Free Ebook cover Home Network Security: Securing Wi‑Fi, Routers, and Smart Devices

Home Network Security: Securing Wi‑Fi, Routers, and Smart Devices

New course

9 pages
All courses > Information Technology > Cyber Security ::

DNS Choices, Filtering, and Anti‑Phishing Protections

Capítulo 6

Estimated reading time: 15 minutes

+ Exercise

What DNS Does in Your Home Network (and Why Your Choice Matters)

DNS (Domain Name System) is the service that turns a human-friendly name like bank.example into an IP address like 203.0.113.10 so your devices can connect. Every time you open an app, load a website, or a smart device reaches its cloud service, DNS lookups happen in the background.

From a security perspective, DNS is a control point: if a device is tricked into resolving a malicious domain, it can be redirected to phishing pages, malware downloads, or command-and-control servers. From a privacy perspective, DNS queries reveal a lot about what devices are doing, even when the web traffic itself is encrypted (HTTPS). Your “DNS choice” is essentially deciding who answers those queries, what protections they apply, and how your queries are transported across the network.

In a typical home setup, devices ask the router for DNS settings via DHCP. The router then either forwards queries to an upstream resolver (often your ISP) or runs its own resolver/forwarder. You can change DNS at several layers: per-device, on the router for the whole network, or by running a local DNS filtering service.

Key terms you will see

  • Resolver: the DNS service that answers your device’s queries (ISP DNS, public DNS, or your own local resolver).
  • Recursive resolution: the resolver does the work of finding the final answer by querying authoritative DNS servers.
  • DNS filtering: blocking or redirecting certain domains (ads, trackers, malware, phishing) based on lists or categories.
  • DNSSEC validation: checking cryptographic signatures to reduce DNS spoofing risk for domains that support DNSSEC.
  • DoH/DoT: DNS over HTTPS / DNS over TLS, encrypted transports for DNS between a client and a resolver.

Threats DNS Can Help Mitigate (and What It Cannot)

What DNS protections can do

  • Block known malicious domains: If a device tries to reach a domain associated with phishing, malware, or scams, a filtering resolver can refuse to resolve it or return a safe “blocked” response.
  • Reduce exposure to typosquatting: Some services block newly registered domains or domains with suspicious patterns commonly used in phishing.
  • Provide visibility: DNS logs can show which device is attempting to contact suspicious domains, helping you identify compromised devices or risky apps.
  • Enforce family-safe categories: Optional content filtering can reduce accidental exposure to adult or harmful content.

What DNS protections cannot do

  • Stop attacks by IP address: If malware contacts an IP directly (no domain), DNS filtering won’t see it.
  • Inspect encrypted web content: DNS filtering can block a domain, but it cannot see what happens inside HTTPS traffic.
  • Prevent credential theft on lookalike domains you allow: If a phishing site uses a domain not yet on blocklists, DNS filtering may not catch it.
  • Fix unsafe behavior: DNS protections help, but users still need to verify URLs, avoid unsolicited links, and use strong authentication.

Choosing a DNS Strategy: ISP, Public Secure DNS, or Local Filtering

Option 1: ISP DNS

Many routers default to your ISP’s DNS. It often works reliably and may be geographically close, but security and privacy features vary widely. Some ISPs inject search pages for typos or provide limited filtering; others do no filtering at all. Logging and retention policies are typically not transparent.

Option 2: Public DNS resolvers with security features

Several public resolvers offer malware/phishing blocking, DNSSEC validation, and encrypted DNS (DoH/DoT). This is usually the easiest “upgrade” because you can set it on the router and cover most devices at once.

Continue in our app.

You can listen to the audiobook with the screen off, receive a free certificate for this course, and also have access to 5,000 other free online courses.

Or continue reading below...
Download App

Download the app

When evaluating a public resolver, compare:

  • Security filtering: malware/phishing, newly registered domains, command-and-control blocking.
  • Privacy policy: what is logged, how long, and whether data is used for advertising.
  • Encrypted DNS support: DoT/DoH endpoints for clients/routers that support them.
  • Reliability and latency: performance in your region.

Practical approach: pick one primary resolver and one secondary resolver from the same provider (or two providers if you accept policy differences). Mixing providers can create inconsistent filtering and troubleshooting complexity.

Option 3: Local DNS filtering (Pi-hole, AdGuard Home, or router-integrated filtering)

Running a local DNS filtering service gives you the most control: you can block ads and trackers, enforce categories, and see per-device query logs. Your local service can forward allowed queries to an upstream secure resolver.

