Expressvpn Glossary
DNS firewall
What is a DNS firewall?
A Domain Name System (DNS) firewall is a security tool that filters DNS requests to block access to malicious or unwanted domains. In this context, it refers to DNS-layer filtering or protective DNS, rather than infrastructure protection for authoritative DNS servers. This helps stop some threats at the DNS layer before a malicious site loads or the device reaches the intended destination.
How does a DNS firewall work?
A DNS firewall applies security rules during DNS resolution. When a device sends a DNS query, the firewall checks the requested domain against policy data such as blocklists, response policy zone (RPZ) rules, or threat intelligence.
It then decides how to handle the lookup. Safe requests are resolved normally, while suspicious ones can be blocked, sinkholed, or redirected to a warning page, depending on the configuration.
Many DNS firewalls also log lookups that trigger policy enforcement and refresh their rules as threat data changes, so they can filter newly identified malicious domains more quickly.
Why are DNS firewalls important?
A DNS firewall blocks many threats at the DNS layer before a device reaches a malicious destination. For example, it can prevent access to phishing pages by blocking known malicious domains. It can also interrupt communication between infected devices and external command-and-control (C2) servers, helping contain malware activity.
Where are DNS firewalls used?
DNS firewalls appear in environments where administrators need to control domain-level access across networks and devices. Enterprises deploy them in offices and remote work settings to enforce security policies across on-premises and remote users.
Schools and public Wi-Fi operators may use DNS firewalls to restrict access to unsafe or inappropriate content and support acceptable-use or regulatory requirements. Home routers may also offer DNS filtering as a parental control tool to block age-inappropriate content.
Some managed security service providers offer DNS firewalls as part of broader security services.
Risks and privacy concerns
Common concerns related to DNS firewalls include:
- Log exposure: DNS logs can reveal browsing patterns, device activity, or service usage if organizations collect them broadly or fail to protect them properly.
- Encrypted DNS bypass: Applications using unauthorized DNS over HTTPS (DoH), or DNS over TLS (DoT) can bypass local DNS controls unless administrators restrict and manage outbound DNS.
- Domain-based evasion: Some threats use Domain Generation Algorithms (DGA) or fast-flux techniques to rapidly rotate domains or DNS records, making malicious infrastructure harder to detect and block in time.
- DNS integrity risks: Weaknesses in the broader DNS resolution path, such as cache poisoning, can let attackers inject false responses, undermining the integrity of the lookups the firewall relies on.
Further reading
- DNS security: How to protect your network from DNS threats
- The ultimate guide to phishing detection
- Types of DNS servers: Everything you need to know
- DNS hijacking and how to prevent it
- What is DNS spoofing? Learn how it affects your security