Guide · DNS Security Basics

What Is DNS Filtering?

A plain-English guide to how DNS filtering — also called protective DNS — blocks malware, phishing, and ransomware before a single page can load.

Every time you visit a website, your device first has to look up the name. The Domain Name System (DNS) is the internet's address book: it translates a human-friendly name like example.com into the numeric IP address a computer needs to connect.

DNS filtering inserts a security check into that lookup. Before a domain is resolved, a filtering resolver decides whether the destination is safe and allowed. If it is not — a known malware host, a phishing page, a ransomware callback, or a category your policy blocks — the lookup is refused and the page never loads. Because the defense happens before the connection is even made, the threat is stopped at the earliest possible moment.

This approach is often called protective DNS, and it is one of the most cost-effective security layers a small or mid-size business can add. You can see DNS resolution for yourself with our free DNS Lookup tool.

How It Works

How DNS Filtering Works, Step by Step

Step 1

A device makes a DNS request

When a user clicks a link or an app phones home, the device first asks a DNS resolver to translate the domain name (like example.com) into an IP address.

Step 2

The filtering resolver checks the domain

Instead of a plain resolver, the request goes to a filtering resolver that checks the domain against live threat intelligence and content-category data.

Step 3

Safe lookups resolve, bad ones are blocked

If the domain is safe and allowed, it resolves normally. If it is malicious or against policy, the resolver answers with the address of a block page instead of the real IP, so the connection to the real destination is never made.

Step 4

Everything is logged

Each allow and block is recorded, giving you visibility into threats stopped, top categories, and per-user web activity for security and compliance.
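
The four steps above, sketched as a small policy engine in Python. This is an added illustration, not code from Inventive HQ, DNSFilter, or DefensX. The feed contents, client names, block-page address, and in-memory upstream table are all constructed assumptions standing in for live threat intelligence and a real recursive resolver.

```python
from collections import Counter

# All data below is constructed: reserved .example names, RFC 5737 addresses.
THREAT_FEED = {"malware-cdn.example": "malware",
               "login-verify.example": "phishing",
               "c2-callback.example": "ransomware-c2"}
CATEGORY_FEED = {"casino.example": "gambling"}
BLOCKED_CATEGORIES = {"gambling", "adult"}   # acceptable-use policy
BLOCK_PAGE_IP = "192.0.2.1"                  # hypothetical block-page server
UPSTREAM = {"intranet.example": "198.51.100.10",
            "www.casino.example": "198.51.100.20",
            "dl.malware-cdn.example": "203.0.113.66"}

def normalize(qname):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return qname.strip().rstrip(".").lower()

def classify(qname, feed):
    """Match the name or any parent, so dl.bad.example inherits bad.example."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        hit = feed.get(".".join(labels[i:]))
        if hit:
            return hit
    return None

def resolve(client, qname, log):
    """Steps 2-4: check the domain, answer or block, record the decision."""
    threat = classify(qname, THREAT_FEED)
    category = classify(qname, CATEGORY_FEED)
    if threat or category in BLOCKED_CATEGORIES:
        action, reason, answer = "block", threat or category, BLOCK_PAGE_IP
    else:
        action, reason = "allow", category or "uncategorized"
        answer = UPSTREAM.get(normalize(qname))  # None models "no such name"
    log.append({"client": client, "qname": normalize(qname),
                "action": action, "reason": reason})
    return answer

def summarize(log):
    """Step 4 reporting: blocks per reason and per client."""
    blocks = [e for e in log if e["action"] == "block"]
    return {"blocked": len(blocks),
            "by_reason": Counter(e["reason"] for e in blocks),
            "by_client": Counter(e["client"] for e in blocks)}

if __name__ == "__main__":
    log = []
    print(resolve("laptop-1", "DL.Malware-CDN.example.", log), summarize(log))
```

Matching on parent domains and normalizing case and the trailing dot matter in practice: without them, a lookup for a subdomain or a differently cased name would slip past an exact-match blocklist.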

What It Blocks

What DNS Filtering Stops

Malware distribution domains

The sites that host payloads and exploit kits — blocked before any file is fetched.

Phishing & credential-harvesting pages

Lookalike and newly-registered domains that try to steal logins.

Ransomware command-and-control

The callback lookups malware uses to receive instructions and exfiltrate data.

Policy-violating content

Adult, gambling, and other categories restricted by acceptable-use or compliance rules.

Many of these threats begin with a spoofed or lookalike domain. You can screen one yourself with our free Domain Spoofing Detector.

Where It Fits

DNS Filtering vs. Firewalls and Antivirus

  • DNS filtering acts first — at the name-resolution stage, before any connection is established. It blocks the lookup so the bad page never loads.
  • A firewall acts on network traffic, controlling what is allowed in and out once a connection is being attempted.
  • Antivirus / endpoint protection acts last — inspecting files and behavior on the device itself to catch anything that slipped past the earlier layers.

These are layers, not alternatives. DNS filtering pairs especially well with managed email security — closing the two paths attackers use most — and with 24/7 detection & response to catch whatever still gets through.

It Follows Your Users Everywhere

With a roaming agent, the same filtering policy protects laptops on home Wi-Fi, in hotels, and on public networks — no VPN backhaul, no gap when someone leaves the office. For a remote and hybrid workforce, that off-network coverage is often the single biggest reason to deploy DNS filtering.

FAQ

DNS Filtering & DNS Security FAQ

What is DNS filtering in simple terms?

DNS filtering is a security control that checks every website lookup a device makes and blocks the ones that are dangerous or against policy. Because it works at the moment a domain name is resolved — before any connection happens — the harmful page simply never loads.

What is DNS security?

DNS security is the broader practice of protecting and using the Domain Name System to defend an organization. Protective DNS — the kind of DNS filtering covered here — is one of its most practical forms: it turns DNS resolution itself into an enforcement point that blocks malicious and unwanted destinations.

How is DNS filtering different from a firewall?

A firewall inspects and controls network traffic, often after a connection has been initiated. DNS filtering acts one step earlier, at the name-resolution stage, so a blocked domain never even reaches the connection stage. The two are complementary layers, not substitutes.

Does DNS filtering slow down browsing?

No. Modern filtering resolvers are globally distributed and answer lookups in milliseconds — often as fast as or faster than a default ISP resolver. Users typically notice nothing except that bad sites quietly fail to load.

Can it protect laptops that leave the office?

Yes. A lightweight roaming agent applies the same filtering policy on devices wherever they connect — home, hotels, public Wi-Fi — without routing traffic through a VPN. This off-network coverage is one of the biggest reasons businesses adopt DNS filtering.

Is DNS filtering enough on its own?

It is a high-value layer, but not a complete program. It pairs best with managed email security, endpoint protection, and 24/7 detection and response so that anything DNS does not catch is stopped elsewhere.

Ready to put it to work? See how Inventive HQ deploys and manages protective DNS with DNSFilter and DefensX on our DNS Filtering & Web Security service page.

See What DNS Filtering Would Stop on Your Network

Get a free, no-obligation web security assessment from Inventive HQ and find out which threats DNS filtering would block for your team — in the office and on the road.