Table of Contents
- Why Your Business Needs DNS Filtering
- What DNS Filtering Blocks
- How DNS Filtering Fits Into a Layered Security Stack
- Visibility and Reporting
- Deployment and Management Considerations
- Get Started with Stratify IT
- Frequently Asked Questions
- 1. Does DNS filtering work if employees are using a VPN or a mobile hotspot instead of the company network?
- 2. Can DNS filtering cause false positives that block legitimate websites?
- 3. How does DNS filtering interact with encrypted DNS protocols like DNS-over-HTTPS?
- 4. Is DNS filtering sufficient on its own, or does it need to be paired with other tools?
- 5. What happens to DNS filter logs, and are they useful for anything beyond blocking threats?
- 6. How long does it take to deploy DNS filtering across an existing network?
Why Your Business Needs DNS Filtering
Every time a user on your network visits a website, their device first sends a DNS query — a request to translate a domain name like example.com into an IP address. That lookup happens before the page loads, before any file downloads, before any connection is established. DNS filtering intercepts that query and checks the requested domain against a blocklist of known malicious, phishing, and malware-hosting sites. If the domain is flagged, the connection is blocked before it ever reaches the user's browser.
That pre-connection intercept is what makes DNS filtering different from most other security controls. Endpoint detection and response (EDR) tools catch threats after a file lands on a device. Email filters block malicious attachments before they reach inboxes. DNS filtering blocks the underlying network request itself — stopping drive-by downloads, command-and-control callbacks, and phishing pages before any code executes or any credential is entered.
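As an added example (not Stratify IT's code or any vendor's), the pre-connection check described above applied to a raw DNS query: the QNAME is parsed out of the wire-format question and matched against threat, category and allow lists, a listed domain covering its subdomains. The domains and list contents are constructed for illustration, except dns.google, which is a real public DNS-over-HTTPS endpoint included to show how a resolver-endpoint category fits into the same policy.

```python
# Added example (not Stratify IT's or any vendor's code): the pre-connection
# check above, applied to a raw DNS query. All lists are constructed.
import struct

# Constructed lists; a listed domain also covers its subdomains. dns.google is
# a real public DoH endpoint: blocking such endpoints keeps browsers on the
# filtered resolver (see the DoH question in the FAQ).
THREAT = {"evil-login.example": "phishing", "c2.badinfra.example": "c2"}
CATEGORY = {"gambling-site.example": "gambling", "dns.google": "doh-resolver"}
BLOCKED_CATEGORIES = {"gambling", "doh-resolver"}
ALLOW = {"vendor-portal.example"}   # explicit allow-list entries win
def qname_from_query(packet):
    """Return the lower-cased QNAME of the first question in a DNS query."""
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12                    # question starts after the header
    while True:
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:                   # pointers are not valid here
            raise ValueError("compressed QNAME in query")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels).lower()

def _suffixes(name):
    """'a.b.c' -> ['a.b.c', 'b.c', 'c'], so parents of a name are checked."""
    parts = name.rstrip(".").split(".")
    return [".".join(parts[i:]) for i in range(len(parts))]

def decide(qname):
    """Return (action, reason); the reason is what lands in the query log."""
    suffixes = _suffixes(qname)
    if any(s in ALLOW for s in suffixes):
        return ("resolve", "allow-list")
    for s in suffixes:
        if s in THREAT:
            return ("block", "threat:" + THREAT[s])
        if CATEGORY.get(s) in BLOCKED_CATEGORIES:
            return ("block", "category:" + CATEGORY[s])
    return ("resolve", "no-match")

def build_query(name):
    """Build a minimal A query for name (constructed input for testing)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def filter_query(packet):
    return decide(qname_from_query(packet))
```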
What DNS Filtering Blocks
Phishing Sites
Phishing campaigns increasingly rely on newly registered domains that have no history with traditional reputation engines. DNS filtering platforms — including tools like Cisco Umbrella and Cloudflare Gateway — use machine learning to analyze domain registration patterns, query volume anomalies, and WHOIS data to flag suspicious domains within hours of registration. A link in a phishing email that passes email filtering may still be caught at the DNS layer when a user clicks it.
Malware Distribution and Command-and-Control
Malware infections typically require two DNS events: an initial download from a hosting domain, and ongoing callbacks to a command-and-control (C2) server. Blocking either disrupts the attack chain. DNS filtering cuts off C2 communication even when malware is already on a device — limiting what an attacker can do and buying time for remediation. Cisco research has consistently found that the vast majority of malware uses DNS at some point during an attack.
Ransomware Staging
Ransomware operators frequently use DNS to locate file servers, propagate laterally, and exfiltrate data before encrypting. DNS filtering configured to block known ransomware infrastructure — combined with alerts when internal devices attempt to resolve suspicious domains — gives security teams an early warning that something is wrong before files are locked.
Inappropriate and Off-Policy Web Access
Beyond threat blocking, DNS filtering enforces web access policies by category: social media, gambling, adult content, peer-to-peer file sharing, and other categories can be restricted across all devices on the network, including mobile devices using company Wi-Fi or VPN. This is particularly relevant for organizations with compliance obligations around acceptable use or data handling.
How DNS Filtering Fits Into a Layered Security Stack
No single security tool stops every attack. DNS filtering is most effective as part of a layered stack alongside endpoint protection, email filtering, and MFA — each tool covering gaps the others leave open.
Consider a common attack path: a credential-harvesting email gets through email filters, which happens regularly with lookalike domains; the user clicks the link, and their browser attempts to load a phishing page. At that point, endpoint protection hasn't been triggered because no file has downloaded yet. DNS filtering is the control that catches the domain lookup and prevents the page from loading.
The same logic applies to shadow IT. Employees accessing unauthorized cloud storage, personal email, or file-sharing services create data loss exposure that EDR tools don't directly address. DNS filtering lets IT teams see what domains are being resolved across the network and enforce policy on that traffic.
Visibility and Reporting
DNS filtering generates a log of every domain query made on your network — resolved or blocked. That data has security value beyond enforcement. Security teams can identify devices attempting to reach known bad domains, spot unusual query patterns that indicate compromise, and correlate DNS activity with other log sources during incident investigations.
For organizations subject to HIPAA, CMMC, or SOC 2, DNS logs also contribute to the audit trail demonstrating that access controls and monitoring are in place. Blocked query reports document policy enforcement over time in a format that maps to several compliance framework requirements.
Deployment and Management Considerations
Cloud-based DNS filtering (as opposed to on-premises DNS appliances) deploys in hours rather than weeks. Configuration typically involves pointing your network's DNS resolver to the filtering provider, then setting policies through a web-based dashboard. Most enterprise-grade platforms — including Cisco Umbrella, Palo Alto DNS Security, and Cloudflare Gateway — integrate with existing directory services like Active Directory, enabling user-level policy enforcement and per-user reporting.
For distributed teams and remote workers, agent-based clients extend DNS filtering to devices connecting from outside the corporate network. This matters because remote employees working from home or coffee shops bypass traditional network perimeter controls entirely — DNS filtering on the device itself maintains consistent enforcement regardless of where a user connects.
Ongoing management involves reviewing blocked-domain logs for false positives, updating policy categories as your organization's needs change, and tuning threat intelligence feeds. A managed IT provider handles that ongoing administration as part of your security stack — so the tool stays calibrated rather than sitting at default settings after initial deployment.
Get Started with Stratify IT
Stratify IT deploys and manages DNS filtering as part of a layered cybersecurity stack for businesses in New York City and the surrounding region. Our security implementations include DNS filtering alongside EDR, email filtering, SIEM log monitoring, and MFA enforcement — configured to work together rather than as disconnected point solutions.
For more on the SMB threat landscape DNS filtering is designed to address, including ransomware staging, phishing delivery, and malware callbacks, the broader context is covered separately. Contact Stratify IT to discuss your current security stack and where DNS filtering fits into your environment.
Frequently Asked Questions
1. Does DNS filtering work if employees are using a VPN or a mobile hotspot instead of the company network?
It depends on how the DNS filtering is deployed. If your organization uses an agent-based solution like Cisco Umbrella's roaming client, filtering follows the device regardless of network. Pure network-level DNS filtering — where you simply point your router to a filtered DNS resolver — only works on-network. With remote work being the norm for most companies, agent-based deployment is worth the added complexity.
2. Can DNS filtering cause false positives that block legitimate websites?
Yes, and it happens more often than vendors like to admit. Newly launched business websites, obscure software update servers, and domains that briefly shared infrastructure with a bad actor can all get flagged. Most platforms let you whitelist specific domains to resolve this quickly. The real operational question is who on your team has authority to approve those whitelist requests, and how fast they can act when someone can't reach a vendor portal mid-project.
3. How does DNS filtering interact with encrypted DNS protocols like DNS-over-HTTPS?
DNS-over-HTTPS (DoH) routes DNS queries through encrypted HTTPS traffic, which bypasses traditional DNS filtering entirely if left unmanaged. Browsers like Chrome and Firefox can enable DoH automatically. Most enterprise DNS filtering solutions address this by enforcing DNS settings via policy and blocking known DoH resolver endpoints. If you're not actively managing DoH on your endpoints, there's a real gap in your coverage worth closing.
4. Is DNS filtering sufficient on its own, or does it need to be paired with other tools?
It's genuinely useful on its own — particularly for blocking phishing clicks and C2 traffic — but it has clear limits. DNS filtering can't inspect payload content, detect insider threats, or catch threats delivered over already-trusted domains, which is increasingly common with attackers abusing services like Google Drive or Dropbox. Paired with EDR and email filtering, it closes specific gaps the other tools leave open. Alone, it leaves plenty of others.
5. What happens to DNS filter logs, and are they useful for anything beyond blocking threats?
DNS logs are actually one of the more underused forensic resources in a typical SMB environment. When an endpoint makes repeated queries to a suspicious domain at 3 a.m., that pattern can surface a compromised device before any alert fires. Most platforms retain query logs for 30 days by default, though enterprise tiers extend that. Security teams use these logs during incident investigations to reconstruct exactly what a device attempted to reach and when.
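An added example (not from the original page) of the log review described here and under Visibility and Reporting: constructed query-log lines are scanned for a device that resolves one domain at regular off-hours intervals, the 3 a.m. pattern mentioned above, and blocked queries are counted per client for follow-up. The log format, addresses and domains are assumptions made up for this example.

```python
# Added example (not Stratify IT's code): hunting in DNS filter logs for the
# off-hours callback pattern described above. Log lines are constructed.
from collections import defaultdict
from datetime import datetime, time
from statistics import pstdev

# Constructed log: timestamp, client address, queried name, filter verdict.
LOG = """\
2024-05-03T03:00:02 10.1.4.22 upd.badinfra.example blocked
2024-05-03T03:05:01 10.1.4.22 upd.badinfra.example blocked
2024-05-03T03:10:03 10.1.4.22 upd.badinfra.example blocked
2024-05-03T03:15:02 10.1.4.22 upd.badinfra.example blocked
2024-05-03T09:12:40 10.1.4.22 www.example.com resolved
2024-05-03T09:13:11 10.1.4.31 cdn.vendor.example resolved
2024-05-03T09:14:05 10.1.4.31 evil-login.example blocked
2024-05-03T03:30:00 10.1.4.40 ntp.example resolved
"""

def parse(log):
    """Yield (timestamp, client, qname, verdict) from the constructed format."""
    for line in log.splitlines():
        ts, client, qname, verdict = line.split()
        yield datetime.fromisoformat(ts), client, qname, verdict

def find_beacons(log, min_hits=3, max_jitter=10.0,
                 off_hours=(time(0), time(6))):
    """Return {(client, qname): mean interval in seconds} for names that one
    client resolves repeatedly, at near-constant spacing, during off hours."""
    series = defaultdict(list)
    for ts, client, qname, _ in parse(log):
        if off_hours[0] <= ts.time() < off_hours[1]:
            series[(client, qname)].append(ts)
    hits = {}
    for key, stamps in series.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter:      # regular spacing suggests a timer
            hits[key] = round(sum(gaps) / len(gaps))
    return hits

def blocked_by_client(log):
    """Count blocked queries per client to prioritise which devices to check."""
    counts = defaultdict(int)
    for _, client, _, verdict in parse(log):
        if verdict == "blocked":
            counts[client] += 1
    return dict(counts)
```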
6. How long does it take to deploy DNS filtering across an existing network?
For a network-level deployment — redirecting DNS queries to a filtered resolver like Cloudflare Gateway or Cisco Umbrella — setup can take under an hour for a single-site business. Agent-based rollout across dozens of endpoints takes longer, typically a few days when factoring in testing and policy configuration. The more time-consuming part is usually tuning the policy categories to avoid disrupting legitimate business tools, which varies considerably depending on what software your team relies on.