Independent guide
DNS Filtering: What It Is, How It Works, and Where It Stops
DNS filtering makes an allow-or-block decision while a device is looking up a domain. It can stop a connection before a risky or unwanted site loads, but it does not read the page, message, search term, or video behind that domain.
Quick answer
DNS filtering sends domain lookups to a resolver that checks each requested hostname against security categories, content categories, and explicit rules. An allowed domain receives a normal answer. A blocked domain does not. This makes DNS filtering broad, early, and useful across many devices, while limiting it to domain-level decisions.
One lookup, one early decision
The useful mental model is short: a device asks, the resolver evaluates the hostname, and the answer determines whether the connection can start.
-
1. Request
A browser, app, TV, or other device asks for the address behind a domain.
-
2. Policy
The DNS resolver compares the hostname with threat data, categories, and explicit rules.
-
3. Outcome
The resolver returns the normal answer, blocks the lookup, or applies another declared DNS action.
How DNS filtering works
DNS filtering adds policy to the resolver that translates a hostname such as example.com into an IP address. The decision happens before the browser or app fetches content from that destination.
When a domain is allowed, the resolver answers normally and the device can continue connecting. When a domain matches a blocked security category, content category, managed list, or explicit rule, the resolver can refuse the lookup or return a controlled response. The requested site then fails before its page content is downloaded.
This early position is why one filtering resolver can help browsers, apps, smart TVs, game consoles, and other devices that perform DNS lookups. Coverage still depends on those devices using the intended resolver. A browser with its own secure DNS setting, a VPN, mobile data, or another network path may send the lookup somewhere else.
What DNS filtering can block
DNS filtering is well suited to blocking whole domains associated with phishing, malware, scams, adult content, gambling, advertising, tracking, or a custom household or team rule.
The best first policy is usually small and understandable. Start with high-confidence threats, add preference categories deliberately, and test normal work, school, login, update, and streaming paths before expanding the rule set.
A block is only as useful as its recovery path. Someone should know why the domain was blocked, how to review a false positive, and whether a narrow exception is safer than disabling an entire category.
- Known malicious and phishing domains before a connection begins
- Whole-site content categories when domain-level blocking is acceptable
- Known advertising and tracking hosts used across sites and apps
- Specific domains that a household, person, or team has chosen to block
- Newly risky destinations added through maintained threat intelligence
What DNS filtering cannot see
DNS filtering normally sees a hostname, not the full URL or the content inside an encrypted page or app. It cannot judge every post, message, video, search, file, or action served from an allowed domain.
If useful and unwanted content share the same domain, DNS has a blunt choice: allow the domain or block all of it. Blocking a single page, stopping a specific upload, controlling app installs, setting screen-time limits, or moderating an in-app feed belongs to browser, device, account, application, or inspected web controls.
DNS logs also are not a full browser history. A retained DNS record may reveal that a device requested a domain and how policy handled it. It generally does not reveal the exact page path, text typed into a search box, private message, or item viewed inside a platform. Domain history can still be sensitive and should have a clear purpose, access boundary, and retention choice.
Where DNS filtering fits
DNS filtering is a broad first layer. Use it beside device security, browser and account controls, software updates, password protection, and a clear process for exceptions.
This division of labor prevents two common mistakes: expecting DNS to understand content it never sees, and ignoring DNS because it is not a complete security stack. An early domain decision is valuable precisely because it is narrow and broadly deployable.
| Goal | DNS filtering fit | Useful companion |
|---|---|---|
| Block a known phishing domain | Strong | Email and identity protection |
| Block an entire adult website | Strong at domain level | Device and account controls |
| Block one page on an allowed site | Weak | URL or browser control |
| Set app time or purchase limits | Not the owner | Operating-system family tools |
| Inspect a file upload or page body | Cannot inspect it | Managed HTTP or content inspection |
How to evaluate a DNS filtering setup
Check the resolver path, test one expected allow and one safe expected block, repeat the test on each important device and network, and keep a rollback plan.
Configuration is not proof. A router change may cover the home network but not a phone on cellular data. A device setting may cover one operating system while a browser sends encrypted DNS elsewhere. Testing from the real context is the only reliable way to understand coverage.
Veilty applies DNS rules to configured devices and supports different policy needs across family, personal, and team contexts. Like any resolver, it must process the live DNS request to answer it. Retained activity history is a separate choice and is protected with end-to-end encryption for authorized Space or Tenant roles.
- Write down the current DNS settings before changing them.
- Confirm the intended resolver is used on home or office Wi-Fi.
- Test browsers, apps, shared devices, and any off-network device path separately.
- Check browser secure DNS, VPN, private relay, mobile data, and guest-network behavior.
- Review why a test domain was blocked instead of treating any failure as success.
- Keep an immediate way to restore the previous resolver if normal services break.
Continue from here
Move from the general decision to the guide that owns your next question.
DNS filtering FAQ
Short answers for the decisions people make most often after reading this guide.
DNS filtering checks a requested domain before returning its address. It answers allowed domains normally and blocks domains that match the active policy.
It normally sees requested hostnames, not full page URLs or page contents. A hostname can still reveal sensitive context, so retained DNS activity deserves careful access and retention choices.
It can cover many device types, but only while each device uses the intended resolver. VPNs, mobile data, private relay features, and browser secure DNS can change the path.
No. It is an early domain-level layer. Pair it with device updates, account security, browser or app controls, and a clear exception process.
Bring clear DNS rules to your devices
Request early access to Veilty, or keep exploring the practical DNS filtering guides.