DNS filtering versus web filtering: What's the difference?

Authors

Phill Powell

Staff Writer

IBM Think

Ian Smalley

Staff Editor

IBM Think

DNS filtering and web filtering block access to entire domains (websites) that might pose cyberthreats and other security dangers to systems and their users. The two approaches differ in timing and scope, with DNS filtering providing a faster, preventive solution while web filtering offers greater depth of analysis.

Both content filtering policies basically strive to achieve the same cybersecurity goal—to protect the user (and their system) from harmful content from malicious websites or other bad actors. Each form of access control is built differently to conduct related but separate functions.

DNS filtering is based on the domain name system (DNS) and geared toward intercepting potentially dangerous websites before they can be accessed. Web filtering implies richer, more fully developed security measures that not only detect malicious sites but also conduct analytical examinations of such sites and their methods. 

The bad, the worse and the useless

Before proceeding further, let’s take a moment to review exactly what types of web content are actively sought out for exclusion by both types of filtering.

The bad (inappropriate content)

In previous times, “inappropriate content” has meant “adult content,” which was traditionally used to reference content that was explicitly sexual. Recent trends have seen this umbrella term expand to cover a wider range of potentially offensive material, including sites that traffic in hate speech or violent ideology.

In addition, due in part to the explosion in cellphone camera use and the unprecedented rise of social media outlets, there’s now an online preponderance of user-captured video footage. This type of content includes all things noteworthy, some of it detailing graphic and illegal acts. All such content can be considered inappropriate, although this subjective term remains open to some interpretation.

The worse (harmful content)

Now we move on to more purely sinister content. It might or might not contain offensive imagery, but probably won’t, because it’s more effective for it to appear perfectly normal, like a proverbial Trojan horse. That way, users most likely don’t suspect it contains anything beyond regular content.

However, this misleading normalcy can conceal a wide range of cyberattacks, including the introduction of malware into a system to attempt to compromise network security. This type of threat takes on peak urgency when it involves the use of ransomware designed to hold users’ systems hostage until some form of payment is extorted. Harmful content can also hide phishing attacks that try to obtain confidential data.

The useless (unwanted content)

The third category of web content that requires filtering involves content that isn’t obscene or inflammatory, nor likely to harm an organization’s security. It’s simply unwanted, and it might be unwanted for any number of reasons.

While it’s true that the term “unwanted” also applies to inappropriate content and harmful content, here we’re really talking about sites that feature unproductive content. Social media sites and unmoderated chat rooms qualify in this categorization, as do sites that feature streaming video. And it includes specific websites that use redirects to lead the user to other websites, or sites bombarding the viewer with unending sequences of advertising messages. 

How DNS filtering operates

DNS filtering works by detecting potentially dangerous DNS requests before the requested domain name is resolved to an IP address. The sequence goes like this:

  1. A user initiates the process by requesting access to a certain website.
  2. To reach it, the user’s system issues a DNS request to convert the domain name (example: ibm.com) into an IP address.
  3. DNS filtering services enter the picture: a DNS filter checks the requested domain against a “blocklist” of potentially dangerous websites.
  4. If the requested domain is not on the blocklist, the request is honored and the system proceeds to access the website in question.
  5. Alternatively, if the requested domain is on the blocklist, DNS filtering blocks access to that site: the resolver never returns the site’s real IP address, so the connection cannot start.

It’s worth noting that when a domain gets blocked by DNS filtering solutions, that block pertains to all the webpages within that domain—and not just to certain potentially dangerous pages. From a security standpoint, DNS filtering helps prevent infiltration by phishing websites and malicious domains.
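As an added illustration (not IBM’s code or any vendor’s product), here is a minimal blocklist-based DNS filter in Python that models steps 2 to 5 above, including the whole-domain effect just described. The blocklist and the upstream answer table are constructed so the example runs offline.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed upstream "answers" standing in for real recursive resolution.
UPSTREAM = {
    "www.example.com": "93.184.216.34",
    "mail.example.com": "93.184.216.35",
    "news.example.org": "198.51.100.7",
}

# Constructed blocklist of domains the policy treats as dangerous.
BLOCKLIST = {"example.com", "ads.example.org"}

# Address handed back for blocked names instead of the real one (a sinkhole).
SINKHOLE = "0.0.0.0"


@dataclass
class Verdict:
    domain: str
    blocked: bool
    answer: Optional[str]   # resolved address, or the sinkhole when blocked
    matched: Optional[str]  # blocklist entry that caused the block, if any


def matching_block_entry(domain: str, blocklist: set) -> Optional[str]:
    """Return the blocklist entry covering `domain`, if any.

    A block on example.com covers every name beneath it (www.example.com,
    mail.example.com, ...), which is why a DNS block applies to the whole
    domain and not to individual pages. Matching is by label suffix, so
    notexample.com is NOT covered by a block on example.com.
    """
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def filtered_lookup(domain: str, blocklist=BLOCKLIST, upstream=UPSTREAM) -> Verdict:
    """Steps 3 to 5: consult the blocklist before the name is resolved."""
    hit = matching_block_entry(domain, blocklist)
    if hit is not None:
        # Blocked: the name is never resolved upstream and the client gets the
        # sinkhole address, so no connection to the real site ever starts.
        return Verdict(domain, True, SINKHOLE, hit)
    # Allowed: forward to the upstream resolver (constructed table here).
    return Verdict(domain, False, upstream.get(domain.lower().rstrip(".")), None)
```

Logging each `Verdict` with a non-empty `matched` field gives the detection signal most DNS filtering services expose: which client asked for which blocked domain, and when.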

How web filtering operates

The web filtering process works a bit differently from DNS filtering. It’s a more precise tool than DNS filtering and has greater analytical depth. However, it lacks the preemptive timing of DNS filtering, and that’s a key distinction between the two. Web filtering steps are comparatively simple:

  1. Web filters examine actual web traffic that is already on its way to the system’s browser and in the process of being loaded.
  2. Web filters allow the user to block specific URLs, portions of specific websites or even whole categories of websites.
  3. Network administrators use the granular control afforded by web filtering to customize access, from deciding when to block pages down to selecting which individual portions of a site can be loaded.

A key part of the web filtering process involves Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), the protocols that establish an encrypted link between a web server and a web browser. Because that encryption hides the full URL and page content, a web filter must be able to inspect SSL/TLS traffic in order to apply rules at the level of individual pages.
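For contrast, an added Python illustration (again not IBM’s or any vendor’s code) of the URL-level decisions a web filter makes once it can see the full request: one path on a site can be blocked while the rest of the site stays reachable, and whole categories can be blocked at once. The category feed and policy rules are constructed.

```python
from urllib.parse import urlsplit

# Constructed category map: hostname -> category label (what a vendor feed supplies).
CATEGORIES = {
    "video.example.net": "streaming",
    "chat.example.net": "social",
    "intranet.example.com": "business",
}

# Constructed policy: categories blocked outright, plus per-site path prefixes.
BLOCKED_CATEGORIES = {"streaming", "social"}
BLOCKED_PATHS = {
    "intranet.example.com": ["/games/", "/downloads/"],
}


def web_filter(url: str) -> tuple:
    """Return ("allow" | "block", reason) for one request URL.

    Runs after the browser has issued the request, so the path is available,
    not just the hostname a DNS filter sees. For https the path is only
    visible to a filter that inspects TLS; this example assumes it does.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "allow", "non-web scheme"
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    category = CATEGORIES.get(host, "uncategorized")
    if category in BLOCKED_CATEGORIES:
        return "block", "category " + category
    for prefix in BLOCKED_PATHS.get(host, []):
        if path.startswith(prefix):
            # Only this part of the site is blocked; other paths pass.
            return "block", "path " + prefix + " on " + host
    return "allow", "category " + category
```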

Similarities between DNS filtering and web filtering

Some striking commonalities exist between DNS filtering and web filtering:

  • Both web filtering methodology and DNS filtering solutions use firewalls, although in different ways. Web filtering employs next-generation firewalls (NGFWs) to evaluate web traffic at the application layer and block inappropriate or malicious sites. In contrast, DNS filtering uses a particular type of DNS firewall that works with other security measures operating at the DNS level.
  • In terms of antivirus protection, there is no single dominant product for DNS filtering. Instead, companies tend to opt for one of many specialized DNS filtering services, such as Cloudflare Gateway, Cisco Umbrella and Control D. Similarly, there is a profusion of antivirus and endpoint security solutions designed expressly for web filtering, like Microsoft Defender, Norton and McAfee.
  • Both DNS filtering and web filtering use a security solution called a Secure Web Gateway (SWG). In DNS filtering, the SWG functions as a protective layer. One commonly found feature of SWG is URL filtering, which allows administrators to examine and evaluate full web addresses. SWGs run comprehensive web filtering by closely checking all internet traffic and installing page blocks as necessary.
  • Virtual private networks (VPNs) work with web filtering systems by supplying an encrypted connection capable of bypassing the restrictions that govern local networks. DNS filtering typically works by preventing access to specific websites at the DNS level. Although VPNs usually bypass DNS filtering, numerous VPN providers offer their own DNS filtering schemes, which are built into those services.