Filtering DNS to Improve Security
Let me tell you about one of my favorite “set it and forget it” security tools — something that works quietly in the background protecting you around the clock, and that most people have never even heard of. I’m talking about DNS filtering, and once you understand what it does, you’re going to wonder why you haven’t had it running already.
So What Exactly Is DNS?
Every time you click a link or type a web address, your device sends out a little question to the internet: “Hey, where does this address actually live?” That lookup system is called DNS — think of it as the internet’s phone book. It translates human-readable addresses like “yourbank.com” into the actual numerical addresses computers use to find each other.
DNS filtering puts a smart checkpoint in front of that process. Before your device even connects to a website, the filter checks the destination against a constantly updated list of known bad actors — malware sites, phishing pages, ransomware command centers, and more. If it’s on the list, the connection gets blocked before anything bad can happen.
No connection. No payload. No damage.
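To make that checkpoint concrete, here is an added sketch (not code from this post or from any filtering provider) of the decision a filtering resolver makes on each lookup: clean up the name, match it against the blocklist one label at a time, and hand back a block-page address instead of the real one. The blocklist entries, IP addresses and function names are all constructed for the example.

```python
# Added example: the per-lookup decision a DNS filter makes.
# Blocklist entries, addresses and names are constructed placeholders.

BLOCKLIST = {"malware-c2.example", "phish-login.example"}
BLOCK_PAGE_IP = "192.0.2.1"            # documentation address standing in for a block page
UPSTREAM = {                           # stand-in for the real DNS answers
    "yourbank.example": "198.51.100.10",
    "notmalware-c2.example": "198.51.100.20",
}


def normalize(name: str) -> str:
    """Lower-case the name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")


def blocked_by(name: str, blocklist=BLOCKLIST):
    """Return the blocklist entry covering `name`, or None.

    The name is walked up one label at a time, so an entry covers its
    subdomains but not an unrelated name that merely ends in the same text.
    """
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def resolve(name: str) -> dict:
    """Answer a lookup the way a filtering resolver would."""
    clean = normalize(name)
    rule = blocked_by(clean)
    if rule is not None:
        return {"name": clean, "action": "blocked", "rule": rule,
                "answer": BLOCK_PAGE_IP}
    return {"name": clean, "action": "allowed", "rule": None,
            "answer": UPSTREAM.get(clean)}


if __name__ == "__main__":
    # Constructed sample lookups
    for query in ("YourBank.example.", "cdn.malware-c2.example",
                  "notmalware-c2.example"):
        print(resolve(query))
```

The third lookup is the case worth noticing: it ends in the same characters as a blocked name but is a different domain, so it is allowed.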
Why This Matters More Than You Think
Here’s the thing most people miss: a lot of attacks never touch your device directly. They work by tricking your device into calling home — reaching out to a remote server to download malware, get encryption keys, or hand over your data. DNS filtering cuts that phone line before the call goes through.
That means even if someone on your network clicks a bad link — and eventually, someone will — the filter can stop the attack in its tracks before it does any real damage.
Here’s what it protects you against:
• Ransomware — blocks the command-and-control servers ransomware needs to encrypt your files
• Phishing sites — stops lookalike login pages before they ever load on screen
• Malware downloads — prevents connections to known malware distribution points
• Data exfiltration — catches malware trying to sneak your data out through DNS
• Trackers and ad networks — keeps advertisers from quietly building profiles on your browsing habits
• Inappropriate content — lets you set category-based rules for your home or business network
What About Ransomware Specifically?
I want to spend a moment here because ransomware is the threat I get asked about most — and DNS filtering is genuinely one of the best early defenses against it.
Ransomware doesn’t work alone. Once it’s on your device, it needs to reach out to the attacker’s server to get the encryption keys it uses to lock up your files. No connection, no keys. No keys, no ransomware attack.
DNS filtering is like cutting the criminal’s phone line before he can call his boss for instructions. It’s not the only defense you need, but it’s a powerful one — and it works even when the user has already made a mistake and clicked something they shouldn’t have.
Which Service Should You Use?
For home users and families: OpenDNS is my go-to recommendation. There’s a free tier that gives you solid malware and content filtering with very little setup. It’s been around forever, it’s reliable, and it works.
For small and mid-size businesses: Cisco Umbrella is the enterprise-grade version of OpenDNS — same company, much more horsepower. It’s what I use for my computers and for our customers. You get detailed logging, policy controls, roaming protection for laptops that leave the office, and integration with your other security tools. If you’re running a business, this is where I’d point you.
Setting It Up
For most home setups, you can have this running in about ten minutes:
1. Log into your router’s admin panel (usually by typing 192.168.1.1 in your browser)
2. Find the DNS settings — usually under WAN, Internet, or Network settings
3. Replace the existing DNS addresses with the ones from OpenDNS or your chosen provider
4. Save the settings and reboot the router
Every device on your network — phones, laptops, tablets, smart TVs, everything — automatically goes through the filter from that point on. No software to install on individual devices.
Businesses will want to look at the roaming client option so the protection follows your people when they’re working from coffee shops, hotels, or home.
Your DNS Filtering Checklist
Print this out and stick it on the wall:
• [ ] Choose a DNS filtering provider (OpenDNS for home, Cisco Umbrella for business)
• [ ] Log into your router and update the DNS server addresses
• [ ] Enable malware and phishing protection categories at minimum
• [ ] If you have kids at home, enable content filtering categories too
• [ ] For businesses: deploy the roaming client for off-network devices
• [ ] Verify the filter is working by visiting dnsleaktest.com
• [ ] Check your filter’s logs monthly — you’ll be surprised what it’s catching
• [ ] Review and update your category blocking settings every 6 months
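For the "update the DNS server addresses" item, one way to confirm that a particular machine really points at the filter is to audit its resolver settings. This is an added example, not part of the original checklist or any provider's tooling; it assumes a Linux-style resolv.conf file, and the provider addresses and sample file contents are constructed placeholders to replace with the ones your provider gives you.

```python
# Added example: confirm a machine's DNS settings point at the filter.
# Provider addresses and sample file contents are constructed placeholders.
import ipaddress

ROUTER = "192.168.1.1"                                  # router address from the setup steps
PROVIDER_RESOLVERS = {"203.0.113.53", "203.0.113.54"}   # placeholder filtering resolvers
ALLOWED = frozenset(PROVIDER_RESOLVERS | {ROUTER})


def nameservers(resolv_conf_text: str) -> list:
    """Extract nameserver addresses from resolv.conf-style text."""
    found = []
    for raw in resolv_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":                 # skip blanks and comments
            continue
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                # Drop any IPv6 scope suffix such as %eth0 before parsing
                found.append(str(ipaddress.ip_address(parts[1].split("%")[0])))
            except ValueError:
                continue                                # ignore malformed entries
    return found


def audit(resolv_conf_text: str, allowed=ALLOWED):
    """Return (ok, unfiltered), where unfiltered lists resolvers outside the filter."""
    servers = nameservers(resolv_conf_text)
    unfiltered = [s for s in servers if s not in allowed]
    return (bool(servers) and not unfiltered, unfiltered)


# Constructed samples: one clean machine, one with a hand-set extra resolver
GOOD = "nameserver 192.168.1.1\n"
MIXED = "# set by hand\nnameserver 192.168.1.1\nnameserver 198.51.100.8\n"

if __name__ == "__main__":
    try:
        with open("/etc/resolv.conf") as fh:
            print(audit(fh.read()))
    except FileNotFoundError:
        print(audit(MIXED))
```

On systems that run a local stub resolver, the file lists a loopback address, so add it to the allowed set only after checking what the stub forwards to.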
One Important Note
DNS filtering is a layer — a really good one — but it’s not the whole picture. It won’t stop every threat, and attackers are always looking for ways around it. You still need solid endpoint protection, email security, regular patching, and — I can’t stress this enough — user training.
But as a first line of defense that runs silently in the background, costs little or nothing to set up, and protects every device on your network automatically? DNS filtering absolutely earns its place.
Give it a shot. And as always, if you’ve got questions, drop me a line or shoot me an email. Stay safe out there.
— Craig