice it can make browsing feel faster, because the filtering resolver caches answers: once any device looks up a domain, the next lookup is near-instant. The added security comes with no real performance cost.

Frequently asked questions

What is DNS filtering?
DNS filtering intercepts the address-lookup step that happens before any browser, email client, or app connects to a remote server, and blocks the lookup if the destination domain is on a list of known-malicious or policy-blocked categories. The blocked connection never happens — the user sees a block page instead of the malicious site.
Why is DNS filtering effective against phishing?
Almost every phishing attack ultimately involves a link the user clicks. If that link's domain is on a threat-intelligence list of phishing infrastructure (often within hours of the campaign starting), DNS filtering blocks the click silently and the credential-harvesting page never loads. It's not perfect — brand-new phishing domains can sneak through for a few hours — but it stops the long tail.
Does DNS filtering replace antivirus or EDR?
No. DNS filtering blocks the connection to known-bad infrastructure; EDR detects and contains attacks that already landed on the endpoint. They cover different stages of the same kill chain. Both are baseline controls.
What's the difference between business DNS filtering and consumer products like 1.1.1.1 or 8.8.8.8?
Consumer DNS resolvers focus on speed and basic protection (1.1.1.1 for Families adds some category filtering). Business DNS filtering layers in policy controls (block categories per role, allow specific exceptions), reporting (who tried to visit what), threat intelligence specific to business attacks, and per-device enforcement that works on the road. The deployment model is also different — business DNS filtering enforces per device or per network, not per home Wi-Fi.
Can users bypass DNS filtering?
Determined technical users can bypass DNS filtering with VPNs, DNS-over-HTTPS, or by switching their device's DNS settings. The defense is enforcement — using a DNS filter with an endpoint agent (not just a network setting), blocking DoH at the firewall, and pairing DNS filtering with EDR, MDM, and conditional-access policies that detect the bypass.
How does DNS filtering work?
When a device wants to reach a domain, it first asks a recursive resolver for that domain's IP address. With DNS filtering, the request goes to a filtering resolver that checks the domain against threat-intelligence feeds and your category policy. If the domain is clean and allowed, it returns the real IP and the connection proceeds. If it's malicious or blocked, the resolver refuses or sinkholes the answer, or returns a block page. All of this happens before the browser opens a connection.
Is DNS filtering worth it for a small business?
Yes. DNS filtering is one of the highest-leverage controls a small business can add. It's a few dollars per device per month, needs no user training, and blocks the malicious-link step that most phishing and malware attacks rely on. Cyber insurers ask about it on renewal applications, and answering "yes" can move the needle even if nothing else changes. For most small businesses the cost is small and the coverage is broad.
What's the difference between DNS filtering and web or URL filtering?
DNS filtering blocks at the domain level. It acts on the address lookup, so it's fast and lightweight and catches the connection before it opens, but it doesn't see the full URL path or page contents. Web and URL filtering (including "advanced URL filtering") use a proxy in the traffic path to inspect the full path and page content, which is more granular but heavier to run. They complement each other: DNS filtering is the broad first layer for every device; URL filtering adds page-level control where you need it.
Will DNS filtering slow down my internet?
No. DNS filtering doesn't touch bandwidth — it only answers the small address-lookup question, then the connection proceeds normally. In practice it can make browsing feel faster, because the filtering resolver caches answers: once any device looks up a domain, the next lookup is near-instant. The added security comes with no real performance cost.

Related reading