DNS filtering is the process of using the Domain Name System to block malicious websites and filter out harmful or inappropriate content. This ensures that company data remains secure and allows companies to have control over what their employees can access on company-managed networks. DNS filtering is often part of a larger access control strategy.
The Domain Name System, or DNS, matches domain names, like cloudflare.com, to IP addresses, like 192.0.2.24. DNS is necessary in order to allow users to access websites without memorizing confusing lists of numbers – just as a person is able to store their friends' phone numbers in their smartphone contacts list instead of memorizing every individual phone number
Anytime a user opens up a website or accesses a web application, the process of loading the content only starts after the user's device has looked up the correct IP address. These are the steps of discovering an IP address so that a website can load:
DNS is an essential part of accessing web content – no content can load before the DNS process occurs. This makes DNS filtering an effective way to exert control over what content users can access.
All DNS queries go to a DNS resolver. Specially configured DNS resolvers can also act as filters by refusing to resolve queries for certain domains that are tracked in a blocklist, thus blocking users from reaching those domains. DNS filtering services can also use an allowlist instead of a blocklist (more below).
Suppose a company employee receives a phishing email and is tricked into clicking a link that leads to malicious-website.com. Before the employee's computer loads the website, it first sends a query to the company's DNS resolving service, which uses DNS filtering. If that malicious site is on that company’s blocklist, the DNS resolver will block the request, preventing malicious-website.com from loading and thwarting the phishing attack.
DNS filtering can blocklist web properties either by domain name or by IP address:
By domain: The DNS resolver does not resolve, or look up, the IP addresses for certain domains at all.
By IP address: The DNS resolver attempts to resolve all domains, but if the IP address is on the blocklist, the resolver will not send it back to the requesting device.
DNS filtering may also blocklist domains that are not necessarily used for malware or phishing attacks, but that host forbidden or inappropriate content. For instance, a company may wish to add websites that host adult content to their DNS filtering blocklist.
The reverse of a blocklist, an allowlist is a list of allowed domains or IP addresses. All domains or IP addresses that are not on the allowlist are blocked.
DNS filtering can help keep malware, or malicious software, out of company networks and off of user devices. It can also help block some kinds of phishing attacks.
DNS filtering can prevent these kinds of attacks by blocking users from loading malicious webpages at all.
A phishing website is a fake website that is set up to steal login credentials in phishing attacks. The domain used could be a spoofed domain or just an official-looking domain that most users will not think to question. Regardless of the method, the goal is to fool the user into giving their account credentials to an attacker. These websites can be blocked using DNS filtering.
These capabilities are dependent upon the DNS filtering system knowing to identify the malicious IP addresses or domains as bad. While DNS filtering can block this malicious activity, attackers generate new domains very quickly and it is not possible to blocklist all of them.
The process for restricting access to certain kinds of content is similar to the process described above; IP addresses or domain names that are known to host prohibited content are blocklisted, and users cannot access them. Alternatively, company-approved websites can be added to an allowlist, with DNS filtering blocking all other websites.
A secure DNS server is a DNS resolver that blocks malicious or prohibited websites as part of a DNS filtering service. Some secure DNS servers also offer increased privacy to protect user data; Cloudflare, for example, offers a DNS resolving service called 188.8.131.52 that purges all DNS query logs after 24 hours.
Along with DNS filtering, there are additional ways of making the DNS process more secure, since DNS was not designed with security in mind. The DNSSEC protocol helps verify that DNS resolvers provide accurate information and have not been compromised by an attacker. The DNS over TLS (DoT) and DNS over HTTPS (DoH) protocols encrypt DNS queries and responses so that attackers cannot stalk a user's DNS queries and track the websites they visit.
Web filtering is a broad term that can refer to a number of methods for controlling web traffic. DNS filtering is one type of web filtering. Other kinds of web filtering include URL filtering, keyword filtering, and content filtering.
Cloudflare offers an authoritative DNS service, a public DNS resolver, and, for companies that want to restrict what employees access on the Internet, DNS filtering capabilities. Cloudflare Gateway is a secure web gateway that includes DNS filtering, along with browser isolation and other technologies that keep internal users secure. Learn more about Cloudflare Gateway, or how secure web gateways work.