DNS Filtering Guide — Block Ads, Malware & Adult Content
DNS filtering is one of the simplest and most effective ways to protect your network. It works at the DNS level, blocking access to known malicious, inappropriate, or unwanted domains before your browser even connects to them. No software to install on each device. No complex firewall rules.
The idea is straightforward. When a device on your network tries to resolve a domain that is on a blocklist, the DNS resolver returns a blocked page or a null response instead of the real IP address. The connection stops before it starts. The user simply sees a page that says the site cannot be reached.
This approach is not perfect — sophisticated malware can bypass DNS filtering — but it stops the vast majority of threats and unwanted content with almost no performance impact.
How DNS Filtering Works
DNS filtering providers maintain constantly updated blocklists of domains. These lists come from threat intelligence feeds, security research organizations, and user reports. When a domain appears on a blocklist, the provider's resolver does not return the real IP address. Instead, it returns a redirect to a block page or a synthetic NXDOMAIN response that makes the domain appear nonexistent.
The filtering happens at the DNS resolver, not on your device or your network. You configure your device or router to use the filtering provider's DNS servers. From that point on, every DNS query goes through the filter. The provider's servers check each domain against their blocklists before responding.
Different providers use different blocklist categories. You can typically choose what to block: malware, phishing, adult content, social media, gaming sites, or advertising networks. Some providers let you customize blocklists or whitelist specific domains.
Why Use DNS Filtering?
DNS filtering is set-and-forget. Configure it once on your router, and every device on your network is protected — including IoT devices, smart TVs, and game consoles that cannot run security software. This is the biggest advantage over device-level filtering.
It stops threats before they reach your browser. Malware domains, phishing sites, and cryptocurrency mining scripts all rely on DNS lookups to connect to their command-and-control servers. Blocking those domains at the DNS level breaks the attack chain before any code executes on your device.
DNS filtering also improves browsing performance. Ad-blocking DNS filters block tracking domains and ad servers. Pages load faster because your browser is not downloading ads, tracking scripts, and analytics beacons. On a typical news website, ads account for 50-70% of the page weight. Blocking them at the DNS level saves bandwidth and speeds up page loads.
For parents, DNS filtering provides content control without invasive monitoring. You can block adult content, gambling sites, and social media platforms without installing spyware on your children's devices. The filter works on any network they connect to at home.
Best DNS Filtering Providers Compared
Cloudflare Gateway
Cloudflare offers DNS filtering through its Gateway product. It blocks malware, phishing, and adult content categories. You get full analytics showing what domains were blocked and how many queries each device made. Cloudflare Gateway requires a free Cloudflare account to configure the filtering policies. The DNS servers are the standard 1.1.1.2 (malware blocking) and 1.1.1.3 (malware + adult content).
Quad9
Quad9 (9.9.9.9) blocks known malicious domains including malware, phishing, and botnet command-and-control servers. It uses threat intelligence from multiple security companies including IBM X-Force, Abuse.ch, and Alexa. Quad9 is completely free and requires no account or configuration. It also performs DNSSEC validation on all queries. The downside is that you cannot customize the blocklist — Quad9 decides what is malicious.
NextDNS
NextDNS is the most customizable filtering option. You can choose from dozens of blocklist categories including ads, trackers, malware, phishing, adult content, social media, gaming, and piracy. You can create allowlists and denylists, configure blocking policies by time of day, and view detailed analytics per device. The free tier covers 300,000 queries per month, which is enough for a family.
AdGuard DNS
AdGuard DNS (94.140.14.14) is specialized for ad blocking. It maintains an extensive blocklist of advertising and tracking domains. The family protection version (94.140.14.15) also blocks adult content. AdGuard DNS is free and works out of the box without configuration.
OpenDNS Family Shield
OpenDNS Family Shield (208.67.222.123 and 208.67.220.123) blocks adult content automatically. It is maintained by Cisco and has one of the most comprehensive adult content blocklists. There is no configuration needed — just point your DNS to these addresses and adult content is blocked.
For a complete comparison of all major providers, see our DNS providers page.
How to Set Up DNS Filtering
Setting up DNS filtering is simple. You have three options depending on how much control you want.
Option 1: Change your router's DNS settings. Log into your router's admin panel, find the DNS configuration page, and enter the filtering provider's DNS addresses. This applies the filter to every device on your network. It is the most effective approach for home users.
Option 2: Change individual device settings. If you cannot change the router settings (for example, on a corporate network), configure DNS filtering on individual devices. Windows, Mac, Android, and iOS all allow custom DNS settings. This is more work but gives you per-device control.
Option 3: Use a local filtering solution. For advanced users, running Pi-hole or AdGuard Home on a Raspberry Pi gives you complete control over filtering. You can use custom blocklists, see detailed statistics, and fine-tune every aspect of the filter.
Whichever option you choose, test the filter afterwards. Try visiting a known malware test domain or an adult content site to confirm the block is working. Check our guide on DNS parental controls for more detailed setup instructions.
Limitations of DNS Filtering
DNS filtering is not a complete security solution. It only blocks domains that are on a blocklist. New malicious domains are created constantly, and there is always a delay between a domain going live and appearing on blocklists. This window of vulnerability is called the "zero-hour gap."
Some malware uses hardcoded IP addresses instead of domain names. Since there is no DNS lookup, DNS filtering does not catch those connections. Advanced malware can also use domain generation algorithms to create new domains faster than blocklists can track them.
DNS filtering can also cause false positives. Legitimate services sometimes get blocked because they share infrastructure with malicious domains. CDNs shared by good and bad sites are a common source of false blocks. Most filtering providers offer a way to report false positives and request unblocking.
For comprehensive protection, combine DNS filtering with a good antivirus, a firewall, and safe browsing habits. DNS filtering is a powerful layer, but it is not a replacement for other security measures.