Home/ Services/ DNS Filtering
SERVICE · DNS

Block the
lookup.
Skip the breach.

Protective DNS / DNS-layer filtering for UK SMBs

Protective DNS on every device, everywhere they go. Malware can't call home if it can't resolve the hostname. Phishing can't harvest credentials from a page that never loads.

Deploy DNS filter What's included
Cloudflare Gateway DNSFilter Roaming agent Anywhere, any network
01 / WHAT'S INCLUDED

Six categories
of lookup
we handle.

01

Malware & C2

Threat intel feeds block known-bad infrastructure — malware delivery, botnet control, cryptominers, info-stealers.

02

Phishing & newly-registered

Known phish domains blocked. Newly-registered and newly-observed domains quarantined by default — the first 24h is when phish runs hot.

03

Content categories

Adult, gambling, weapons, P2P, proxies, anonymisers. Set your policy, we enforce it with audit trail.

04

Cloud/shadow IT control

Block or allow specific SaaS apps (uncontrolled Dropbox, personal Gmail, AI tools). Data-exfil mitigation, visibility included.

05

Roaming enforcement

Agent on Windows and macOS. Protected at home, on hotspot, at the coffee shop — same policy as the office.

06

Log, hunt, report

Full DNS query log piped to the SOC. Used for threat hunting, compliance and post-incident investigation.

02 / HOW WE RUN IT

Scope. Deploy.
Tune. Watch.

  1. STEP 01

    Scope

    Short workshop: what categories to block, which SaaS to gate, who the exceptions are (execs, marketing). Policy documented.

    • Policy pack
    • Exception register
    • Roll-out plan
  2. STEP 02

    Deploy

    Agent pushed via MDM. Office DNS pointed at the filter. Roaming clients register automatically. Typical full deploy: one business day.

    • Intune / Addigy push
    • Office DNS
    • Roaming live
  3. STEP 03

    Tune

    First 2 weeks: unblock workflow triaged daily. By week 3, noise is ~zero. Self-service unblock portal live for users.

    • Self-service unblock
    • False-positive review
    • Category refinement
  4. STEP 04

    Watch

    Query logs feed the SOC. Suspicious patterns (DGA-like, C2 beacons, data-exfil) trigger investigation — not just blocked, investigated.

    • SOC feed
    • Monthly report
    • Threat hunts
03 / WHY IT MATTERS

The cheapest
control with
the biggest bite.

Every malware and phishing operation starts with a DNS lookup. Block the lookup and almost everything else gets easier: fewer EDR alerts, fewer user clicks to triage, fewer ransomware near-misses. For a few pounds per user per month, it's the single best-value security control we deploy.

  • Commodity threats stopped at the queryMost malware never makes it past the first DNS call.
  • Everywhere protectionHome, hotel, tethered. Doesn't matter — policy follows the device.
  • Shadow IT visibilityWhich SaaS apps are people actually using? Now you know.
  • Evidential logsEvery query archived. Priceless for incident response and audits.
QUERY · POLICY · VERDICT microsoft.com ALLOW slack.com ALLOW login.microsft-office.io BLOCK · PHISH hxxp-c2.evil.tld BLOCK · C2 dropbox.com GATE · SHADOW IT techzura.com ALLOW xj3k9s.newly-reg.top BLOCK · NRD LIVE QUERY STREAM · SIMPLIFIED
04 / FAQ

Questions
we hear a lot.

Isn't DNS filtering just an ad blocker?

No. Ad blockers run per-browser. Protective DNS runs at the network layer for every app, every connection. It blocks malware C2, phishing, and known-bad infrastructure before anything connects.

Does it work off-network?

Yes. Roaming agents on Windows and macOS route DNS to the filter anywhere — home, hotel, coffee shop, tethered. Same policy everywhere.

Will it block legitimate sites?

Occasionally, at first. We tune categories to your industry during onboarding, and users can request unblocks via a self-service page — approved/denied by your admins, not us.

What does it cost relative to the value?

DNS filtering is the highest-ROI security control we sell. A few pounds per user per month, blocks the overwhelming majority of commodity phishing and malware before it can do harm.

Which vendor do you use?

Cloudflare Gateway for most — great performance, excellent integrations. DNSFilter for clients needing deeper category control. We pick per fit.

Does it conflict with VPNs?

No, when configured correctly. We handle the co-existence with your VPN/SSE stack during deployment.

RELATED SERVICES

Often runs with.

01

Managed EDR

DNS catches the lookup; EDR catches anything that bypasses it. Defence in depth.

Read more 02

Email security

Email security rewrites the URL, DNS filtering blocks the query if it ever resolves.

Read more 03

Patch management

Close the known holes attackers exploit. Pairs with DNS for a clean preventive posture.

Read more
NEXT STEP

48-hour
passive audit.

Point your DNS at our collector for 48 hours. We'll show you every risky query, every shadow-IT app, every potential C2 your stack missed.

Book the audit hello@techzura.com
DEPLOY
< 1 hr
ROAMING
Yes
SOC
24/7