DNS filtering blocks access to malicious, phishing, and inappropriate websites at the network level before they ever load in a browser. It is one of the simplest and most cost-effective security layers you can add to your office network, and when applied at the router it covers every device on the network without installing anything on individual computers.
This guide explains how DNS filtering works in plain terms, what it protects against, how to set it up, and where it fits alongside your other security tools.
How DNS Works (the 30-Second Version)
Every time you type a website address into your browser or click a link, your computer needs to translate that human-readable name (like athencia.com) into a numerical IP address that the internet actually uses to route traffic. Your computer does this by sending a request to a DNS (Domain Name System) server, which acts like a phone book for the internet.
By default, your computer uses whatever DNS server your router hands out, which is usually your ISP's. That server resolves every request without filtering. It does not know or care whether the name you asked for belongs to a legitimate site or to a phishing page built to steal your password.
DNS filtering replaces your ISP's DNS with a filtering service that checks every request against a constantly updated database of known malicious, phishing, and unwanted domains. If the name is on the block list, the resolver refuses to hand back the real address, so the site never loads. What the user sees depends on the service: some answer with a harmless address such as 0.0.0.0, some answer that the name does not exist, and some point the browser at a block page explaining that the site was flagged as unsafe. For HTTPS sites the browser usually shows a connection or certificate error rather than a branded block page, because a block page cannot present a valid certificate for the blocked domain unless the provider's certificate has been installed on the device.
The key benefit is that this happens before any content is downloaded. The malicious page never loads, the phishing form never appears, and the malware never gets a chance to execute. It is a preventive control, not a reactive one.
What DNS Filtering Protects Against
DNS filtering is effective against several categories of threats that small businesses commonly encounter:
Known malware domains. Security researchers and threat intelligence services maintain databases of websites that distribute malware, ransomware, and spyware. DNS filtering blocks access to these sites, preventing employees from accidentally downloading malicious software by clicking a bad link in an email or search result.
Phishing sites. Phishing attacks often direct victims to fake login pages that look identical to Microsoft 365, banking portals, or other services. DNS filtering can block access to these fake sites before the employee ever sees the login form, reducing the risk of stolen credentials.
Command and control servers. If a device on your network is already compromised (by malware that slipped through other defenses), that malware typically needs to contact a command and control server to receive instructions or exfiltrate data, and it usually locates that server by domain name. DNS filtering blocks the lookup, so the malware cannot reach its operator even though it is still on the device. This is an important layer because it limits the damage when other protections fail. It is containment, not a cure: malware that connects to a hard-coded IP address or tunnels its lookups over DNS over HTTPS never asks your resolver, and the device still needs to be cleaned.
Newly registered domains. Attackers frequently register brand-new domains just days before using them in an attack. Some DNS filtering services can block domains that have been registered for less than a set period (commonly 30 days; the threshold varies by provider), which catches much attack infrastructure before it has been categorized as malicious. Expect occasional false positives from legitimate new businesses and handle them with an allowlist.
Inappropriate content. Beyond security, DNS filtering can optionally block access to categories of websites that are not appropriate for the workplace, such as adult content, gambling, or social media during business hours. This is configurable, so you can decide which categories to block based on your workplace policies.
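To make the decision process behind the categories above concrete, here is a small added example (not code from the page or from any DNS filtering vendor) that models how a filtering resolver decides each query: it matches the name and every parent domain against its lists, lets an allowlist entry win, applies a newly-registered-domain age rule, and blocks categories either always or only inside a time window. All domain names, registration dates, category assignments and the 30-day threshold are constructed sample data; real services populate them from threat intelligence and registration records.

```python
"""Toy model of a filtering resolver's allow/block decision.

Added example: this is not any vendor's engine or code from the page. Every
list, date and threshold below is constructed sample data.
"""
from datetime import date, time

# Constructed sample data (hypothetical names; none is a real site).
BLOCKLIST = {
    "evil.example": "malware",
    "login-micros0ft.example": "phishing",
    "c2.bad.example": "c2",
}
ALLOWLIST = {"partner.example", "safe.evil.example"}
CATEGORY_OF = {"social.example": "social", "casino.example": "gambling"}
REGISTERED_ON = {"fresh.example": date(2024, 3, 10), "evil.example": date(2019, 1, 1)}
NRD_MAX_AGE_DAYS = 30
# Category policy: None means block at all hours, a (start, end) pair means
# block only inside that window (e.g. social media during business hours).
BLOCKED_CATEGORIES = {"gambling": None, "social": (time(9, 0), time(17, 0))}


def candidates(name):
    """Yield the name and each parent domain: a.b.c -> a.b.c, b.c, c.

    Matching on whole labels is what makes a block on evil.example cover
    www.evil.example but not evil.example.attacker.example.
    """
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def decide(name, today, now):
    """Return ("allow" | "block", reason) for one DNS query name."""
    names = list(candidates(name))
    for cand in names:                      # allowlist takes precedence
        if cand in ALLOWLIST:
            return "allow", "allowlisted:" + cand
    for cand in names:                      # known-bad domain or any parent
        if cand in BLOCKLIST:
            return "block", BLOCKLIST[cand]
    for cand in names:                      # newly registered domain rule
        registered = REGISTERED_ON.get(cand)
        if registered is not None and (today - registered).days < NRD_MAX_AGE_DAYS:
            return "block", "newly-registered"
    for cand in names:                      # content category policy
        category = CATEGORY_OF.get(cand)
        if category in BLOCKED_CATEGORIES:
            window = BLOCKED_CATEGORIES[category]
            if window is None or window[0] <= now < window[1]:
                return "block", "category:" + category
    return "allow", "no-match"


if __name__ == "__main__":
    for query in ("www.evil.example", "evil.example.attacker.example",
                  "safe.evil.example", "fresh.example", "social.example"):
        print(query, "->", decide(query, date(2024, 3, 20), time(10, 0)))
```

The order of the checks is the policy: an allowlist entry for a subdomain overrides a block on its parent, the block list is consulted before the age rule so a known-bad domain is reported as such rather than merely "new", and category rules run last because they are workplace policy rather than security.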
How DNS Filtering Fits with Your Other Security Tools
DNS filtering is one layer in a multi-layered security approach. It does not replace your other tools, but it complements them in an important way.
Think of it this way: your endpoint protection (like Microsoft Defender for Business, which is included with Microsoft 365 Business Premium) catches threats that reach the device. DNS filtering prevents many of those threats from reaching the device in the first place. If your business also uses Huntress Managed EDR for 24/7 threat monitoring, DNS filtering reduces the volume of threats that Huntress needs to investigate by blocking the low-hanging fruit at the network level.
The combination of DNS filtering (blocking malicious sites before they load), endpoint protection (catching threats that make it to the device), and managed EDR (human threat hunters investigating suspicious activity) creates overlapping protection where each layer catches what the others might miss.
DNS Filtering Options for Small Businesses
There are several DNS filtering services that work well for small businesses, ranging from free to affordable paid options:
Cloudflare Gateway (Zero Trust). Cloudflare offers a free tier for small teams that is easy to configure and uses one of the fastest DNS networks in the world. The paid tiers add more granular controls and logging.
Cisco Umbrella (formerly OpenDNS). An established product with strong threat intelligence. Cisco Umbrella is available through managed service providers and offers detailed reporting. This is a paid service with per-user pricing.
DNSFilter. A cloud-based service with affordable per-user pricing and AI-powered threat detection. Good reporting and easy to manage.
NextDNS. A privacy-focused option with a generous free tier and highly customizable filtering rules. Good for businesses that want granular control over what is blocked.
Built-in firewall DNS filtering. Many business-grade firewalls, including FortiGate and SonicWall, include DNS or web filtering as a built-in feature. If you already have one of these firewalls, check whether DNS filtering is included in your license before purchasing a separate service.
Free baseline option. For the simplest possible protection, you can configure Cloudflare's malware-blocking DNS (1.1.1.2 and 1.0.0.2) or Quad9 (9.9.9.9 and 149.112.112.112) on your router at no cost. These block known malicious domains but do not offer the reporting, customization, or category-based filtering that paid services provide, and because there is no account behind them, they cannot tell you which device tried to reach a blocked site.
How to Set It Up: Protecting the Whole Office (Router Level)
The fastest way to deploy DNS filtering for your entire office is to change the DNS settings on your router. This ensures that every device connected to your office network uses the filtering DNS automatically, without touching any individual devices.
Log in to your router's admin interface. This is typically at 192.168.1.1 or 192.168.0.1 in your browser. Enter your admin credentials.
Navigate to the DNS settings. Depending on your router, these may be under WAN, Internet, Network Settings, or DHCP Settings. Look for fields labeled "Primary DNS" and "Secondary DNS" or "DNS Server 1" and "DNS Server 2." Many routers have two such places: the WAN (Internet) setting controls which upstream resolver the router itself forwards to, while the DHCP (LAN) setting controls which resolver addresses are handed to devices. Setting the WAN entry keeps devices pointed at the router, which forwards to the filter; setting the DHCP entry sends devices to the filter directly. Either works, but make sure the two do not disagree, or some lookups will skip the filter.
Replace the existing DNS server addresses with the addresses from your chosen DNS filtering provider. For example, if you are using Cloudflare's malware-blocking DNS, enter 1.1.1.2 as the primary and 1.0.0.2 as the secondary. If you are using a paid service like Cisco Umbrella or DNSFilter, they will provide you with custom DNS addresses tied to your account.
Click Save or Apply to commit the changes. Some routers require a restart for DNS changes to take effect. If you changed the router's upstream (WAN) resolver, new lookups from every device go through the filter at once (the router may serve a few cached answers first). If you changed the DHCP-advertised resolvers, devices pick up the new addresses when they renew their lease, usually within a few minutes or immediately after reconnecting to Wi-Fi.
To verify it is working, try visiting a known test page. Most DNS filtering providers offer a test URL that should display a block page if filtering is active. For example, Cloudflare provides a test at malware.testcategory.com that should be blocked when using their malware-filtering DNS. You can also check from a command prompt with nslookup malware.testcategory.com: Cloudflare's malware-blocking resolvers answer 0.0.0.0 for a blocked name, and Quad9 answers that the name does not exist (NXDOMAIN). Run the check from a device that received its settings from the router, not from the router itself, so you are testing the same path your users take.
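The check above goes through a browser or nslookup. The script below is an added example (not from the page or any provider) that makes the same check at the protocol level: it builds a raw DNS A query for the test name with Python's standard library, sends it to whichever resolver you name, and interprets the answer. It assumes the behaviour those providers document: Cloudflare's 1.1.1.2 answers 0.0.0.0 for a blocked name and Quad9 answers NXDOMAIN; any other address is reported as either unfiltered or a provider block page, which the script cannot tell apart. Point it at your router's LAN address to test the office setup from a client, or at a provider address to test the provider directly. The packet builder and parser work on raw bytes, so they can be exercised offline.

```python
"""Ask a resolver directly for the filtering test name and classify its answer.

Added example, not code from the page or from any DNS provider. Builds a
plain UDP DNS query with the standard library so no third-party module is
needed. Assumptions (documented by the providers): Cloudflare 1.1.1.2 returns
0.0.0.0 for a blocked name; Quad9 returns NXDOMAIN (rcode 3).
"""
import socket
import struct
import sys

TEST_NAME = "malware.testcategory.com"   # Cloudflare's malware test domain


def build_query(name, txid=0x1234):
    """Standard query, recursion desired, one question of type A, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(msg, txid=0x1234):
    """Return (rcode, [IPv4 addresses from A records]) for a DNS response."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):                    # skip the echoed question
        off = skip_name(msg, off) + 4      # QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:      # A record
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return rcode, addrs


def classify(rcode, addrs):
    """Turn a parsed answer into a human-readable filtering verdict."""
    if rcode == 3:
        return "blocked (NXDOMAIN, e.g. Quad9)"
    if rcode != 0:
        return "error (rcode %d)" % rcode
    if addrs and all(a == "0.0.0.0" for a in addrs):
        return "blocked (0.0.0.0, e.g. Cloudflare 1.1.1.2)"
    if not addrs:
        return "no A record (check the name or the resolver)"
    return "answered with %s: not filtered, or a provider block page" % ", ".join(addrs)


def check_resolver(resolver, name=TEST_NAME, timeout=3.0):
    """Send the query over UDP to resolver:53 and classify what comes back."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, 53))
        data, _ = sock.recvfrom(512)
    return classify(*parse_response(data))


if __name__ == "__main__":
    # Pass your router's LAN address (for example 192.168.1.1) to test the
    # office setup, or a provider address such as 1.1.1.2 or 9.9.9.9.
    target = sys.argv[1] if len(sys.argv) > 1 else "1.1.1.2"
    print(target, "->", check_resolver(target))
```

Run it against the router from a client machine; if the verdict is "answered with" an ordinary address, the device is not reaching a filtering resolver and the DHCP or WAN setting from the previous steps has not taken effect.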
How to Set It Up: Protecting Roaming Laptops (Per-Device)
Router-level DNS filtering only protects devices while they are connected to your office network. Laptops that employees take home, to client sites, or to coffee shops are not protected once they leave the office.
To extend DNS filtering to roaming devices, most filtering services offer a lightweight agent that installs on each device and redirects DNS queries to the filtering service regardless of which network the device is on.
Cloudflare WARP is the agent for Cloudflare Gateway. Cisco Umbrella Roaming Client extends Umbrella protection to off-network devices. DNSFilter Agent does the same for DNSFilter. These agents run quietly in the background and do not noticeably affect device performance.
If your devices are managed through Microsoft Intune (included with Microsoft 365 Business Premium), you can deploy the DNS filtering agent to all managed devices automatically. In the Intune admin center, navigate to Apps > All apps > Add, choose the app type that matches the vendor's installer (Windows app (Win32) for a packaged .intunewin file, Line-of-business app for a plain .msi), upload it, and assign it as Required to the device groups that need protection. The agent installs silently the next time each device checks in. Vendors typically require an organization ID or enrollment key as an install parameter so the agent attaches to your account; copy that value from the provider's console into the install command when you add the app.
This approach ensures that every company-managed device is protected by DNS filtering whether it is in the office, at home, or on public Wi-Fi.
What DNS Filtering Does Not Do
DNS filtering is a valuable security layer, but it is important to understand its limits so you do not rely on it for things it was not designed to handle.
DNS filtering is not a firewall. It only blocks based on domain names. It does not inspect all network traffic, block port scans, or prevent unauthorized access to your network.
DNS filtering does not inspect page content. It either allows or blocks an entire domain. If a legitimate website is compromised and serves malware on a single page, DNS filtering will not catch it unless the domain itself is flagged.
DNS filtering does not replace endpoint protection. You still need antivirus or EDR software on each device to catch threats that arrive through means other than web browsing, such as USB drives or email attachments.
DNS filtering can be bypassed. A tech-savvy user could manually change their device's DNS settings to bypass the filter, and modern browsers can be set to use DNS over HTTPS, which sends lookups to the browser's chosen resolver over port 443 and never touches your router's DNS at all. The per-device agent approach prevents the first bypass, which is one reason it is recommended for managed devices, and on managed devices you can also turn off browser DNS over HTTPS through policy. On unmanaged devices, router-level filtering can be bypassed by anyone who knows how to change their DNS settings. If your firewall supports it, block outbound DNS (UDP and TCP port 53) from the office network to any address other than your filtering resolvers, so that a changed setting simply fails instead of escaping the filter.
DNS filtering does not protect against email-based threats. Phishing emails with malicious attachments or links to newly created domains that have not yet been categorized may still get through. Email security and user awareness training are separate, necessary layers.
Need Help?
DNS filtering is one of the highest-impact, lowest-effort security improvements you can make for your office network. If you want help choosing the right provider, configuring it on your network, or deploying agents to your devices, contact Athencia. We will get it set up and make sure it is working correctly across your entire environment.