Secure DNS

is No Longer Optional
In March 2021, the National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) released a joint statement highlighting how DNS is central to the operation of the entire internet.They further emphasized that prioritizing its protection is critical to combating cyber threats. This statement was also used to advocate for the widespread adoption of protective DNS measures.

DNS is at the core of all internet operations but ironically, securing the DNS layer has always been treated as a luxury rather than a necessity by most organizations. This strong stance by the NSA and CISA on having a protected DNS layer further emphasizes the point that having a secure network starts with shielding your DNS operations from threat actors. 70% of all cyberattacks can be prevented by protecting the DNS layer.

DNSFiter offers all the features required of a compliant Protective DNS provider out of the box, including extra features like one-click application blocking, offsite protection, and defense against zero-day attacks.
START your free trial
protective dns
secure dns protection


Protective DNS (often referred to as PDNS) is the catch-all term for security solutions that examine your DNS queries and implement safeguards to prevent you from accessing malicious sites that contain malware, ransomware, phishing attacks, and other dangerous content.

DNS protection services analyze IP addresses and domain names against a variety of threat intelligence databases and directories. If a site is known (or suspected) to be malicious, DNS protection ensures that you’ll be directed back to safety, without exposing yourself to the identified risk.

Features of PDNS Include:

pdns filter

Ability to filter web content (filter malicious content by default)

pdns ai

Provide intelligent threat protection and defense against the download or installation of malware

pdns control

Provide facilities for advert restrictions, etc.

How PDNS Works

Most DNS security setups that validate DNS records (DNS Security Extensions, DNSSEC), or encrypt DNS traffic for protection against malicious eavesdropping (DNS-over-TLS/ DoT or DNS-over-HTTPS/DoH) do not address the trustworthiness of upstream DNS infrastructure that may be compromised or maliciously provisioned.

PDNS addresses these concerns by using an external DNS resolver that implements standard protective DNS policies. One of the main functions of the resolver is to examine the domain name queries and the returned IP addresses against threat intelligence. This way, the resolver can help prevent connections to known and suspected malicious domains. 

Protective DNS (PDNS) operates as a service and is not itself a DNS protocol.

Why is PDNS important?

DNS is at the heart of internet operations, but it is not built with security out of the box. Because of this, malicious actors find it attractive to design attacks around the protocol.

These attacks can lead to data exfiltration from compromised hosts, installation of malicious software, the spread of network worms, and ransomware.

Cybersecurity teams, in looking to strengthen the safety of company networks, leverage PDNS to secure an ever-expanding collection of devices, access points, and users. Proper DNS protection offers a zero-trust security solution for any end-user accessing the internet on your network. These services create a secure environment requiring no action or training on your end.

DNSFilter’s Compliance with the NSA and CISA Guidelines for PDNS

Following the joint statement, the NSA and CISA also released a report listing the guidelines for selecting a Protective DNS provider. These criteria, though not exhaustive, are considered to be the most important attributes to look out for when choosing a Protective DNS provider.

The table below shows how DNSFilter satisfies the requirements stated in the report:

Blocks Malware Domains

dns shield

Blocks Phishing Domains

dns shield

Malware Domain Generation Algorithm (DGA) Protection

dns shield

Leverages machine learning or other heuristics to augment threat feeds

dns shield

Content filtering

dns shield

Supports API access for SIEM integration or custom analytics

dns shield

Web Interface dashboard

dns shield

Validates DNSSEC

dns shield

DoH/DoT capable

dns shield

DNSFilter offers robust end-user DNS protection, powered by AI and backed by the largest global DNS network in the industry. On a daily basis, we block over 1 million deceptive websites, scan over 3 million domains, and process up to 12 billion DNS requests. 

Get started with a DNSFilter account today and start protecting your DNS layer in a matter of minutes.