← Back to Library
DNS Filtering & Policy Introductory 7 min read

How DNS Filtering Works

A conceptual explanation of how DNS filtering fits into the DNS resolution process, and what is actually happening when a domain is blocked.

Updated January 27, 2026

DNS filtering is often described as a way to block websites. That phrasing is convenient, but misleading. DNS filtering does not block network traffic or inspect content. It changes how DNS resolution behaves when a query matches a defined policy.

This article explains DNS filtering by placing it inside the normal DNS resolution process, then following the consequences of that decision far enough to explain what people experience as a “blocked domain”. DNS filtering is commonly used for both content policy enforcement and DNS security, but the underlying mechanism is the same in each case.

DNS resolution before filtering is applied

In a typical environment, an application asks the operating system to resolve a domain name. The OS stub resolver sends a DNS query to its configured recursive resolver.

The recursive resolver checks its cache. If a valid answer exists, it can return that answer immediately. If not, it performs recursive resolution by querying other DNS servers until it can construct a response.

At this stage, DNS is only answering a naming question. No IP connection has been attempted, and no application data has been exchanged.

Where DNS filtering fits into resolution

DNS filtering is not a separate protocol or a special operating mode. It is a set of policy checks applied by a recursive resolver or DNS forwarding component during resolution.

The policy decision usually occurs at one of two points:

  • Before the resolver attempts to resolve the name externally
  • Before a cached answer is returned to the client

In both cases, the input is the DNS query itself. The queried name, query type, and sometimes contextual information about the client are evaluated against a rule set.

If the query is allowed, resolution continues normally. If it is denied, the resolver deliberately changes the outcome of the lookup.

Conceptual DNS filtering decision point inside recursive resolution
Figure 1: DNS filtering as a policy decision inside the recursive resolver workflow

What “policy” means at the DNS layer

In DNS filtering, policy determines how specific DNS questions should be handled. The policy does not evaluate web content or application behavior. It evaluates domain names.

Common policy inputs include the queried domain or subdomain, pattern matching on labels, categorization or reputation metadata, and context such as network, user, or device identity.

For example, a policy might deny queries for any subdomain of malware-distribution.net, or deny queries for domains categorized as gambling by an external classification feed.

None of these concepts are defined by the DNS protocol itself. They exist entirely at the resolver or forwarding layer and vary by environment and implementation.

How a resolver enforces a deny decision

DNS does not define a standard way to say “this domain is blocked”. When a resolver denies a query based on policy, it must still return a response that fits DNS semantics.

Common approaches include:

  • Returning NXDOMAIN, indicating the name does not exist
  • Returning an error or no response
  • Returning an address that is not the original destination

Each choice has tradeoffs. NXDOMAIN can interfere with fallback behavior. Silent failure can resemble network problems. Returning an alternate address preserves resolution but changes where the client will attempt to connect.

RFC reference
The DNS protocol defines response codes such as NXDOMAIN and REFUSED, but does not define blocking semantics. Those decisions are applied by resolver policy, not by the protocol itself, as specified in RFC 1034 and RFC 1035.

Sinkholing as a DNS response pattern

When a resolver returns an address that intentionally leads somewhere other than the requested destination, this is commonly referred to as sinkholing.

From a DNS perspective, sinkholing is simply answer substitution, returning a different IP address than the authoritative server would have provided.

DNS itself has no concept of redirection or intent. It only returns records. What happens after that depends on how the client and applications use the result.

What happens after DNS returns an answer

Once a DNS response is returned, DNS is finished. The resolver does not participate in connection setup, encryption, or application behavior.

What users experience next depends on how applications interpret the DNS result:

  • An NXDOMAIN response may appear as “site not found”
  • A substituted address may lead to a reachable service
  • An error or timeout may look like a network failure

In some environments, substituted addresses lead to an informational web page explaining the policy decision. That page is delivered by a web service, not by DNS itself.

Case example
A user opens a browser and navigates to a domain categorized as gambling. The recursive resolver matches the query against policy, returns a sinkholed address, and the browser connects to that address instead of the original server. If the sinkhole serves a block page over HTTP, the user sees an explanation. If the original request was HTTPS, the browser may show a certificate error because the sinkhole server cannot present a valid certificate for the blocked domain.

Why HTTPS complicates blocked domains

Modern applications commonly use HTTPS, which introduces additional constraints. When a client connects to a substituted address, the server it reaches must still present a certificate that matches the original domain name.

If it does not, browsers may display certificate warnings or refuse the connection entirely. This behavior is a result of TLS validation, not DNS filtering.

Did you know?
A DNS filter can return any IP address it wants, but it cannot forge a TLS certificate. This is why blocked HTTPS sites often show certificate errors rather than block pages, unless a custom certificate is installed on the client.

Because of this, the same DNS policy decision can produce different visible outcomes depending on protocol, application, and client behavior.

What DNS filtering can and cannot influence

DNS filtering operates early in the connection lifecycle. It can influence whether a client learns an address for a name, or which address it learns.

It cannot inspect application content, modify traffic in transit, or enforce policy after a connection is established.

These limits are inherent to DNS and are explored more directly in later articles in this section.

Summary

DNS filtering works by applying policy decisions during normal DNS resolution. It evaluates domain name queries and deliberately alters DNS responses when policy requires it.

What people perceive as a “blocked domain” is the result of those DNS responses interacting with applications, encryption, and client behavior. Understanding where DNS stops and other layers begin is key to understanding both the power and the limits of DNS filtering.

Tags: dns filtering dns policy recursive resolvers
Previous Article Why Attackers Use DNS DNS Security & Abuse