DNS Firewall Explained

A DNS Firewall protects networks by blocking connections to malicious domains during DNS resolution.


[Figure: DNS firewall architecture showing RPZ blocking malicious domains]

Example of a DNS firewall using RPZ policies to block malicious domains before connections to attacker infrastructure are established.

What is a DNS Firewall?

A DNS firewall is a cybersecurity technology that prevents devices from connecting to malicious Internet infrastructure by blocking domain names associated with cyber threats.

Instead of allowing DNS queries to resolve normally, a DNS firewall analyzes domain requests and applies security policies based on threat intelligence data.

If the domain is associated with malware, phishing campaigns or botnet infrastructure, the DNS resolver can block the request before a connection to the malicious server occurs.

How DNS Firewalls Work

DNS firewalls operate inside recursive DNS resolvers. When a user or application attempts to resolve a domain name, the resolver compares the query against security policies and threat intelligence feeds.

If the domain matches a malicious indicator, the resolver may:

This prevents connections to malicious servers even if a user clicks on a phishing link or malware attempts to reach command-and-control infrastructure.
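The matching step described above, as an added example that is not Planisys code nor BIND's implementation: a small Python model of how an RPZ-enabled resolver decides what to answer. The zone fragment, the domain names and the addresses in it are constructed sample data; the four CNAME-encoded actions (NXDOMAIN, NODATA, passthru, redirect) follow the RPZ convention, and the precedence rule is a simplification of RPZ's within-zone ordering (an exact trigger beats a wildcard that also matches). The `log` list stands in for the query log a SOC would watch for policy hits.

```python
"""RPZ-style QNAME policy evaluation, the core decision a DNS firewall makes.

Added example (not Planisys code, not BIND's implementation). Actions encoded
in the CNAME target of an RPZ rule:
  CNAME .             -> NXDOMAIN  (name does not exist, as far as the client sees)
  CNAME *.            -> NODATA    (name exists, but no records are returned)
  CNAME rpz-passthru. -> PASSTHRU  (explicit exception, resolve normally)
  CNAME <host>.       -> REDIRECT  (answer with a walled-garden host instead)
Wildcard triggers (*.zone) cover every subdomain but not the apex name.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed RPZ zone fragment (sample data for this example, not a real feed).
SAMPLE_RPZ_ZONE = """\
; owner name is the trigger, the CNAME target encodes the action
malware-c2.example        CNAME .                      ; C2 domain: NXDOMAIN
*.malware-c2.example      CNAME .                      ; and every subdomain of it
phish-login.example       CNAME walled-garden.example. ; send users to a warning page
*.tracking.example        CNAME *.                     ; NODATA for any subdomain
safe.tracking.example     CNAME rpz-passthru.          ; exception to the wildcard
"""

# Constructed answers standing in for what normal recursion would return
# (RFC 5737 documentation addresses, not real hosts).
UPSTREAM: Dict[str, List[str]] = {
    "example.com": ["192.0.2.10"],
    "malware-c2.example": ["198.51.100.7"],
    "phish-login.example": ["198.51.100.9"],
    "safe.tracking.example": ["192.0.2.21"],
    "tracking.example": ["192.0.2.22"],
    "walled-garden.example": ["192.0.2.53"],
}


@dataclass(frozen=True)
class Rule:
    trigger: str      # lowercase owner name, no trailing dot; "*." prefix = wildcard
    action: str       # NXDOMAIN | NODATA | PASSTHRU | REDIRECT
    target: str = ""  # redirect destination, REDIRECT only


def _norm(name: str) -> str:
    """DNS names are case-insensitive; compare without the trailing dot."""
    return name.strip().lower().rstrip(".")


def parse_rpz(text: str) -> List[Rule]:
    """Turn zone-file lines of the form `owner CNAME target` into Rule objects."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        parts = raw.split(";", 1)[0].split()  # drop zone-file comments, tokenize
        if len(parts) < 3 or parts[1].upper() != "CNAME":
            continue  # this example handles QNAME/CNAME triggers only
        owner, t = _norm(parts[0]), _norm(parts[2])  # "." -> "", "*." -> "*"
        if t == "":
            rules.append(Rule(owner, "NXDOMAIN"))
        elif t == "*":
            rules.append(Rule(owner, "NODATA"))
        elif t == "rpz-passthru":
            rules.append(Rule(owner, "PASSTHRU"))
        else:
            rules.append(Rule(owner, "REDIRECT", t))
    return rules


def _matches(trigger: str, qname: str) -> bool:
    if trigger.startswith("*."):
        return qname.endswith(trigger[1:])  # ".zone" suffix: subdomains only, never the apex
    return qname == trigger


def evaluate(rules: List[Rule], qname: str) -> Optional[Rule]:
    """Most specific matching trigger wins: exact beats wildcard, longer beats shorter."""
    q = _norm(qname)
    best, best_key = None, None
    for r in rules:
        if _matches(r.trigger, q):
            key = (0 if r.trigger.startswith("*.") else 1, len(r.trigger))
            if best_key is None or key > best_key:
                best, best_key = r, key
    return best


def resolve(rules: List[Rule], qname: str, upstream: Dict[str, List[str]],
            log: List[str]) -> Tuple[str, List[str]]:
    """Answer a query as the firewalling resolver would; record each policy hit in `log`."""
    q = _norm(qname)
    rule = evaluate(rules, q)
    if rule is None or rule.action == "PASSTHRU":
        answers = upstream.get(q)
        return ("NOERROR", answers) if answers is not None else ("NXDOMAIN", [])
    log.append(f"rpz hit qname={q} trigger={rule.trigger} action={rule.action}")
    if rule.action == "NXDOMAIN":
        return ("NXDOMAIN", [])
    if rule.action == "NODATA":
        return ("NOERROR", [])
    return ("NOERROR", upstream.get(rule.target, []))  # REDIRECT to the walled garden


if __name__ == "__main__":
    rules = parse_rpz(SAMPLE_RPZ_ZONE)
    hits: List[str] = []
    for name in ("example.com", "malware-c2.example", "BEACON.malware-c2.example.",
                 "phish-login.example", "pixel.tracking.example",
                 "safe.tracking.example", "tracking.example"):
        print(f"{name:32} -> {resolve(rules, name, UPSTREAM, hits)}")
    print("\n".join(hits))  # the blocked queries a SOC would want to alert on
```

Two details are worth noticing when running it: `BEACON.malware-c2.example.` is blocked despite the case and trailing dot, because matching is done on the normalized name, and `safe.tracking.example` resolves normally even though `*.tracking.example` would otherwise return NODATA, because the exact passthru trigger outranks the wildcard. Every blocked query leaves a log line naming the trigger that fired, which is the signal a SOC uses to find the infected host behind the query.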

Technologies Used in DNS Firewalls

Several technologies are commonly used to implement DNS firewalls.

These mechanisms allow DNS firewalls to continuously update their policies and respond quickly to newly discovered threats.

DNS Firewall vs Network Firewall

A DNS firewall should not be confused with a traditional network firewall.

Network firewalls such as nftables, iptables or commercial packet-filtering systems protect servers by controlling which network connections are allowed to reach the system.

DNS firewalls operate at a different layer: instead of filtering packets based on IP addresses and ports, they analyze DNS queries and domain names.

In practice, secure DNS infrastructures combine both mechanisms:

For example, a DNS resolver may run inside a protected environment where a network firewall such as nftables restricts inbound traffic, while the resolver itself applies RPZ policies to block malicious domains requested by clients.

Why DNS Firewalls Matter

Many cyberattacks rely on domain names to operate. Malware frequently contacts remote command-and-control servers using domain names, and phishing campaigns depend on domains that host fraudulent websites.

By blocking malicious domains at the DNS layer, DNS firewalls can stop attacks before network connections are established.

Who Uses DNS Firewalls

DNS firewall technology is widely deployed by:

Planisys 2025 © All rights reserved.