This approach is especially useful when you want:

  • Network-wide ad/tracker reduction across phones, TVs, and smart devices (including apps that ignore browser ad blockers).
  • Per-device policies (for example, stricter filtering for kids’ tablets).
  • Incident response visibility (spot a device repeatedly querying suspicious domains).

Trade-off: you are adding a critical service to your network. If the DNS filter host goes down, name resolution may fail unless you plan redundancy or fallback.

Step-by-Step: Set Secure DNS on Your Router (Network-Wide)

The exact menus differ by router brand, but the workflow is consistent. You are aiming to set the DNS servers handed out by DHCP to your chosen resolvers (or to your local filtering server).

Step 1: Decide where DNS will be set

  • Preferred: set DNS on the router’s LAN/DHCP settings so all devices inherit it automatically.
  • Alternative: set DNS per device (useful for testing, or when you cannot change router DNS).

Step 2: Find the DNS settings area

Look for one of these sections:

  • Internet/WAN settings (sometimes labeled “Use these DNS servers”)
  • LAN/DHCP server settings (DNS server fields distributed to clients)
  • Advanced network settings

Some routers have two separate DNS concepts: the DNS the router itself uses (WAN) and the DNS it gives to clients (LAN/DHCP). For consistent behavior, set both if possible.

Step 3: Enter primary and secondary DNS

Enter the IPv4 addresses (and IPv6 if you use IPv6) for your chosen resolver. If you are using a local DNS filter, set the DNS server to the local filter’s IP address (for example, 192.168.1.2).

Step 4: Renew DHCP leases and test

After saving settings, devices may keep old DNS until they renew their DHCP lease. You can:

  • Toggle Wi‑Fi off/on on phones and laptops
  • Reboot a device
  • On Windows, run ipconfig /renew

Then test name resolution and filtering behavior.

Basic verification commands

On Windows (PowerShell):

nslookup example.com

On macOS/Linux:

dig example.com

Look at the “Server” line (nslookup) or “SERVER” line (dig) to confirm which DNS server answered.

Encrypted DNS in the Home: DoH vs DoT and Where to Enable It

Traditional DNS is unencrypted. Anyone on the path between your device and the resolver (for example, your ISP) can potentially observe or tamper with queries. Encrypted DNS reduces passive monitoring and makes tampering harder.

DoT (DNS over TLS)

DoT encrypts DNS using TLS, typically on port 853. It is straightforward for routers and dedicated DNS forwarders to implement. Some networks block port 853, but in home environments it usually works.

DoH (DNS over HTTPS)

DoH sends DNS queries over HTTPS (port 443). It blends with normal web traffic and is less likely to be blocked. Many browsers and operating systems support DoH directly.

Where to enable encrypted DNS

  • On the router: best when your router supports DoT/DoH upstream. Clients still use normal DNS to the router, but the router encrypts DNS to the resolver.
  • On each device: best when you cannot rely on router support, or you want per-device control. Downside: devices may bypass your local filtering if they use their own DoH.
  • On a local DNS filter: many local filters can forward upstream via DoT/DoH, combining filtering with encrypted upstream transport.

Important practical point: if you deploy a local DNS filter, you typically want clients to use the filter as their DNS server, and then configure the filter to use DoT/DoH to an upstream resolver. That gives you filtering plus encrypted DNS beyond your home network.

DNS Filtering Approaches: Blocklists, Categories, and Safe Search

Blocklists (domain-based)

Blocklists contain domains known for ads, tracking, malware, or phishing. When a device queries a blocked domain, the DNS filter returns a non-routable answer or a local “blocked” page (depending on the product).

Practical example: a smart TV app may contact multiple ad and analytics domains. Blocking those can reduce tracking and sometimes improve performance. However, some apps break if they rely on blocked domains for core functionality.

Category-based filtering

Some DNS providers offer categories (adult, gambling, social media, etc.). This can be easier than managing lists, but it is less transparent: you may not know exactly why a domain is blocked.

Safe Search enforcement

Some DNS filters can enforce Safe Search by rewriting DNS responses for search engines to their “safe” endpoints. This is not foolproof (users can use alternative search engines or VPNs), but it reduces accidental exposure on shared devices.

Allowlists and exception handling

Any filtering system needs a way to allow exceptions. A good workflow is:

  • Identify the blocked domain causing the issue (via logs)
  • Confirm it is truly required for the service you want
  • Add it to an allowlist for only the affected device group if possible

Example: if a video streaming device fails to load thumbnails, you might see blocked requests to a content delivery domain. Allowlist that domain for the streaming device group rather than for the entire network.

