Skip to Content
Network and Access

What is DNS filtering?

DNS filtering is the security layer that acts the moment a device tries to find the address of a site, the DNS step that precedes every connection. If the requested domain is malicious, known for hosting phishing, distributing malware or controlling an attack, the answer is blocked, and the connection is never made. It is the defense that stops the attack before the first contact.

Zamak TechnologiesUpdated on July 12, 2026

How DNS filtering works

Every time someone types an address or clicks a link, the device first asks DNS what the number (the IP) of that domain is. DNS filtering steps in at exactly that instant: it evaluates the requested domain against threat intelligence and policies before returning the answer.

1

Intercepts the DNS question

Before any connection, the device queries DNS to resolve the domain. Filtering evaluates that request instead of answering it blindly.

2

Checks threat intelligence

It compares the domain against updated reputation lists and risk categories: phishing sites, malware distribution, attack control and improper content.

3

Allows, blocks or redirects

If the domain is safe, it returns the address normally; if it is malicious, it returns a block response and the connection never happens.

4

Logs every query

The history of DNS queries becomes evidence to investigate an incident and for threat hunting, showing what was attempted and from where.

Source: joint NSA and CISA guidance on Protective DNS (2025) and the N-able Cyber Encyclopedia (DNS filtering and how it differs from a secure web gateway).

Why blocking domains is not enough on its own

  • DNS filtering acts on the name, not the content. It blocks access to the malicious domain, but it does not inspect what travels inside an already authorized connection; that is what other layers are for.
  • A brand-new domain may not be on any list yet. Threat intelligence is fast, but the attacker changes domains all the time, and the window between registration and blocking exists.
  • Outside the company network, the device may use another DNS. Without a policy that follows the device wherever it is, the remote worker is left out of the protection.
  • It is a prevention layer, not a response one. It reduces the number of attacks that ever get started, but what gets through still requires endpoint, email and monitoring defenses.

What DNS filtering blocks

  • Phishing It blocks access to the domains that imitate banks, systems and brands to steal passwords, even when the link arrives in an email that got past the other filters.
  • Malware and malicious downloads It keeps the device from reaching the domains that distribute malicious programs, cutting the infection before the download.
  • Attack control When an already infected device tries to 'call home' to receive orders, filtering drops that call and stalls the advance of the attack, including ransomware.
  • Content and productivity Beyond security, it applies browsing policies by category and time, keeping internet use aligned with work.

Why the DNS layer is the cheapest defense

44%
of breaches involve ransomware, up from 32% the year before, and DNS filtering drops the control communication of those attacks (Verizon DBIR 2025)
14%
of breaches start with phishing, the vector DNS filtering blocks at the click (Verizon DBIR 2025)
$ 4.44M
is the global average cost of a data breach (IBM, 2025)

Almost every attack needs, at some point, to resolve a domain: to take the victim to the fake site, to download the malicious program or for the infected device to receive orders. That is why the NSA and CISA recommend Protective DNS as a first-line preventive defense: it cuts the attack at the cheapest point, before the first contact. The weight of this shows up in the numbers: ransomware is now in 44% of breaches, up from 32% the year before (Verizon DBIR 2025), and it depends on control communication that DNS filtering drops; phishing starts about 14% of breaches (Verizon DBIR 2025), and a blocked fake domain is a scam that never happens. Blocking a malicious domain costs a fraction of containing a breach, which runs, on average, $ 4.44 million (IBM, 2025).

How to apply DNS filtering effectively

DNS filtering delivers the most when it covers everyone, everywhere, and feeds the investigation:

  1. Cover every deviceThe protection is only worth it if it is on the whole network and on every device. A single device outside the policy is the gap the attack comes through.
  2. Follow the remote userWork has left the office. The policy has to follow the device home and on travel, not stay tied to the company network.
  3. Keep the intelligence updatedMalicious domains are born and die in hours. The value is in the threat intelligence that updates continuously, not in a static list.
  4. Use the logs to investigateThe history of DNS queries shows what was attempted and from where, raw material to respond to an incident and hunt threats.
  5. Combine with the other layersDNS filtering reduces the volume of attacks that ever get started, but it works together with email, endpoint and monitoring defenses, never alone.

In practice

The cheapest attack to stop is the one that dies before it is born: a click on a malicious domain that simply does not resolve. The defense that acts on the first step avoids the cost of every step that follows.

How Zamak protects browsing

Zamak Technologies operates DNS filtering as part of managed web protection: threat intelligence always up to date, a policy that follows the device inside and outside the office, and the log of queries feeding the investigation, alongside your team and not in its place. A cybersecurity assessment shows where browsing still exposes the company. This protection is part of the managed Cybersecurity of the Zamak Method.

Frequently asked questions about DNS filtering

Is DNS filtering the same as a firewall or antivirus?
No, it is a different and complementary layer. The firewall controls the network connections; the antivirus and endpoint defense watch the file and the device; DNS filtering acts before all of that, the moment the domain is resolved, keeping the malicious connection from ever being made.
Does DNS filtering stop ransomware?
It helps directly. Many ransomware attacks depend on control communication and on malicious domains to download the code and receive orders; DNS filtering drops those connections and can interrupt the attack before it advances. It is not the only defense, but it is one of the cheapest and most effective.
Does it work for people who work outside the office?
Yes, as long as the policy follows the device. Modern protection follows the device home and on travel, and does not stay tied to the company network, which is essential when much of the work happens outside the office.
What is Protective DNS?
It is the name the NSA and CISA give to DNS filtering used as a security defense: a resolver that evaluates each query against threat intelligence and blocks the malicious domains. Both agencies recommend it as a first-line preventive layer.
Does DNS filtering see what travels on the sites?
No, and that is how it differs from a secure web gateway. DNS filtering decides at the domain level, whether it can be accessed or not, without inspecting the page content. It is lighter and faster, and that is why it works as a broad first layer.
Does it also help control internet use?
Yes. Beyond security, DNS filtering applies browsing policies by category and time, which helps keep internet use aligned with work, with a report of what was accessed and blocked.