Everything you need to know about DNS filtering

Ransomware and other types of malware pose a serious threat to your business, putting you at extreme risk of extended downtime, data breaches, and the loss of valuable resources. Your IT system can get infected by malware in several ways, one of which is when your employees visit and download content from malicious websites — whether accidentally or on purpose. For this reason, it’s crucial that you restrict access to certain websites by implementing solutions like domain name system (DNS) filtering.

What is DNS filtering?

DNS filtering is a method that prevents users from accessing certain websites, pages, and IP addresses. You can use it to stop your employees from visiting harmful, distracting, and non-work-related websites, such as porn, gambling, and gaming sites, and video streaming services.

By blacklisting the majority of malicious sites, DNS filtering can significantly reduce the risks they pose to your business.

How does DNS filtering work?

Websites are identified by their domain name (e.g., Facebook.com) and by a unique IP address (e.g., 69.63.176.13). The DNS is like a phonebook that maps domain names to their corresponding IP addresses, so that computers can find the right website when users type only a domain name.

After you type the website’s domain name into your web browser’s address bar, a DNS server looks up the site’s IP address. This step, called a DNS query, tells your browser where the site is hosted. Once the site is found, the browser connects to it and loads the page. Depending on factors like internet speed, these steps usually take less than a second.

DNS filtering adds a few steps to the process just described. During the DNS query, the DNS server first examines the website you’re attempting to visit. Access is blocked if the website fails any of the following checks:

  • The website must not be on a blacklist of previously identified malicious websites.
  • If the website is new, it must not have been identified as malicious by a previous crawl.
  • If the website has not been crawled, it must pass a real-time content analysis conducted by the DNS filter.

If access is blocked, you are redirected to a block page at a local IP address that explains why you cannot visit the site. These additional steps add very little latency and have little to no impact on your browsing speed.
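The following is an added illustration of that decision flow and is not code from the original article or from Fidelis. It is a toy filtering resolver in Python: it applies the three checks above in order (blacklist, earlier crawl results, real-time analysis), enforces an acceptable usage policy on top of the always-blocked malware category, answers blocked names with the address of an internal block page, and records each block so the event can be reviewed later. All domains, IP addresses, category data and the block-page address are constructed for the example; a real deployment takes them from a threat-intelligence feed, a recursive resolver and your own policy.

```python
"""Toy DNS filtering resolver (constructed example, not a production filter)."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterator, List, Optional, Set

# Address of the internal block page users are redirected to (assumed value).
BLOCK_PAGE_IP = "10.0.0.53"

# Check 1: blacklist of previously identified malicious sites (constructed).
BLOCKLIST: Dict[str, str] = {"malware.example": "malware"}

# Check 2: categories assigned to sites by earlier crawls (constructed).
CRAWL_RESULTS: Dict[str, str] = {
    "free-proxy.example": "proxy",
    "videos.example": "streaming",
    "intranet.example": "business",
}

# Answers an upstream recursive resolver would return (constructed).
UPSTREAM: Dict[str, str] = {
    "intranet.example": "192.0.2.10",
    "malware.example": "198.51.100.7",
    "cdn.malware.example": "198.51.100.8",
    "free-proxy.example": "203.0.113.5",
    "videos.example": "203.0.113.9",
    "brand-new.example": "203.0.113.77",
}

# Acceptable usage policy: categories blocked in addition to malware,
# which is blocked regardless of policy.
POLICY_BLOCKED: Set[str] = {"proxy", "streaming"}

# Record of block events, the raw material for later review or alerting.
BLOCK_LOG: List[str] = []


@dataclass
class Verdict:
    domain: str
    answer: str      # IP returned to the client; "" when the name does not exist
    blocked: bool
    reason: str


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so 'Facebook.com.' and 'facebook.com' match."""
    return name.strip().rstrip(".").lower()


def parents(domain: str) -> Iterator[str]:
    """Yield the name and each parent zone: a.b.example -> a.b.example, b.example, example."""
    labels = domain.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def lookup(table: Dict[str, str], domain: str) -> Optional[str]:
    """Match the name or any parent, so an entry for malware.example also covers cdn.malware.example."""
    for candidate in parents(domain):
        if candidate in table:
            return table[candidate]
    return None


def categorize(domain: str, analyze: Callable[[str], bool]) -> Optional[str]:
    """Apply the three checks in order and return a category, or None if the site is uncategorized."""
    category = lookup(BLOCKLIST, domain)        # 1. previously identified as malicious
    if category is None:
        category = lookup(CRAWL_RESULTS, domain)  # 2. categorized by an earlier crawl
    if category is None and analyze(domain):    # 3. never crawled: real-time analysis decides
        category = "malware"
    return category


def resolve(name: str,
            analyze: Callable[[str], bool] = lambda domain: False,
            policy: Set[str] = POLICY_BLOCKED) -> Verdict:
    """Answer a DNS query, redirecting blocked names to the block page.

    `analyze` stands in for the filter's real-time content analysis (a placeholder here).
    """
    domain = normalize(name)
    category = categorize(domain, analyze)
    if category == "malware" or category in policy:
        BLOCK_LOG.append(f"BLOCK domain={domain} category={category}")
        return Verdict(domain, BLOCK_PAGE_IP, True, f"blocked: {category}")
    ip = UPSTREAM.get(domain)
    if ip is None:
        return Verdict(domain, "", False, "NXDOMAIN")
    return Verdict(domain, ip, False, "allowed")


if __name__ == "__main__":
    for query in ["intranet.example", "CDN.malware.example.", "free-proxy.example", "brand-new.example"]:
        print(resolve(query))
    print("\n".join(BLOCK_LOG))
```

Two details matter in practice. Matching walks up through parent zones, so adding one entry for a malicious domain also covers the subdomains attackers typically rotate through. And the block decision is logged with its category, which is what lets the IT team see how often staff reach proxy or malware domains and tune the policy accordingly.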

Your internal IT team can implement DNS filtering or you can have a third-party provider do it for your business. If you want to impose more controls — to limit access to a greater variety of websites, for instance — you can set up an acceptable usage policy for your third-party provider to enforce.

Does DNS filtering block access to all malicious websites?

There is currently no way to prevent access to every malicious website in existence. That is, DNS filtering cannot completely eliminate the possibility that your staff will end up in malware-laden corners of the internet. But by blacklisting the majority of these sites, this solution can significantly reduce the risks to your business.

There are several reasons why DNS filtering isn’t perfect:

New malicious websites pop up all the time

Three websites are created every second, or over 250,000 every day. Of these, there’s no telling how many are safe and how many are unsafe. Therefore, DNS filters need some time to identify and blacklist new malicious sites. It is during this brief gap between a site’s creation and its recognition that an employee might visit an unsafe website. To address this, educate your staff on good online habits through regular cybersecurity awareness training.

Your staff may be able to bypass filters

Some of your employees can use proxy sites to evade controls and access websites otherwise prohibited by DNS filters. A quick solution to this problem is to restrict access to proxy sites.

Users may be able to modify DNS filters

If you are implementing the service yourself, tech-savvy staff may find a way to access your DNS filter settings and change them. Resolve this by locking down your DNS filter settings so they cannot be modified easily. Also, prevent access to the service by anyone other than members of your IT team.

DNS filtering is an effective preventive measure you can implement to protect your business from multiple cyberthreats. If you need help deploying and getting the most out of this service, our specialists at Fidelis will be more than glad to assist you. Meanwhile, read about other solutions that can protect your business from malware and other types of cyberthreats by downloading this free eBook today.