Step-by-Step: Deploy Local DNS Filtering (Practical Home Setup)

You can run a DNS filter on a small always-on device (mini PC, NAS, or single-board computer) or as a container/VM. The specific installation differs by platform, but the network steps are consistent.

Step 1: Choose the host and assign a stable IP

  • Pick a device that stays on 24/7.
  • Assign it a static IP or a DHCP reservation (recommended) so its address doesn’t change.

Example: reserve 192.168.1.2 for your DNS filter host.

Step 2: Install the DNS filtering software

Follow the vendor’s install guide for your platform. During setup you will typically choose:

  • Listening interface (your LAN)
  • Upstream DNS resolvers (choose secure resolvers, ideally with DoT/DoH support)
  • Default blocklists (start with a conservative set)

Step 3: Point your network to the filter

In your router’s DHCP/LAN settings, set the DNS server distributed to clients to the filter’s IP (for example, 192.168.1.2). Optionally set a secondary DNS server:

  • Security-focused option: leave secondary blank if your router allows it, so clients must use the filter.
  • Availability-focused option: set a secondary to a public resolver so the network still works if the filter is down, but note that this can bypass filtering when the primary is slow or unreachable.

Step 4: Enable logging thoughtfully

DNS logs are useful for troubleshooting and detecting suspicious behavior, but they are also sensitive. Configure:

  • Reasonable retention (for example, days not months, unless you need longer)
  • Access controls on the admin interface
  • Backups only if you understand what data is being stored

Step 5: Test with a controlled block

Add a harmless test domain to a local blocklist (or temporarily block a known ad domain) and confirm:

  • Clients receive the filter as DNS
  • The domain is blocked
  • Other browsing still works

Anti-Phishing Protections Using DNS: Practical Tactics

Use a resolver with dedicated phishing feeds

Not all “secure DNS” is equal. Some providers focus on malware, others include phishing and scam domains, and some add heuristics like blocking newly observed domains. For anti-phishing, prioritize resolvers that explicitly advertise phishing protection and update frequently.

Block newly registered domains (NRDs) where possible

Many phishing campaigns use domains registered within the last few hours or days. Some DNS security services can block NRDs or apply stricter scrutiny. This can reduce exposure, but it can also block legitimate new sites. If you enable NRD blocking, be prepared to allowlist legitimate domains when needed.

Use “typo protection” habits plus DNS checks

DNS filtering is strongest when combined with user habits:

  • Type important sites from bookmarks rather than from memory
  • Be suspicious of lookalike domains (for example, paypaI.example with a capital “I”)
  • Prefer password managers that auto-fill only on the correct domain

DNS can help by blocking known lookalike domains, but it cannot reliably detect every homograph trick. The combination of DNS filtering and password-manager domain matching is much more effective.

Use separate policies for “high-risk” devices and users

Consider stricter DNS filtering for:

  • Kids’ devices
  • Devices used for email and web browsing (common phishing entry points)
  • Devices that cannot run modern endpoint protections

With a local DNS filter, you can group clients and apply different blocklists. If your DNS provider supports profiles, you can apply different policies per device by setting DNS per device.

Preventing DNS Bypass: DoH in Browsers, Hardcoded DNS, and “Rogue” Resolvers

One common surprise is that some apps and devices try to bypass your network DNS settings. This can weaken filtering and reduce visibility.

Browser DoH can bypass local DNS filtering

Modern browsers may enable DoH automatically, sending DNS queries directly to a public resolver over HTTPS. If you rely on local DNS filtering, this can bypass it.

Practical handling:

  • Check browser settings for “Secure DNS” or “DNS over HTTPS” and set it to use your chosen provider or disable it so the browser uses the system resolver (which should be your local filter).
  • If you manage family devices, set browser policies where possible (some browsers support administrative policies).

Some IoT devices use hardcoded DNS

Certain smart devices ignore DHCP DNS and query public resolvers directly. A network-level mitigation is to block outbound DNS to the internet and force DNS through your resolver.

Step-by-step: Force DNS through your chosen resolver (advanced)

This is done with firewall rules on the router or a dedicated firewall. The goal is:

  • Block outbound DNS (UDP/TCP port 53) from LAN clients to anywhere except your DNS server
  • Optionally redirect all outbound DNS to your DNS server (NAT redirect)

Generic rule logic (conceptual):

# Allow clients to query your DNS filter only (replace with your DNS server IP)  ALLOW LAN -> 192.168.1.2 TCP/UDP 53  # Block all other DNS from LAN to the internet  BLOCK LAN -> ANY TCP/UDP 53

Notes:

  • DoH uses port 443, so blocking port 53 does not stop DoH. Handling DoH at the network level is harder and can cause collateral damage because it looks like normal HTTPS.
  • Some DNS filters support detecting known DoH endpoints by domain and blocking them, but this can be an ongoing maintenance task.

