WIN FIFA World Cup™ tickets! Raffle closes in:

WIN FIFA World Cup 2026™ tickets! Enter now

Sign up now
Wc2026 Mobile

Expressvpn Glossary

DNS firewall

DNS firewall

What is a DNS firewall?

A Domain Name System (DNS) firewall is a security tool that filters DNS requests to block access to malicious or unwanted domains. In this context, it refers to DNS-layer filtering or protective DNS, rather than infrastructure protection for authoritative DNS servers. This helps stop some threats at the DNS layer before a malicious site loads or the device reaches the intended destination.

How does a DNS firewall work?

A DNS firewall applies security rules during DNS resolution. When a device sends a DNS query, the firewall checks the requested domain against policy data such as blocklists, response policy zone (RPZ) rules, or threat intelligence.

It then decides how to handle the lookup. Safe requests are resolved normally, while suspicious ones can be blocked, sinkholed, or redirected to a warning page, depending on the configuration.

Many DNS firewalls also log lookups that trigger policy enforcement and refresh their rules as threat data changes, so they can filter newly identified malicious domains more quickly.DNS firewall checks a DNS request, blocks malicious domains, and allows safe ones.

Why are DNS firewalls important?

A DNS firewall blocks many threats at the DNS layer before a device reaches a malicious destination. For example, it can prevent access to phishing pages by blocking known malicious domains. It can also interrupt communication between infected devices and external command-and-control (C2) servers, helping contain malware activity.

Where are DNS firewalls used?

DNS firewalls appear in environments where administrators need to control domain-level access across networks and devices. Enterprises deploy them in offices and remote work settings to enforce security policies across on-premises and remote users.

Schools and public Wi-Fi operators may use DNS firewalls to restrict access to unsafe or inappropriate content and support acceptable-use or regulatory requirements. Home routers may also offer DNS filtering as a parental control tool to block age-inappropriate content.

Some managed security service providers offer DNS firewalls as part of broader security services.

Risks and privacy concerns

Common concerns related to DNS firewalls include:

  • Log exposure: DNS logs can reveal browsing patterns, device activity, or service usage if organizations collect them broadly or fail to protect them properly.
  • Encrypted DNS bypass: Applications using unauthorized DNS over HTTPS (DoH), or DNS over TLS (DoT) can bypass local DNS controls unless administrators restrict and manage outbound DNS.
  • Domain-based evasion: Some threats use Domain Generation Algorithms (DGA) or fast-flux techniques to rapidly rotate domains or DNS records, making malicious infrastructure harder to detect and block in time.
  • DNS integrity risks: Weaknesses in the broader DNS resolution path, such as cache poisoning, can let attackers inject false responses, undermining the integrity of the lookups the firewall relies on.

Further reading

FAQ

What is the difference between DNS filtering and a DNS firewall?

Domain Name System (DNS) filtering is a broad term for controlling access to domains based on rules, categories, or threat intelligence. A DNS firewall is usually a more security-focused implementation that applies these controls specifically to block malicious or high-risk domains as part of a defense strategy.

Can a DNS firewall stop malware infections?

A Domain Name System (DNS) firewall can prevent devices from connecting to known malicious domains, potentially preventing some infections or limiting their impact. However, it can’t remove malware that's already on a device or stop threats that don’t rely on DNS.

Does a DNS firewall improve privacy?

A Domain Name System (DNS) firewall can improve privacy by blocking connections to tracking or malicious domains. However, organizations may still log DNS activity, which means DNS firewalls don’t provide complete privacy on their own.

Can it work with encrypted DNS?

Yes, but only if administrators manage or route the encrypted Domain Name System (DNS) traffic through the firewall. If applications use external DNS over HTTPS (DoH) or DNS over TLS (DoT), they may bypass local DNS controls.

Is a DNS firewall enough on its own?

No. A Domain Name System (DNS) firewall is one layer of security and works best alongside other protections such as endpoint security, network monitoring, and user awareness.
Get Started