
Every time you visit a website, your device sends a DNS query — a request to translate a domain name like example.com into an IP address your browser can connect to. That translation happens in milliseconds, before any content loads, before any connection is made. It is also one of the most exploited moments in cybersecurity.

According to Infoblox's analysis of over 70 billion DNS queries per day, 90% of malware uses DNS as part of its attack chain. Not as an afterthought — as a foundational mechanism for command-and-control, data exfiltration, and phishing delivery. DNS filtering intercepts those requests before they reach their destination. This article explains how it works, why standard VPN encryption does not cover this gap, and why the two technologies belong together.

What Is DNS and Why Does It Matter for Security?

DNS stands for Domain Name System. It is the internet's phonebook — converting human-readable domain names into the IP addresses that servers use to route traffic. When you type a URL into your browser, your device first asks a DNS resolver: "What is the IP address for this domain?"

The security implication is straightforward: if your device asks for the IP address of a malicious domain, it is already headed toward that threat. The DNS query itself is the first step in most cyberattacks. Phishing campaigns, malware downloads, ransomware command-and-control servers, and data exfiltration pipelines all rely on DNS to function. Block the DNS query and the entire attack chain collapses before it starts.

Between August and November 2025, Infoblox identified over 7.6 million new threat-related domains — a 20% increase over the prior quarter. Critically, 85.4% of those malicious domains were identified before any user ever interacted with them. That early-detection window is what DNS filtering is designed to exploit.

How DNS Filtering Works Step by Step

DNS filtering operates as a layer between your device and the internet, inserted at the DNS resolution stage:

  1. You request a domain. Your device sends a DNS query to resolve a domain name — whether you typed it in, clicked a link, or an app triggered the request automatically.
  2. The query hits the DNS filter first. Instead of going directly to a standard DNS resolver, the query is intercepted by the filtering layer.
  3. The domain is checked against a threat database. The filtering system compares the requested domain against a continuously updated blocklist of malicious, phishing, and suspicious domains.
  4. Allow or block decision. If the domain is clean, the request proceeds normally and your connection is established. If the domain is flagged, the request is blocked — the connection is never made.
  5. The threat is stopped before contact. No data is sent to the malicious server. No malware is downloaded. No phishing page loads. The attack is terminated at the first step.

The entire process adds only a few milliseconds. From a user perspective, a blocked request looks like a site that failed to load — because the connection was stopped before it began.
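As an added illustration of steps 2 through 4 (not code from CyberFence or Web Shield), the following Python sketch parses the question name out of a raw DNS query, matches it against a constructed blocklist including parent zones, and answers a flagged name with NXDOMAIN, which is one common way a filter makes a blocked site "fail to load". The blocklist entries, query ID and domain names are made-up sample values.

```python
"""Minimal DNS-layer filter: parse the QNAME from a wire-format DNS query,
check it against a blocklist (parent zones included), and either synthesize
an NXDOMAIN reply or hand the query to the upstream resolver."""
import struct

# Constructed blocklist for this example; a real filter loads a live threat feed.
BLOCKLIST = {"phish.example", "c2.badhost.invalid", "ads.tracker.test"}


def parse_qname(packet: bytes) -> str:
    """Return the lowercase question name from a DNS query (first question only)."""
    labels, pos = [], 12  # question section starts after the 12-byte header
    while True:
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:  # stub resolvers never compress the question name
            raise ValueError("unexpected compression pointer in question name")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels).lower()


def is_blocked(qname: str, blocklist=BLOCKLIST) -> bool:
    """True if qname or any parent zone is listed (login.phish.example -> phish.example)."""
    parts = qname.rstrip(".").split(".")
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts)))


def nxdomain_reply(query: bytes) -> bytes:
    """Answer with RCODE 3 (NXDOMAIN), echoing the query ID and question.
    Flags 0x8183 = QR set, RD set, RA set, RCODE 3."""
    end = 12
    while query[end] != 0:  # walk the labels to find the end of QNAME
        end += 1 + query[end]
    question = query[12:end + 1 + 4]  # QNAME, terminating NUL, QTYPE, QCLASS
    return query[:2] + struct.pack(">HHHHH", 0x8183, 1, 0, 0, 0) + question


def filter_query(query: bytes):
    """Return ("block", nxdomain_packet) or ("forward", original_query)."""
    if is_blocked(parse_qname(query)):
        return "block", nxdomain_reply(query)
    return "forward", query


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode an A-record query in wire format (used to construct sample input)."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00\x01\x00\x01"
```

Production filters often return a sinkhole address such as 0.0.0.0 instead of NXDOMAIN, so that blocked lookups can be logged and distinguished from genuinely non-existent names.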

What DNS Filtering Blocks That a VPN Cannot

A VPN encrypts your internet traffic and routes it through a secure tunnel. This protects your data from interception on public networks, hides your IP address from websites you visit, and prevents your ISP from seeing your browsing activity. These are genuine and valuable protections.

What a VPN does not do is evaluate the destinations you are connecting to. A VPN with no DNS filtering will happily encrypt your traffic and route it directly to a phishing site, a malware distribution server, or a ransomware command-and-control endpoint. The encryption protects the path. It does nothing about the destination.

DNS filtering addresses the destination. It does not matter how secure your connection is if the server you are connecting to is malicious. By blocking the DNS query before the connection is established, DNS filtering stops threats that encryption cannot address — regardless of how sophisticated the attack is.

This is why the two technologies complement each other. VPN encryption protects the channel. DNS filtering protects the destination. Together they cover fundamentally different attack surfaces.

CyberFence includes both — built in, on by default

CyberFence combines AES-256-GCM VPN encryption with Web Shield, our DNS-layer threat blocking system. Every connection is both encrypted and filtered at the DNS level — automatically, on all 5 platforms, with no separate configuration required.


The Scale of the DNS Threat Problem

The numbers from 2025 make the case for DNS filtering clearly:

  • Infoblox's platform applied 648 million DNS blocking actions per day across its customer base between August and November 2025.
  • Phishing accounts for 30% of all malicious DNS traffic, according to EfficientIP's 2026 DNS Threat Intelligence Report.
  • DNS attacks cause outages in 82% of affected businesses and result in data theft in 29% of cases.
  • Over 100 million newly observed domains are registered annually, with 25.1% found to be malicious.
  • Zero-day malicious domains — newly created attack infrastructure — appear at a rate of 3,000 to 10,000 new domains per day, with most persisting less than 72 hours before being retired.

That last point is particularly important. Malicious domains are intentionally short-lived. Attackers create, use, and retire infrastructure within hours or days specifically to evade traditional blocklists that rely on known-bad domains. Modern DNS filtering addresses this with real-time threat intelligence and behavioral analysis of newly registered domains — identifying malicious intent before the domain appears on any standard blocklist.

DNS Filtering vs. Antivirus: Understanding the Difference

Antivirus software operates at the endpoint — it scans files that have already been downloaded or processes that are already running. By the time antivirus software evaluates a threat, the malicious content has already reached your device.

DNS filtering operates upstream of that — before the download starts, before the page loads, before any executable reaches your machine. For phishing attacks and drive-by malware distribution in particular, DNS filtering is the more effective preventive layer because it eliminates the attack before your device ever receives anything to scan.

The two approaches address different points in the attack timeline. DNS filtering handles prevention. Antivirus handles detection and remediation. They should be used together, not treated as alternatives.

How Web Shield Works in CyberFence

CyberFence's Web Shield is a DNS-layer blocking system that runs automatically on every device running CyberFence. Here is what it does:

Malicious domain blocking. Known phishing domains, malware distribution sites, ransomware command-and-control servers, and other threat infrastructure are blocked at the DNS level before your device connects.

Ad and tracker blocking. DNS requests to advertising networks and tracking domains are blocked, reducing both surveillance and the attack surface that malicious advertising (malvertising) can exploit.

Real-time threat intelligence. Web Shield's blocklist is continuously updated with new threat data, including newly registered domains showing malicious behavioral patterns.

Works on all networks. Web Shield operates whether you are on your home network, a corporate network, hotel WiFi, or a mobile data connection — anywhere CyberFence is active.

No separate configuration. Web Shield is on by default. There is no additional setup, no separate app, and no technical configuration required. It works in the background alongside VPN encryption.

Do You Need DNS Filtering if You Are Careful Online?

This is a reasonable question. If you avoid suspicious links and only visit reputable sites, does DNS filtering add meaningful protection?

The answer is yes, for two reasons. First, modern phishing attacks are sophisticated enough that careful users get fooled. Attackers use lookalike domains, compromised legitimate sites, and AI-generated content that is indistinguishable from real communications. The 2026 DNS Threat Intelligence data shows phishing infrastructure is being staged months in advance at industrial scale — not as improvised one-off attacks, but as coordinated campaigns against specific targets.

Second, DNS queries are not only generated by your conscious browsing decisions. Apps, browser extensions, operating system processes, and embedded scripts on legitimate websites all generate DNS queries in the background. A malicious ad on a mainstream news site, a compromised JavaScript library, or a software package with a malicious dependency can all trigger DNS connections without you clicking anything. DNS filtering covers the full scope of DNS activity on your device, not just the URLs you type.

What to Look for in a VPN with DNS Filtering

Not every VPN that claims DNS protection actually delivers it. Here is what to evaluate:

DNS leak protection. A VPN must route all DNS queries through its own encrypted tunnel. If DNS queries leak outside the VPN — a common misconfiguration — your ISP and any network observer can see which domains you are resolving, even while your traffic is encrypted.

Active threat blocking, not just leak prevention. Some VPNs prevent DNS leaks but do not actually block malicious domains. Leak prevention means your queries go through the VPN. Active blocking means malicious domains are evaluated and stopped. You need both.

Continuously updated threat intelligence. A static blocklist is insufficient given the rate at which malicious domain infrastructure is created and retired. The blocking system must use real-time threat data.

No logging of DNS queries. A VPN with DNS filtering that logs your DNS queries has effectively built a record of your entire browsing history under a different name. Verify the provider's no-logs policy explicitly covers DNS query data.
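As an added check for the DNS leak protection point above (not from the page or from CyberFence), this Python snippet reads nameserver entries from a constructed resolv.conf-style file and flags any resolver that does not sit inside the assumed tunnel address ranges; the addresses and ranges are sample values, and a real check would read them from the live tunnel interface.

```python
"""Flag configured DNS resolvers that lie outside the VPN tunnel.
A query sent to such a resolver bypasses the VPN's DNS filtering and is
visible to the local network: a DNS leak."""
import ipaddress

# Constructed resolver configuration (assumption: a Linux-style resolv.conf).
RESOLV_CONF = """\
# generated by the VPN client (constructed sample)
nameserver 10.8.0.1
nameserver 192.168.1.1
nameserver fd00:abcd::1
search lan
"""

# Constructed tunnel address ranges for the example.
TUNNEL_NETS = ["10.8.0.0/24", "fd00:abcd::/64"]


def parse_nameservers(text: str) -> list:
    """Collect the address field of every 'nameserver' line, ignoring comments."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("nameserver"):
            parts = line.split()
            if len(parts) >= 2:
                servers.append(parts[1])
    return servers


def leaking_resolvers(resolv_text: str, tunnel_nets) -> list:
    """Return resolvers that are not inside any tunnel network (or are unparsable)."""
    nets = [ipaddress.ip_network(n) for n in tunnel_nets]
    leaks = []
    for server in parse_nameservers(resolv_text):
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            leaks.append(server)  # malformed entry: treat as unsafe rather than skip
            continue
        if not any(addr in net for net in nets):
            leaks.append(server)
    return leaks
```

A loopback stub such as systemd-resolved's 127.0.0.53 would be flagged by this check, so on such hosts the stub's own upstream servers need the same test.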

For more context on evaluating VPN privacy claims, see our guide on how to verify a VPN's no-logs policy and our breakdown of what a VPN does not protect you from. For a deep dive on phishing specifically, see how VPN phishing protection works at the DNS level.

VPN encryption + DNS filtering in one app

CyberFence combines AES-256-GCM encryption with Web Shield DNS blocking — both active on every connection, on all 5 platforms, with a strict zero-logs policy covering DNS queries. One subscription, complete coverage.