DNSSEC, Spoofing Resistance, and Realistic Expectations

DNSSEC adds signatures to DNS records so a validating resolver can detect tampering. If a domain is properly signed and your resolver validates DNSSEC, it becomes much harder for an attacker to spoof DNS answers for that domain.

Practical guidance:

  • Prefer resolvers that perform DNSSEC validation by default.
  • Understand that DNSSEC coverage is not universal; many domains are unsigned.
  • DNSSEC does not encrypt DNS; it only helps ensure authenticity of answers.

Operational Tips: Troubleshooting Breakage Without Disabling Security

Use logs to identify what is blocked

When something breaks (an app won’t load, a device won’t update), avoid the habit of turning off filtering entirely. Instead:

  • Open your DNS filter’s query log
  • Filter by the device’s IP or name
  • Look for blocked queries at the time of the problem

Temporarily allow, then make a narrow exception

Many DNS filters let you temporarily allow a domain for a short time. Use that to confirm causality, then create a narrow allowlist entry if needed.

Watch for “CNAME cloaking” and CDN domains

Some trackers hide behind first-party subdomains using CNAME records. Better DNS filters can detect and block these, but it can also cause unexpected breakage on certain sites. If a site’s login or embedded content fails, check whether a CNAME-related block is involved and allowlist carefully.

Handle captive portals and public Wi‑Fi edge cases

If you take a device to a hotel or café, strict DNS settings can sometimes interfere with captive portals. A practical approach is to keep a quick toggle on your device for DNS settings (or a profile) so you can temporarily revert to automatic DNS when needed, then restore secure DNS at home.

Measuring Effectiveness: What to Look For After You Change DNS

Security signals

  • Blocked phishing/malware domains in logs (especially from email clients or messaging apps)
  • Repeated suspicious queries from a single device (could indicate adware or compromise)
  • Fewer successful connections to known bad infrastructure

Privacy and noise reduction signals

  • Lower volume of ad/tracker domains from smart TVs and mobile apps
  • Faster page loads on content-heavy sites (varies)

Stability signals

  • No frequent “DNS_PROBE_FINISHED_NXDOMAIN” type errors
  • Streaming and smart devices remain functional after allowlisting necessary domains

Practical Configuration Examples (Common Patterns)

Pattern A: Simple secure DNS (no local server)

  • Set router DNS to a security-focused public resolver
  • Enable encrypted DNS on the router if supported (DoT/DoH upstream)
  • Optionally enable family filtering profile if needed

Pattern B: Local DNS filtering + encrypted upstream

  • Run a local DNS filter at 192.168.1.2
  • Set router DHCP DNS to 192.168.1.2
  • Configure the filter’s upstream to use DoT/DoH to a trusted resolver
  • Add conservative blocklists first, then expand
  • Create device groups (kids, TVs, work devices) with different policies

Pattern C: High-control setup (advanced)

  • Local DNS filtering as above
  • Firewall rules to prevent direct outbound DNS (port 53) except to the filter
  • Browser configuration to prevent DoH bypass on managed devices
  • Monitoring alerts for spikes in blocked domains or unusual query patterns

Now answer the exercise about the content:

In a home network using a local DNS filtering service, which setup best preserves network-wide filtering while still encrypting DNS traffic beyond the home network?

You are right! Congratulations, now go to the next page

You missed! Try again.

Clients should query the local filter so policies and logs apply network-wide. Then the filter can use DoT/DoH to a trusted upstream resolver, keeping DNS encrypted outside the home.

Next chapter

IoT Risk Reduction and Network Segmentation Concepts

Arrow Right Icon
Learn Cyber Security

LearnCyber Security

Discover free online courses in Cyber Security, from fundamentals to advanced topics. Gain skills with free certifications in IT Security, Pen Testing, and more today!

 Learn Information Technology

LearnInformation Technology

Our IT free online courses offer top-notch training in the latest technologies and tools, including programming languages, web development, cybersecurity, and more.
Download the app to earn free Certification and listen to the courses in the background, even with the screen off.
QR Code - Baixar Cursa - Cursos Online

Download our app via QR Code or the links below:.

Get it on Google Play Get it on App Store