DNS Filtering. Stop threats before they load.
Block malicious domains, phishing sites, and ransomware command-and-control traffic at the network layer — before they ever reach your users.
DNS filtering is one of the highest-impact, lowest-friction security controls available. No endpoint agent required. Covers every device on your network, including IoT, printers, and BYOD. Deploys in under an hour.
How it works
Block at the source. Before anything loads.
DNS filtering intercepts the query before a connection is established — the threat is refused before a single byte loads in your browser.
Real-time threat intelligence feeds updated continuously. Every blocked request logged and reported.
Request made
A user or device tries to connect to a domain — by clicking a link, opening an app, or a malware process calling home.
DNS query intercepted
Before the connection is established, the DNS query is checked against a real-time threat intelligence feed updated continuously.
Blocked or allowed
Malicious, phishing, and blocked-category domains are refused. Legitimate traffic passes through without noticeable delay.
Logged and reported
Every blocked request logged with device, user, and timestamp. Reports delivered monthly alongside your Fortify posture summary.
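The four steps above, sketched as a minimal resolver-side check. This is an added example, not the provider's code: the blocklist and allowlist entries, the function names, and the device and user values are all constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample policy: placeholder names under reserved TLDs, not real feed data.
BLOCKLIST = {"c2.badhost.example": "malware", "login-portal.test": "phishing"}
ALLOWLIST = {"status.login-portal.test"}  # hypothetical false-positive override

def build_query(name):
    """Build a minimal DNS query (RFC 1035) for an A record; used as sample input."""
    header = bytes.fromhex("123401000001000000000000")  # id, RD flag, QDCOUNT=1
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + b"\x00\x01\x00\x01"  # root, QTYPE=A, QCLASS=IN

def parse_qname(packet):
    """Extract the lower-cased question name from a raw DNS query."""
    if len(packet) < 12 or int.from_bytes(packet[4:6], "big") < 1:
        raise ValueError("not a DNS query with a question")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question name")
        length = packet[pos]
        if length == 0:
            return ".".join(labels)
        if length > 63 or pos + 1 + length > len(packet):
            raise ValueError("bad label length or compression pointer")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii").lower())
        pos += 1 + length

def listed_suffix(name, table):
    """Return the first listed suffix of name, so sub.bad.example matches bad.example."""
    parts = name.split(".")
    for i in range(len(parts)):
        if ".".join(parts[i:]) in table:
            return ".".join(parts[i:])
    return None

def decide(packet, device, user, now=None):
    """Check one query against policy and return the log record for it."""
    name = parse_qname(packet)
    # An allowlist entry wins over the blocklist, which is how an override is applied.
    hit = None if listed_suffix(name, ALLOWLIST) else listed_suffix(name, BLOCKLIST)
    return {
        "timestamp": (now or datetime.now(timezone.utc)).isoformat(),
        "device": device, "user": user, "qname": name,
        "action": "block" if hit else "allow",
        "category": BLOCKLIST[hit] if hit else None,
    }

if __name__ == "__main__":
    for n in ("Beacon.C2.badhost.example", "status.login-portal.test", "www.example.org"):
        print(json.dumps(decide(build_query(n), "10.0.0.23", "jsmith")))
```

Matching on parent domains is what lets one feed entry cover every subdomain under it, and lower-casing the name first keeps mixed-case queries from slipping past the list.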
What's blocked
Every threat category, every device.
Eight categories of threat blocked and managed. Covers every device on your network without any endpoint installation required.
Malware & ransomware
Known malicious domains and ransomware C2 infrastructure blocked. Stops malware calling home even after initial infection.
Phishing sites
Real-time threat feeds identify newly registered phishing pages — often within minutes of creation — and block them immediately.
Malvertising
Ad networks known to serve malicious content blocked. Stops drive-by downloads from otherwise legitimate websites.
Cryptomining domains
Browser-based cryptomining scripts blocked at the DNS layer. CPU resources stay where they belong.
IoT & BYOD coverage
Every device using your DNS resolver is protected — including printers, cameras, and personal devices on your network.
Remote worker coverage
DNS-over-HTTPS and roaming agent options extend protection to remote workers regardless of their network.
Custom blocklists
Add your own domain blocklist for categories not covered by default feeds or organisation-specific requirements.
Content category control
Optionally block adult content, gambling, social media, or other categories outside your acceptable use policy.
Essential Eight alignment
DNS filtering directly supports multiple ACSC Essential Eight controls. It's one of the fastest ways to improve your maturity rating without a lengthy deployment project.
- Supports Application Control (Maturity Level 1)
- Blocks malicious macro and script delivery domains
- Supports Patch Applications by blocking exploit kit domains
- Reduces attack surface for ransomware delivery
- Deployable same day, typically under an hour
Deployment options
DNS filtering can be deployed as a network-level control or with a lightweight roaming agent for remote workers. We assess your environment and recommend the right approach at scoping.
- Network-level deployment for office environments
- DNS-over-HTTPS for modern browsers and OSes
- Roaming agent for remote and laptop users
- No endpoint agent required for network deployment
- BYOD and guest network coverage included
- Active Directory integration for user-level reporting
What you gain
Threats blocked before they reach anyone.
Four concrete outcomes from DNS filtering deployment, measurable from the first blocked request.
Malware contained
Ransomware and malware that reaches a device can't call home for instructions if the C2 domain is blocked. DNS filtering breaks the kill chain before damage is done.
Phishing blocked
Phishing pages blocked at the network layer. Users clicking malicious links in email or SMS never reach the credential harvesting page.
Full network coverage
Every device on your network protected — including those that can't run endpoint agents. IoT, printers, and BYOD covered without additional configuration.
Essential Eight improved
DNS filtering contributes directly to your Essential Eight maturity rating. Fast to deploy and easy to document for compliance and insurance purposes.
Does DNS filtering slow down internet access?
No. Modern DNS filtering resolves queries in milliseconds using globally distributed infrastructure. The added latency is imperceptible in everyday use.
Does it require an endpoint agent?
Not for network-level deployment. DNS filtering works at the resolver level, covering every device using your network DNS without requiring anything installed on individual devices. A roaming agent is available for remote workers who are frequently off-network.
Will it block legitimate websites?
Occasionally, new legitimate domains are temporarily categorised incorrectly. We configure reporting and an easy override process so any false positives can be resolved quickly. The false positive rate on well-managed DNS filtering deployments is very low.
Can it cover remote workers?
Yes. DNS-over-HTTPS integration and roaming agent options extend filtering to remote workers regardless of where they're working. We recommend the roaming agent for laptops used outside the office regularly.
Is DNS filtering included in Fortify managed security?
Yes. DNS filtering is deployed as part of every Fortify engagement and covered by our 24/7 monitoring. It's also available as a standalone deployment for organisations not yet on Fortify.
One of the fastest wins in security
Deploy in a day. Block threats the same afternoon.
DNS filtering is one of the highest-impact, lowest-effort controls you can put in place. We can have it live in your environment within hours of engagement.