The problem this solves
Every device your team uses — the desktop in the office, the laptop at a home kitchen table, the phone on hotel Wi-Fi — reaches out to domains all day. Some of those domains are phishing pages, malware command-and-control, or scam infrastructure. The cheapest place to stop a connection to one of them is at the domain-lookup step, before anything loads. That control is DNS filtering.
This guide is about choosing a service, not explaining the mechanism. If you want the plain-English version of what DNS filtering is and how it works, read the companion explainer: What is DNS filtering, and why does it matter? Here we assume you already know the basics and want to know what to buy, what to look for, and whether to run it yourself or have it managed.
What a business DNS filtering service should do
Most products will resolve clean domains and block known-bad ones. That is table stakes. The features that separate a real business service from a hobbyist resolver are these:
- Roaming, off-network coverage. A lightweight agent on every laptop so the policy follows the device to home, the coffee shop, and the airport — not just inside the office.
- Quality threat intelligence. Feeds that catalogue new malicious and newly registered domains within minutes to hours, plus classification that performs well on fresh domains rather than waiting days for a list to update.
- Category policy by role. Block high-risk and unwanted categories for everyone, then loosen or tighten by team or device without rebuilding from scratch.
- Reporting and audit logs. A readable record of what was blocked, for whom, and when — useful for tuning, for incident review, and for cyber insurance questions.
- Microsoft 365 and identity integration. Tying policy and reporting to user identity rather than just an IP address, so a person's coverage moves with them.
- A clear block page. When a site is stopped, the user sees a plain explanation and a way to ask for review — not a confusing browser error.
- An allowlist workflow. A simple, fast path to clear a false positive so a legitimate site does not become a support fire drill.
DIY vs. managed DNS filtering
The simplest do-it-yourself option is pointing your router at a public resolver such as 1.1.1.1, Quad9, or OpenDNS. That adds a thin layer of protection, and for a home it is fine. For a business it is not a managed control. There is no per-role policy, no per-device reporting, no coverage for the laptop that leaves the building, and no one watching what gets blocked or clearing the false positives.
Even a paid business service bought on its own is only half the job. A console does not deploy itself to every endpoint, set sensible category policy, read the weekly reports, or notice when a blocked domain is actually a vendor your accounting team needs. Someone has to own those tasks. In a small business that someone usually does not exist, so the tool gets installed, half-configured, and forgotten.
That is why a managed approach fits small businesses. The provider handles deployment to every device, sets and tunes the policy, monitors the reports, and clears exceptions — so you get the outcome, not a login you never use. The cost is rolled into a predictable per-device plan instead of a separate bill plus the labor it implies.
How to evaluate providers
The landscape has a handful of credible enterprise-grade resolvers. The common names are Cisco Umbrella, DNSFilter, and NextDNS. All three can block malicious domains and apply category policy; what actually differentiates them for a small business is narrower.
- Roaming agent. Confirm there is a real endpoint agent for Windows, macOS, iOS, and Android, so coverage follows laptops and phones off the network. DNSFilter and NextDNS both offer lightweight roaming clients.
- Microsoft 365 / identity integration. Check whether policy and reporting can be tied to identity, not just network location.
- Reporting and support. Readable reports and responsive support matter more day to day than a long feature list.
- Price per seat. DNSFilter publishes transparent per-user pricing of roughly $1 to a few dollars per user per month, depending on tier. NextDNS uses a flat annual fee per account rather than per-seat billing. Cisco Umbrella is capable but does not publish list pricing and is sold through quotes; third-party estimates place its entry tiers higher per user, and it is aimed at larger buyers.
None of these is wrong. For a small business, DNSFilter and NextDNS tend to be the cleaner fit on price and simplicity; Umbrella suits organizations already standardized on Cisco. Verify current pricing and features on each vendor's own page before deciding — this market changes.
How Micro-IT delivers DNS filtering
We do not sell DNS filtering as a standalone line item. It is part of the managed stack — on every endpoint, on or off the network, via a roaming agent — included in the Managed Endpoint plan at $79 per device per month. We build it on DNSFilter and NextDNS, set category policy by role and vertical, and the team tunes and monitors it alongside the rest of the controls. Reporting lands in the same review as everything else, so blocked-domain trends are something we watch, not something you have to.
That endpoint plan sits next to Managed Inbox ($20 per mailbox) and Managed Site ($149+ per site), and it is backed by a 24/7 SOC, enforced MFA, EDR on every device, and immutable backups. Because DNS filtering is bundled, there is no separate per-seat DNS price to quote — for a number that fits your fleet, see our plans or call 270.816.5726. If you would rather start with where your gaps are, the free risk check is a good first step.
