Block threats at the
network's front door
DNS filtering intercepts malicious requests before a connection is even made — protecting every device on your network without installing software on each machine. W3IT deploys, configures and manages it for you.
We run secure DNS on our own infrastructure. Every configuration option we recommend has been validated on live systems — not just tested in a lab. We know exactly what the logs look like and what to watch for.
Most threats start with a DNS lookup
Every time a browser loads a page, an email client checks for messages, or malware phones home — it starts with a DNS query. That single chokepoint is your most efficient place to block threats.
- Phishing sites load instantly A convincing fake login page takes seconds to visit. DNS filtering blocks the domain before the page even begins to load.
- Malware needs DNS to function Command-and-control (C2) servers, ransomware check-ins and data exfiltration all rely on DNS. Cutting DNS access silences them.
- No visibility without logs Most SMEs have no record of what sites their devices are visiting. DNS logs reveal compromised machines, shadow IT and policy violations.
- Antivirus alone isn't enough Signature-based antivirus misses novel threats. DNS filtering based on threat intelligence blocks brand-new domains before signatures exist.
Five layers of DNS protection
Each layer adds a category of threat that the previous one doesn't cover.
Threat Intelligence Feeds
Domains associated with known malware distribution, phishing campaigns and botnet command-and-control are blocked using continuously updated threat intelligence feeds from multiple vendors. New domains are typically blocked within minutes of being listed.
Newly Registered Domain Blocking
Over 70% of malicious domains are used within 48 hours of registration, before threat intelligence picks them up. We optionally block or flag all domains registered in the last 30 days — a lightweight rule that catches a disproportionate number of attacks.
Category-Based Filtering
Block entire categories of sites — gambling, adult content, personal file sharing — based on your acceptable use policy. Useful for compliance requirements and for reducing the risk of shadow IT bypassing your data controls.
DNS-over-HTTPS (DoH) Enforcement
Standard DNS queries travel in plaintext, exposing browsing activity to anyone on the same network. DNS-over-HTTPS encrypts every query, preventing eavesdropping on public Wi-Fi and protecting sensitive research or client lookups.
Query Logging & Alerting
Every DNS query is logged. You get a dashboard showing blocked domains, query volume by device and alerts when a machine queries a high-risk domain — even one that wasn't blocked. This visibility is invaluable during incident response.
Threat categories covered
Phishing
Fake login pages, credential harvesting sites and business email compromise infrastructure.
Ransomware
Ransomware distribution sites, encryption key exchange servers and ransom payment portals.
Botnet C2
Command-and-control infrastructure used by malware to receive instructions and exfiltrate data.
Spam Infrastructure
Domains used to send bulk spam, promote scams or host spam-related landing pages.
Cryptomining
Browser-based and installed cryptomining scripts that steal CPU resources from your devices.
Adware & Trackers
Aggressive ad networks and tracking infrastructure that slow browsers and violate staff privacy.
What we commit to
No Browsing Slowdown
Properly configured DNS filtering adds under 1ms to page load times. We optimise resolver placement so there is no noticeable impact on speed.
No Legitimate Sites Blocked
We tune allowlists for your business before going live. If a legitimate site is ever incorrectly blocked, we unblock it within the hour.
Covers All Devices
DNS filtering applies to every device on your network — including BYOD, IoT devices and smart TVs — without any per-device configuration.
Always Up to Date
Threat intelligence is updated continuously. You don't need to manage updates — new malicious domains are blocked as soon as they're identified.
Start protecting your network at the DNS layer
Most deployments are complete within a single working day. Get in touch to discuss your network size and configuration requirements.