DNS Filtering: Protecting Your Network from Malicious Websites
DNS filtering blocks access to dangerous websites before they can load. It’s one of the simplest and most effective security layers you can add to your network, and it works for businesses of any size.
How DNS Filtering Works
Every time you visit a website, your device first asks a DNS server to translate the domain name (like google.com) into an IP address. DNS filtering intercepts this step. If the requested domain is on a blocklist of known malicious sites, the request gets blocked before your browser ever connects.
This stops threats at the network level:
- Phishing sites that mimic banks, email providers, or business services
- Malware distribution sites that deliver ransomware, trojans, or spyware
- Command-and-control servers that compromised devices phone home to
- Botnet infrastructure used to coordinate attacks
Options for Your Business
OpenDNS (Free Tier)
Good for home users and very small businesses.
- Free to use with minimal setup
- Blocks known malicious domains
- Optional content filtering (parental controls)
- Faster DNS resolution can improve browsing speed
- Setup: Change your router’s DNS settings to OpenDNS servers (208.67.222.222 and 208.67.220.220)
Cisco Umbrella (Business)
Enterprise-grade DNS security built on OpenDNS infrastructure.
- Advanced threat intelligence with real-time updates
- Cloud-managed – no hardware to install or maintain
- Global network for fast resolution regardless of location
- Integrates with existing security tools (SIEM, firewalls, endpoint protection)
- Reporting and analytics for visibility into DNS activity
- Protects off-network devices (remote workers)
Other Options
- Cloudflare Gateway – part of Cloudflare Zero Trust, free tier available
- NextDNS – configurable filtering with privacy focus
- Pi-hole – self-hosted, open-source DNS filtering (good for technical teams)
Setting Up DNS Filtering
Basic Setup (Any Provider)
- Choose your DNS filtering provider
- Create an account and configure your filtering policies
- Update your router’s DNS server settings to point to the provider’s servers
- Test by trying to access a known test page (most providers offer one)
- Verify all devices on the network are using the new DNS settings
For Businesses
- [ ] Configure DNS filtering at the router/firewall level so it covers all devices
- [ ] Block categories relevant to your risk profile (malware, phishing, newly registered domains)
- [ ] Set up logging to track blocked requests and identify compromised devices
- [ ] Configure alerts for high volumes of blocked requests from a single device (may indicate malware)
- [ ] Ensure remote/VPN users are also covered by your DNS filtering
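One way to implement the logging and alerting items above, as an added example that is not part of the original page: the script scans a DNS filter log and flags any device whose blocked lookups reach a threshold inside a sliding time window. The log layout, the `parse_line` and `find_noisy_clients` names, the threshold of 5, and the 5-minute window are assumptions for illustration; adapt the parser to your provider's actual log export.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. The "timestamp client action domain" layout is an
# assumption for this example, not any provider's real export format.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z 192.168.1.10 ALLOWED intranet.example
2024-05-01T09:00:05Z 192.168.1.23 BLOCKED a1.bad.example
2024-05-01T09:00:35Z 192.168.1.23 BLOCKED a2.bad.example
2024-05-01T09:01:05Z 192.168.1.23 BLOCKED a3.bad.example
2024-05-01T09:01:10Z 192.168.1.10 BLOCKED ads.tracker.example
2024-05-01T09:01:35Z 192.168.1.23 BLOCKED a4.bad.example
2024-05-01T09:02:05Z 192.168.1.23 BLOCKED a5.bad.example
2024-05-01T09:02:35Z 192.168.1.23 BLOCKED a1.bad.example
truncated line
2024-05-01T09:40:00Z 192.168.1.10 BLOCKED ads.tracker.example
"""

def parse_line(line):
    """Return (timestamp, client, action, domain), or None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return ts, parts[1], parts[2].upper(), parts[3].lower().rstrip(".")

def find_noisy_clients(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {client: (peak_blocked_in_window, distinct_blocked_domains)} for
    clients with at least `threshold` blocked lookups inside any window."""
    recent = defaultdict(deque)   # client -> blocked timestamps still in window
    domains = defaultdict(set)    # client -> every blocked domain seen
    peak = defaultdict(int)       # client -> largest in-window count so far
    for line in log_text.splitlines():   # assumes chronological order
        rec = parse_line(line)
        if rec is None or rec[2] != "BLOCKED":
            continue
        ts, client, _, domain = rec
        q = recent[client]
        q.append(ts)
        while ts - q[0] > window:        # drop entries older than the window
            q.popleft()
        peak[client] = max(peak[client], len(q))
        domains[client].add(domain)
    return {c: (peak[c], len(domains[c])) for c in peak if peak[c] >= threshold}
```

On the sample log only 192.168.1.23 is flagged; the two blocked lookups from 192.168.1.10 are 39 minutes apart and never share a window.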
DNS Filtering Is One Layer
DNS filtering is effective, but it’s not a complete security solution. Combine it with:
- [ ] Email security – anti-phishing and attachment scanning
- [ ] Endpoint protection – EDR/antivirus on all devices
- [ ] MFA – on all accounts
- [ ] Software updates – patch everything regularly
- [ ] Employee training – teach people to recognize threats
- [ ] Regular security audits – find gaps before attackers do
Quick Start Checklist
- [ ] Choose a DNS filtering solution appropriate for your size
- [ ] Configure it at the network level (router/firewall)
- [ ] Block malware, phishing, and botnet categories at minimum
- [ ] Enable logging and review it weekly
- [ ] Test that filtering is working (try accessing a test block page)
- [ ] Ensure coverage extends to remote workers
- [ ] Document DNS settings and share with IT staff
- [ ] Review and update filtering policies quarterly