What is DNS filtering?

DNS filtering intercepts DNS queries and blocks resolution for known malicious, phishing, or unwanted domains. When a user tries to visit a blocked domain, the DNS filter returns a block page instead of the real IP address. It is one of the simplest and most effective security measures, protecting all devices on the network without requiring software installation.

DNSSEC (Domain Name System Security Extensions) adds cryptographic signatures to DNS records, allowing recipients to verify that responses are authentic and have not been tampered with. It protects against DNS spoofing and cache poisoning attacks. While not all domains use DNSSEC, enabling it for your domains adds an important layer of authentication.

Should I use encrypted DNS (DoH/DoT)?

Yes. DNS over HTTPS (DoH) or DNS over TLS (DoT) encrypts DNS queries, preventing eavesdropping and manipulation of DNS traffic. Most modern browsers and operating systems support encrypted DNS. For businesses, implementing encrypted DNS through a corporate DNS filtering service provides both privacy and security benefits.

Book Free Assessment Calculator

DNS Security

Also known as:domain name securityDNS protectionDNS defence

The practice of protecting Domain Name System infrastructure from attacks and abuse, including DNS hijacking, spoofing, and cache poisoning, to ensure reliable and secure domain name resolution.

In-Depth Explanation

DNS security encompasses the tools and protocols used to protect the Domain Name System - the internet's phone book that translates domain names into IP addresses. Because nearly all internet activity begins with a DNS query, DNS is a critical attack surface.

DNS threats:

DNS spoofing/cache poisoning: Inserting false DNS records to redirect traffic
DNS hijacking: Taking control of DNS settings to redirect domains
DNS tunnelling: Using DNS queries to exfiltrate data or bypass firewalls
DDoS on DNS: Overwhelming DNS servers to disrupt service
Domain shadowing: Creating subdomains under compromised domains for malicious use
Typosquatting: Registering similar domain names to capture mistyped URLs

DNS security measures:

DNSSEC: Cryptographic authentication of DNS responses
DNS filtering: Blocking access to known malicious domains
DoH/DoT: Encrypting DNS queries (DNS over HTTPS/TLS)
DNS monitoring: Logging and analysing DNS queries for anomalies
Registrar security: Locking domain registrar accounts with MFA
Split DNS: Separating internal and external DNS resolution

DNS filtering for security:

Block access to known malware, phishing, and command-and-control domains
Prevent users from accessing inappropriate or dangerous websites
Enforce acceptable use policies at the network level
Popular services: Cisco Umbrella, Cloudflare Gateway, DNSFilter

Business Context

DNS is involved in over 90% of malware attacks, making DNS security one of the most effective and overlooked security layers. DNS filtering alone can block a significant proportion of threats before they reach endpoints.

How Clever Ops Uses This

Clever Ops implements DNS security for Australian businesses including DNS filtering to block malicious domains, DNSSEC to prevent spoofing, registrar account protection, and DNS monitoring for threat detection. We deploy cloud-based DNS security that protects all devices regardless of location.

Example Use Case

"An Australian business implements Cloudflare Gateway for DNS filtering, blocking access to malicious domains across all offices and remote workers. Within the first month, DNS filtering blocks over 3,000 attempts to access phishing and malware sites."