Hey folks!
I get asked about DNS filtering at least once a week, and I hear the same concerns every time: “Craig, isn’t my antivirus enough?” or “Sounds complicated — I don’t have time for that.”
Here’s the thing most people miss: DNS filtering is one of the easiest, most effective layers of protection you can add to your network. And yes, I said layers — because relying on just one security tool is like locking your front door but leaving all your windows wide open.
Let me explain what DNS filtering actually does, bust some common myths I hear all the time, and show you how to get it set up in minutes, not hours.
Think of DNS (Domain Name System) as the internet’s phone book. When you type “amazon.com” into your browser, DNS translates that into the actual IP address (like 205.251.242.103) that computers use to communicate. Thank goodness we don’t have to memorize those numbers — passwords are hard enough to remember as it is!
DNS filtering sits at this translation layer and acts as a bouncer. Before your computer connects to a website, the DNS filter checks: “Is this site safe? Is it on the company’s blocked list?” If the site is known to be dangerous or is on the blocked list, you get a block page instead of malware, ransomware, or that rabbit hole of cat videos.
The beauty is this all happens in milliseconds, before any data is transferred. It’s fast, efficient, and catches threats at the door.
Here’s the practical reality of what a good DNS filter stops:
Malware and ransomware sites — Blocks access to known malicious domains before your computer can download anything dangerous. I’ve seen businesses saved from CryptoLocker infections dozens of times just because their DNS filter caught it first.
Phishing attacks — Stops employees from accidentally landing on fake Microsoft or bank login pages designed to steal credentials.
Botnets and command-and-control servers — Prevents infected devices from calling home to attackers. Even if something sneaks onto your network, it can’t communicate out.
Inappropriate or time-wasting sites — Keeps employees off gambling, adult content, streaming services, and social media (if that’s your policy). This isn’t about being the office police — it’s about protecting productivity and your business from liability.
Copyright infringement risks — If someone’s torrenting movies from your IP address, guess who gets the lawsuit? Your business. DNS filtering can block file-sharing sites before they become a legal headache.
Bandwidth hogs — Netflix and YouTube can chew through your internet connection. Sometimes you need to block them just to keep your VoIP phones working.
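To make the “bouncer at the translation layer” concrete, here is a small simulation I’ve added to this post; it is not code from the post’s author or from any filtering vendor. It models a filtering resolver: it strips a request down to the hostname (which is all DNS ever sees), walks up through the parent domains against a category list so that a listed domain also covers its subdomains, and answers with either a block-page address or the real one. The domains, categories, addresses and the allowed_categories per-group knob are all constructed for the example.

```python
"""Simulated DNS-layer filter (added example; the policy data below is constructed, not a vendor's)."""
from urllib.parse import urlsplit

# Constructed category list. Listing a domain covers every subdomain under it.
CATEGORIES = {
    "malware-drop.example": "malware",
    "login-micros0ft.example": "phishing",
    "beacon-home.example": "botnet",
    "bigtorrents.example": "p2p",
    "video-stream.example": "streaming",
}
# Categories the default policy blocks; a per-group policy can re-allow some of them.
BLOCKED_CATEGORIES = {"malware", "phishing", "botnet", "p2p", "streaming"}
# Constructed "phone book" for names the resolver would answer normally.
ZONE = {
    "shop.example": "192.0.2.10",
    "video-stream.example": "192.0.2.20",
    "cdn.malware-drop.example": "192.0.2.30",
}
BLOCK_PAGE_IP = "192.0.2.254"  # constructed; a real service answers with its own block-page address


def hostname_of(target):
    """Reduce a URL or bare name to the hostname, which is all a DNS filter ever sees.

    The path and query string ('/payload.exe', '?id=...') never reach DNS at all.
    """
    if "://" not in target:
        target = "//" + target          # lets urlsplit treat a bare name as the host part
    host = urlsplit(target).hostname or ""
    return host.rstrip(".")


def lookup_category(host):
    """Walk from the full name up through its parents: 'cdn.evil.example' matches 'evil.example'."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in CATEGORIES:
            return CATEGORIES[candidate]
    return None


def resolve(target, allowed_categories=()):
    """Answer like a filtering resolver: (ip_or_NXDOMAIN, verdict, category).

    allowed_categories models the per-group exception (e.g. the IT group gets 'streaming').
    """
    host = hostname_of(target)
    category = lookup_category(host)
    if category in BLOCKED_CATEGORIES and category not in allowed_categories:
        return BLOCK_PAGE_IP, "blocked", category
    return ZONE.get(host, "NXDOMAIN"), "allowed", category


if __name__ == "__main__":
    for req in ("https://cdn.malware-drop.example/payload.exe",
                "shop.example",
                "https://shop.example/totally-not-malware.exe",
                "video-stream.example"):
        print(req, "->", resolve(req))
    print("IT group:", resolve("video-stream.example", allowed_categories={"streaming"}))
```

Two things worth noticing when you run it: the request for `https://shop.example/totally-not-malware.exe` sails through because `shop.example` is clean and the filter never sees the path, which is exactly the limitation the post spells out later; and a single entry for `malware-drop.example` is enough to catch `cdn.malware-drop.example`, which is how real blocklists cover whole domains rather than individual hostnames.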
I hear this one a lot, and here’s what I always say: antivirus is critical, but it’s not enough.
First, antivirus only catches known threats. New malware variants appear constantly, and there’s always a window where your antivirus doesn’t recognize them yet.
Second, users turn off antivirus. I’ve seen it hundreds of times. Someone in accounting thinks it’s slowing down their computer, so they disable it. Or an executive needs to install something sketchy, and they click right through the warnings. You can’t always stop this with Group Policy — especially when the culprits are the bosses.
Third, antivirus can’t filter content that isn’t infected. It won’t stop employees from wasting hours on Facebook or downloading pirated software that gets your IP blacklisted.
DNS filtering catches threats before they reach your computers. It’s another layer, and layers matter. As I always say: One door left unlocked makes all the other locks pointless.
Not even close.
DNS filtering works in three simple steps:
That’s it. Once you get the IP address, DNS is done — it’s not tracking everything you do on that site. It’s just the gatekeeper at the front door.
For most small businesses, setup is literally changing two settings in your router: pointing your primary and secondary DNS servers to a filtering service. I’m talking minutes, not days.
Yeah, some will try. You always have that one guy who thinks he’s smarter than IT because he can Google “how to change my DNS settings.”
But here’s what you can do: set firewall rules that block DNS requests to anything except your approved filtering service. Lock down port 53 (the DNS port) so outbound DNS traffic can only reach your approved DNS servers. If your firewall allows it, also block traffic to known proxy sites and VPN services.
Will this stop everyone? No. A truly determined user with admin rights on their computer can probably get around it. But that’s where endpoint monitoring and acceptable use policies come in. You’re creating layers of protection and documentation. If someone goes out of their way to bypass security, you’ve got a personnel problem, not just a technical one.
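Here’s an added example (mine, not the post’s) of the check that goes with those firewall rules: scan the firewall log for DNS traffic that isn’t headed to your approved resolvers, which is how you find the “one guy” before he finds you. The log format and the client addresses are constructed; the approved addresses are the published Cisco Umbrella / OpenDNS resolvers, which you would swap for whatever your own service hands you.

```python
"""Find clients whose DNS traffic bypasses the filtering resolver (added example; log lines are constructed)."""
import re
from collections import defaultdict

# Resolvers your DHCP/router hands out. These are the published Cisco Umbrella / OpenDNS
# addresses; replace them with whatever your filtering service assigns you.
APPROVED_RESOLVERS = {"208.67.222.222", "208.67.220.220"}

# Ports that carry DNS: 53 (plain) and 853 (DNS over TLS). DNS over HTTPS rides on 443 and
# looks like ordinary web traffic at this level, which is why the post pairs the port 53
# rule with blocking known proxy/VPN services.
DNS_PORTS = {53, 853}

# Constructed firewall log in a key=value style; adjust LINE_RE for your firewall's format.
SAMPLE_LOG = """\
2024-05-01T09:00:01 action=allow src=10.0.0.23 dst=208.67.222.222 proto=udp dport=53
2024-05-01T09:00:02 action=allow src=10.0.0.23 dst=208.67.220.220 proto=tcp dport=53
2024-05-01T09:00:05 action=allow src=10.0.0.41 dst=8.8.8.8 proto=udp dport=53
2024-05-01T09:00:06 action=allow src=10.0.0.41 dst=8.8.8.8 proto=udp dport=53
2024-05-01T09:00:09 action=allow src=10.0.0.57 dst=1.1.1.1 proto=tcp dport=853
2024-05-01T09:00:11 action=allow src=10.0.0.23 dst=192.0.2.80 proto=tcp dport=443
2024-05-01T09:00:15 action=deny  src=10.0.0.41 dst=9.9.9.9 proto=udp dport=53
"""

LINE_RE = re.compile(
    r"action=(?P<action>\w+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)"
    r"\s+proto=\w+\s+dport=(?P<dport>\d+)"
)


def find_bypassers(log_text):
    """Return {client: {resolver: {'allow': n, 'deny': n}}} for DNS traffic to unapproved resolvers.

    A 'deny' entry means the port 53 rule did its job but the client's DNS settings were
    still changed; an 'allow' entry means the rule is missing or has a hole in it.
    """
    hits = defaultdict(lambda: defaultdict(lambda: {"allow": 0, "deny": 0}))
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m["dport"]) not in DNS_PORTS:
            continue
        if m["dst"] in APPROVED_RESOLVERS:
            continue                      # going where DHCP told it to go
        action = "allow" if m["action"] == "allow" else "deny"
        hits[m["src"]][m["dst"]][action] += 1
    return {client: dict(dests) for client, dests in hits.items()}


def rule_gaps(report):
    """(client, resolver) pairs whose bypass traffic was allowed through: the firewall rule needs fixing."""
    return sorted((c, r) for c, dests in report.items() for r, n in dests.items() if n["allow"])


if __name__ == "__main__":
    report = find_bypassers(SAMPLE_LOG)
    for client, dests in sorted(report.items()):
        for resolver, counts in sorted(dests.items()):
            print(f"{client} -> {resolver}: allowed={counts['allow']} denied={counts['deny']}")
    print("rule gaps:", rule_gaps(report))
```

On the constructed log, 10.0.0.23 never shows up because all of its DNS went to the approved resolvers; 10.0.0.41 has two allowed queries to 8.8.8.8 (a hole in the rule) and one denied query to 9.9.9.9 (the rule working, but the machine’s settings are still wrong); and 10.0.0.57 is talking DNS over TLS to 1.1.1.1 on port 853, which a rule that only covers port 53 would miss entirely. The entries under “rule gaps” are the ones to fix on the firewall; the denied ones are the conversation to have with the user.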
This is one of those things that sounds harder than it is.
For a basic setup, you’re making one configuration change in your router or DHCP server. You point your DNS settings to your filtering service, set your policies in a web dashboard, and you’re done.
On a typical small business network, I can have this running in under 15 minutes. No software to install on every computer. No complicated agent deployments. Just change the DNS servers and let the cloud service do the heavy lifting.
The hard part isn’t the technology — it’s deciding what to block and communicating your internet usage policy to employees.
I’ve tested a lot of DNS filtering services over the years, and my go-to recommendation is Cisco Umbrella (formerly OpenDNS).
Here’s why it earns its place:
Cloud-based — No servers to maintain, no software to install. Just point your DNS settings to Umbrella’s servers and you’re protected.
Fast — Umbrella resolves DNS queries faster than most ISP-provided DNS servers. You actually get better performance, not worse.
Comprehensive threat intelligence — Umbrella blocks access to over 20 million risky domains and updates constantly as new threats emerge.
Granular control — You can create different policies for different groups. Maybe your IT team needs open access, but everyone else is restricted. Easy to set up.
Roaming protection — Install the lightweight agent on laptops and your employees stay protected even when they’re working from home or at Starbucks.
Active Directory integration — If you have a Windows domain, Umbrella can give you per-user reporting so you know exactly who’s trying to access what.
Reporting — Over 50 pre-built reports showing blocked threats, attempted visits to inappropriate sites, and top bandwidth users.
Home users: Umbrella has a free tier (Cisco Umbrella Home) that’s great for protecting your family. Just change your router’s DNS settings to their servers.
Small businesses: The paid plans start around $2-3 per user per month. For that price, you get enterprise-level protection without enterprise-level complexity.
Larger organizations: Umbrella scales beautifully and integrates with Active Directory, SIEM tools, and other security platforms.
Look, I always tell people what a tool won’t do, not just what it will. DNS filtering is powerful, but it’s not magic:
It won’t catch everything — Encrypted traffic (HTTPS) means DNS can only see the domain name, not the specific page. If “example.com” is clean but “example.com/malware” isn’t, DNS filtering might let it through.
It won’t replace antivirus — You still need endpoint protection. DNS filtering is a layer, not the whole solution.
It won’t give you deep visibility — DNS logging shows attempted connections, not what users actually did on allowed sites or how long they stayed. For that level of detail, you need a full web proxy.
It won’t stop determined insiders — If someone has admin rights on their computer and really wants to bypass your filters, they probably can. This is where employee policies and endpoint monitoring come in.
It won’t protect against all phishing — If attackers use a brand-new domain that hasn’t been categorized yet, DNS filtering might not catch it. Train your users to recognize phishing attempts — technology alone isn’t enough.
Here’s what you can do today to get started:
DNS filtering is one of the easiest, most cost-effective security layers you can add. It’s not perfect, but nothing is. The goal is to make it harder for threats to get in and easier for you to spot problems before they become disasters.
If you’ve been putting off DNS filtering because it seemed complicated or expensive, I hope I’ve convinced you otherwise. This is low-hanging fruit in the security world — grab it.
Got questions about DNS filtering or need help setting it up? Drop me a line or shoot me an email. I’m always happy to help.
Stay safe out there.
— Craig
Join thousands of security professionals who receive Craig Peterson's Insider Show Notes and cybersecurity updates.