DNS Internet Filter

You can keep hackers at bay with a firewall, you can block email threats with a spam filter, and a DNS internet filter allows you to control the websites your employees can access and block web-based threats such as exploit kits, drive-by malware downloads, and phishing attacks.

How Does a DNS Internet Filter Work?

When a user tries to visit a website, the site's IP address must be found before a connection can be made. The Domain Name System (DNS) is used to find that IP address. A request is sent to a recursive DNS server, which contacts other servers looking for the IP address. The domain name is then matched with its IP address, and the IP address is passed to the browser.

With a DNS internet filter in place, when the request is sent to a DNS server, before the IP address is returned, filtering controls are applied. A check is performed to see if the URL is on a blacklist of sites. Checks will also be performed to determine if the website violates administrator-defined policies. If these checks are passed, the user will be allowed to access the desired web resource. If any of the checks fail, the IP address will not be provided and the user will be directed to a DNS block page that informs them the website cannot be displayed.

Will a DNS Filter Block all Malware and Ransomware Threats?

A DNS filter will reduce the risk of a malware or ransomware infection, but it will not block all web-based threats. A DNS filter can only be used to block websites known to be used for malicious purposes and sites with questionable reputations. DNS internet filters can also be configured to block attempts to download certain types of files, such as executable files, to reduce the risk of a malware infection and to prevent the installation of shadow IT.

With a DNS filter in place, the risk of a malware download or phishing attack can be significantly reduced, but it is still important to provide security awareness training to employees and to implement endpoint security solutions on all devices.

Is it Possible to Bypass a DNS Internet Filter?

To implement a DNS filtering service, you simply change your DNS settings to point to your service provider's DNS server. DNS filtering services will only work if the service provider's DNS servers are used, so an end user who wants to bypass a DNS block needs to use a different DNS server, which they could do by changing the DNS settings on their computer. You must therefore lock down your DNS settings to make sure they cannot be changed.

It is also possible to bypass a DNS filter using an anonymizer service. As far as the DNS filter is concerned, the user will be on the anonymizer website, not the actual website they are viewing. However, most category-based DNS filters allow users to block access to anonymizer services.

Determined employees may be able to find a way to bypass DNS-based filters, so it is important to make it clear that attempts to do so will result in sanctions. For most employees, however, the safeguards that can be implemented to prevent DNS filter bypasses will be sufficient.

How Much Does a DNS Internet Filter Cost?

A DNS filtering solution will cost substantially less than a phishing attack or malware infection and the productivity gains that can be made from limiting access to certain types of websites mean a DNS-based internet filtering solution will more than pay for itself.

The cost of a DNS internet filter can vary considerably from provider to provider. For a product such as Cisco Umbrella, a business may have to pay $3 per user per month. Lower-cost solutions such as WebTitan Cloud are approximately $1 per user, per month. For most businesses, the lower-cost solution will provide ample protection from web-based threats while allowing them to easily apply content controls.


Can I use a DNS filter to secure wireless access points?

The servers of DNS filtering service providers are used to perform all filtering and those servers can be accessed from any location. A DNS filtering service can be used to protect wired networks and access points at any location. Different filtering controls can be applied to different locations, as well as for departments, user groups, and individual users.

Can I block access to specific websites with a DNS filter?

DNS filters use blacklists to block access to a specific website or URL. For example, if you run a retail outlet and offer Wi-Fi to customers, you may want to block access to Amazon.com to stop in-store price comparisons. Whitelists are also supported, which ensure that a URL or website can always be accessed, even if it violates other filtering policies.
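The lookup-time checks described under "How Does a DNS Internet Filter Work?" together with the blacklist and whitelist behaviour above, sketched as an added example that is not code from any filtering product. All domain names, categories and addresses are constructed, the `Policy` and `decide` names are hypothetical, and each location or user group is modelled as its own `Policy` object.

```python
from dataclasses import dataclass, field

BLOCK_PAGE_IP = "192.0.2.10"  # constructed: address that serves the DNS block page

@dataclass
class Policy:
    """Filtering policy for one location or user group (all values constructed)."""
    whitelist: set = field(default_factory=set)
    blacklist: set = field(default_factory=set)
    blocked_categories: set = field(default_factory=set)

# Constructed category feed; a filtering service maintains the real database.
CATEGORIES = {
    "anonymizer.example": "anonymizer",
    "shop.example": "shopping",
    "malware.example": "malware",
}

def normalize(name):
    """Lower-case and drop the trailing root dot so comparisons are stable."""
    return name.strip().lower().rstrip(".")

def parents(name):
    """Yield the name and each parent domain: a.b.example, b.example, example."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])

def matches(name, domains):
    """True if the name or a parent domain is listed (label-aligned, not substring)."""
    return any(p in domains for p in parents(name))

def decide(name, policy, upstream):
    """Return (action, answer_ip, reason) for one query.

    upstream is the normal recursive lookup; it is only called for allowed names,
    so a blocked name never has its real IP address returned.
    """
    if matches(name, policy.whitelist):  # whitelist wins over every other rule
        return ("allow", upstream(name), "whitelist")
    if matches(name, policy.blacklist):
        return ("block", BLOCK_PAGE_IP, "blacklist")
    for p in parents(name):
        cat = CATEGORIES.get(p)
        if cat in policy.blocked_categories:
            return ("block", BLOCK_PAGE_IP, "category:" + cat)
    return ("allow", upstream(name), "default")
```

Matching on whole labels matters: a blacklist entry for `shop.example` covers `www.shop.example` but must not catch `notshop.example`.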

I am not technically gifted, is setting up DNS filtering complicated?

While there are DNS filtering solutions for large enterprises that provide an extensive suite of security features, most cloud-based DNS filters are easy to implement and set up. Simply point your DNS to the service provider, access the administration panel, and click on the categories of website you want to block. Setup will take just a few minutes and does not even require any software downloads.

Is it possible to bypass DNS filtering controls?

It is possible to set up your DNS filter to make it difficult for users to bypass filtering controls, such as blocking access to anonymizer websites. This can be done with the click of a mouse in the category filters. The filters can be bypassed by changing the DNS servers, so it is recommended that you lock down those settings to prevent them from being changed by your employees.
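Both bypass sections on this page come down to a client using a DNS server other than the filtering provider's, so a useful check is whether any device is doing that. The following added example (not from the original page or any product) scans a constructed firewall flow log for DNS traffic to unapproved resolvers; the log format, addresses and function names are assumptions.

```python
from collections import Counter

# Constructed values: the filtering provider's resolver addresses.
APPROVED_RESOLVERS = {"198.51.100.53", "198.51.100.54"}
DNS_PORTS = {53, 853}  # plain DNS over UDP/TCP, and DNS over TLS

# Constructed flow log, one flow per line: time src dst proto dport action
SAMPLE_LOG = """\
2024-05-01T09:00:01 10.0.0.21 198.51.100.53 udp 53 allow
2024-05-01T09:00:03 10.0.0.37 203.0.113.8 udp 53 allow
2024-05-01T09:00:04 10.0.0.37 203.0.113.8 udp 53 allow
2024-05-01T09:00:09 10.0.0.21 203.0.113.80 tcp 443 allow
2024-05-01T09:01:12 10.0.0.44 203.0.113.9 tcp 853 deny
truncated line
"""

def parse_flow(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    parts = line.split()
    if len(parts) != 6 or not parts[4].isdigit():
        return None
    ts, src, dst, proto, dport, action = parts
    return {"ts": ts, "src": src, "dst": dst, "proto": proto,
            "dport": int(dport), "action": action}

def find_dns_bypass(log_text, approved=APPROVED_RESOLVERS):
    """Return (findings, skipped): DNS flows to unapproved resolvers and unparsed lines.

    Each finding is (client, resolver, port, action, count). An "allow" action means
    the query left the network, so the DNS settings are not effectively locked down.
    """
    hits = Counter()
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow is None:
            skipped += 1  # keep a count so log gaps are visible, not silent
            continue
        if flow["dport"] in DNS_PORTS and flow["dst"] not in approved:
            hits[(flow["src"], flow["dst"], flow["dport"], flow["action"])] += 1
    return sorted(key + (n,) for key, n in hits.items()), skipped

if __name__ == "__main__":
    findings, skipped = find_dns_bypass(SAMPLE_LOG)
    for src, dst, port, action, count in findings:
        print(f"{src} -> {dst}:{port} ({action}) x{count}")
    print(f"unparsed lines: {skipped}")
```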

Will DNS filtering make Internet access slower?

Some web filtering solutions will result in some latency, which is why many businesses prefer DNS filtering. A DNS filter applies filtering controls before any content is downloaded, so there is almost zero latency and no noticeable slowing of page load times.