How to secure guest WiFi with DNS filtering

DNS filtering is an important guest WiFi security measure, helping to block malicious websites, illegal activities, and explicit content.

Learning Objectives

After reading this article you will be able to:

  • Explain how DNS filtering helps keep guest WiFi networks secure
  • List the steps for implementing DNS filtering
  • Understand how to block DNS queries designed to circumvent filtering policies


Who needs secure guest WiFi?

Organizations in the hospitality, travel, healthcare, and food and beverage service industries are often expected to have WiFi available for their customers and clients. Private offices and public spaces may wish to offer WiFi networks for guests as well.

While guests and customers expect these networks to be fast, reliable, and safe, organizations offering guest WiFi need to ensure that they can enforce acceptable use policies and content filtering so they can minimize the risk from arbitrary devices connecting to their networks and browsing the Internet. Secure guest WiFi protects users too by ensuring they are not putting their devices and data at risk by connecting to the network.

Why use DNS filtering for guest WiFi security?

User devices loading untrusted domains can result in attacks and breaches that compromise the whole network. Attackers, once inside, can move laterally to get to critical internal infrastructure — breached routers can log traffic from guest devices, for example.

In addition, many organizations want to make sure they are not associated with illegal activities like pirating or with explicit content that might impact the experience of other guests. They may also see the ability to offer reliable and safe WiFi as a differentiator — airlines, for instance, may use secure and fast WiFi as a selling point for travelers.

Domain Name System (DNS) filtering is an effective first line of defense for preventing attacks and unwanted activities. DNS filtering works by preventing certain DNS queries from resolving — stopping websites from matching to IP addresses, which means client devices are unable to find those websites' host servers and connect. Think of phone books from the pre-Internet days: DNS filtering essentially takes the phone numbers and addresses of untrustworthy businesses out of the phone book so that they cannot be contacted.

How to secure guest WiFi with DNS filtering

  1. Select a DNS filtering service (offered by DNS resolvers)
  2. Point all routers to that DNS resolver
  3. Set DNS override policies to redirect blocked queries to safe landing pages
  4. Select categories of domains to block
  5. Use a firewall to block DNS queries to other resolvers
  6. Block nonapproved VPN usage
  7. Consider adoption of more complete network security

1. Select a DNS filtering service

DNS filtering is offered by DNS resolvers. Which DNS filtering service an organization should use depends on its use case. Some providers offer generic DNS filtering that blocks explicit content or unsafe websites. Whichever provider is chosen, the service should incorporate some form of threat intelligence to identify and block known or likely malicious domains (it may simply block all newly registered domains, since new domains are often used in attack campaigns).

Other use cases may require customization. For instance, some organizations may wish to use DNS filtering for access control for AI apps. Others may want to restrict content more thoroughly than offered by most providers.

Organizations with a wide footprint and many branch locations should consider working with a recursive DNS resolver with a global presence to ensure filtering policies can be enforced regardless of location.

2. Point routers or DHCP servers to that DNS filter's resolver

Update the DNS server setting on every guest network router (or on the DHCP server that hands DNS settings to guest devices) so that all DNS queries go to that resolver. In some IT configurations this is a manual, device-by-device process, and there may be some gaps.

3. Set DNS override policies

If guests attempt to reach a domain and it simply fails to load they may think there is something wrong with the network. To reduce complaints and IT tickets, set up policies to redirect blocked queries to safe landing pages, captive portals, specific pre-approved websites, or acceptable use policy pages. The latter can help remind users of the rules of the network to reduce the risk that they attempt to circumvent content and security policies in the future.

4. Select categories of domains to block

Block domains based on type of content or security risk level (including programmatically generated domains, known spam domains, or cryptomining domains, for example). See the list of categories available for DNS filtering from Cloudflare.

5. Enforce DNS filtering for guest WiFi by blocking DNS queries to other resolvers

This is done with firewall rules. Configure network firewalls to block outbound traffic on ports 53 and 853. Port 53 is the standard port for DNS queries; rather than dropping this traffic, reroute it to the preferred resolver using network address translation (NAT). Port 853 is the official port for DNS over TLS (DoT), an encrypted protocol for private DNS queries.

Even with these firewall rules, guest devices will still be able to send DNS queries to alternative resolvers over port 443. This is the port used by DNS over HTTPS (DoH), and it is the same port that normal HTTPS web traffic uses, so it cannot be blocked without blocking almost the entire Internet. Two possible approaches can help:

  1. Block traffic to known DoH provider IP addresses: This approach is difficult to sustain since there are so many addresses to block.
  2. Onboard a firewall or secure web gateway (SWG) that offers HTTPS inspection: HTTPS inspection enables the firewall or SWG to inspect the contents of encrypted network traffic.

6. Block nonapproved VPN usage on guest WiFi

Virtual private networks (VPNs) may provide a way around DNS filtering policies, since they encrypt traffic so that firewalls and SWGs cannot see its contents. This includes DNS queries.

Administrators can block nonapproved VPNs by blocking known VPN ports (500/4500 for IPsec VPNs, for instance) with firewall rules. They can also use a firewall with deep packet inspection to identify and block VPN traffic. Or, they can block outbound traffic to known VPN server IP addresses or domains, though again, this blocklisting approach is not likely to work indefinitely.

7. Consider the guest WiFi network's security as a whole

Even with all these steps taken, guests who are so inclined may be able to find a way around DNS filtering policies. For this reason, DNS filtering should be considered a first line of defense for protecting guests and internal infrastructure, not a complete solution. Many DNS filtering providers come with comprehensive network protection (layer 3 DDoS mitigation, zero trust security, etc.) bundled as well. Consider adopting a secure access service edge (SASE) platform to secure all locations through a cloud-delivered network.
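The following audit script, added here as an illustration rather than code from the original article or any vendor, turns the rules from steps 2, 5 and 6 into a check that can be run over guest-segment flow logs: it flags DNS on ports 53/853 sent anywhere but the approved resolver, HTTPS to known DoH endpoints, and IPsec VPN ports. The log format, the resolver address, the DoH endpoint list and the sample records are all constructed assumptions.

```python
from collections import namedtuple

# Constructed example values: assumptions, not any product's real configuration.
APPROVED_RESOLVER = "192.0.2.53"         # the filtering resolver all routers point to (step 2)
KNOWN_DOH_ENDPOINTS = {"198.51.100.10"}  # placeholder DoH provider address (step 5)
VPN_PORTS = {500, 4500}                  # IPsec IKE and NAT-T (step 6)
DNS_PORTS = {53: "plain DNS", 853: "DNS-over-TLS"}

Finding = namedtuple("Finding", "src dst port reason")

def parse_flow(line):
    """Parse a 'proto src dst dport' flow record (constructed format); None if malformed."""
    parts = line.split()
    if len(parts) != 4 or not parts[3].isdigit():
        return None
    proto, src, dst, dport = parts
    return proto.lower(), src, dst, int(dport)

def check_flow(proto, src, dst, dport):
    """Return why this flow bypasses the DNS filter, or None if it is acceptable."""
    if dport in DNS_PORTS and dst != APPROVED_RESOLVER:
        # Step 5: port 53 should be NAT-redirected to the resolver, 853 blocked outright.
        return f"{DNS_PORTS[dport]} to non-approved resolver {dst}"
    if dport == 443 and dst in KNOWN_DOH_ENDPOINTS:
        # Port 443 cannot be blocked wholesale; only known endpoints (or HTTPS inspection) can be caught.
        return "HTTPS to known DoH endpoint"
    if proto == "udp" and dport in VPN_PORTS:
        return "IPsec VPN port (nonapproved VPN)"
    return None

def audit(lines):
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue  # skip malformed records rather than crash
        reason = check_flow(*flow)
        if reason:
            findings.append(Finding(flow[1], flow[2], flow[3], reason))
    return findings

SAMPLE_LOG = [  # constructed sample, not captured traffic
    "udp 10.20.0.15 192.0.2.53 53",      # normal: approved resolver
    "udp 10.20.0.15 203.0.113.8 53",     # bypass: third-party resolver
    "tcp 10.20.0.22 203.0.113.8 853",    # bypass: DoT to third-party resolver
    "tcp 10.20.0.22 198.51.100.10 443",  # bypass: known DoH endpoint
    "tcp 10.20.0.22 203.0.113.80 443",   # normal: ordinary HTTPS
    "udp 10.20.0.31 203.0.113.99 4500",  # nonapproved VPN
    "not a flow record",                 # malformed, ignored
]
```

Findings on port 53 or 853 before the firewall rules are in place show which routers or DHCP scopes still hand out a different resolver (the gaps step 2 warns about); the same findings after deployment indicate a rule that is not matching.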

How to secure guest WiFi in all branches at once

For organizations with many branch locations, manually updating DNS settings can be a nightmare, and gaps are likely. Applying security policies is simpler and faster with a coffee shop networking partner, or when adopting a SASE model. Doing so allows the organizations to point all local networks to the SASE provider, who can consistently apply granular security and DNS policies. Learn more about secure branch/coffee shop networking.


FAQs

Why should organizations prioritize securing their guest WiFi networks?

Many industries provide WiFi to maintain a positive customer experience. However, these networks face risks from allowing unknown devices and non-authorized users to connect. Securing the network through DNS filtering protects the organization from being linked to illegal activities or explicit content while preventing attackers from using guest devices to access critical internal systems.

How does DNS filtering prevent users from reaching unsafe websites?

DNS filtering acts as a digital defense by stopping specific DNS queries for untrusted domains from resolving into IP addresses. If a device cannot match a domain name to an IP, it cannot connect to the host server.

What are the primary steps to implement DNS filtering for guests?

To start, an organization selects a filtering service from a DNS resolver and updates its router settings to point to that resolver. It then chooses which categories of domains to block and establishes override policies to redirect users to safe landing pages. Finally, it should use firewalls to prevent users from bypassing these rules via other resolvers or nonapproved VPNs.

What should an organization consider when choosing a DNS filtering provider?

The choice depends on the specific needs of the business, such as the desire to block generic explicit content or the need for advanced threat intelligence to stop newly registered malicious domains. Organizations with many locations should look for a recursive DNS resolver with a global presence to maintain consistent security everywhere.

How can network administrators prevent guests from bypassing filtering policies?

Administrators can configure network firewalls to redirect or block outbound traffic on ports 53 and 853, which are used for standard and encrypted DNS queries. Because some queries can still travel over port 443, they may also need to block known DoH provider IP addresses or use a secure web gateway (SWG) that performs HTTPS inspection.