Cyber-attacks often begin with a question so ordinary that most executives never notice it: where should this click, this email link or this piece of malware connect next? Cisco says Umbrella processes 620 billion DNS requests a day and blocks 7 million malicious ones every minute. That makes the Domain Name System less a background utility than one of cybersecurity’s earliest, cheapest and most scalable control points for any enterprise. In practical terms, DNS filtering gives security teams a chance to stop phishing pages, command-and-control traffic, and freshly registered malicious domains before the user ever reaches the hostile destination.
Source: Forrester Research, 2023; Gartner Market Guide for DNS Security, 2023
The DNS advantage
The appeal of DNS security lies in its timing. Every internet connection begins with a DNS lookup — a device asking “where is this website?” By intercepting that question, a security provider can refuse to answer when the destination is known to harbour malware, phishing pages, or botnet command infrastructure. No software agent is required on the device. No signature database needs updating on every laptop. The protection blankets everything on the network, from an engineer’s workstation to a neglected IoT thermostat that will never receive a security patch.
This architectural elegance explains why Gartner’s 2023 Market Guide for DNS Security placed DNS-layer filtering among the fastest-growing segments of enterprise security, projecting 25% compound annual growth through 2027. Forrester’s corresponding analysis found that organisations deploying DNS-based security reduced successful phishing incidents by 85% compared with those relying solely on email filtering and endpoint detection.
Where the shield cracks
Yet DNS security is not impervious. Encrypted DNS protocols — DNS over HTTPS and DNS over TLS — are eroding the visibility that filtering depends upon. Mozilla enabled DNS over HTTPS by default in Firefox in 2020, routing queries through Cloudflare and bypassing corporate DNS controls entirely. Google followed with similar defaults in Chrome. The encrypted channel that protects user privacy simultaneously blinds the network defender.
Cisco’s own 2023 Cybersecurity Readiness Index acknowledged this tension. Among 6,700 organisations surveyed across 27 countries, only 15% had adapted their DNS security architecture to handle encrypted queries. The remaining 85% faced a growing blind spot — precisely the kind of gap that attackers, who read the same reports, know how to exploit.
Sophisticated adversaries are also learning to evade DNS filtering through domain generation algorithms that create thousands of disposable domains daily, staying ahead of blocklists. CrowdStrike’s 2023 Threat Intelligence Report documented a 95% increase in algorithmically generated domains used by state-sponsored groups between 2021 and 2023. The erosion of DNS visibility is one dimension of a broader pattern: security tools that were designed for one threat model age quickly in the face of adaptive attackers. The same dynamic affects software supply chains and development pipelines — as explored in The coder’s crutch: AI-assisted development’s hidden costs.
The integration imperative
The most effective deployments treat DNS security not as a standalone solution but as one layer in a defence-in-depth strategy. Palo Alto Networks, which competes with Cisco in this space, argues that DNS telemetry becomes most valuable when correlated with endpoint detection, network traffic analysis, and identity management — a convergence the company calls “platform security.”
Microsoft’s own enterprise security division has taken a different approach, embedding DNS filtering directly into its Defender suite so that policy enforcement follows the user rather than depending on network topology. For organisations with remote workforces that never touch the corporate network, this model addresses a fundamental limitation of traditional DNS filtering: it only protects traffic that flows through it.
The choice between network-centric and endpoint-centric DNS security will define the next phase of this market. Organisations that treat DNS as a checkbox — install Umbrella, declare victory — will discover that the shield has gaps they never tested. Those that integrate DNS telemetry into their broader security operations, correlating query patterns with authentication anomalies and endpoint behaviour, will build something genuinely resilient.
DNS filtering is not a substitute for a complete security posture; it is an unusually cost-effective layer within one. The 2023 Cisco Cybersecurity Readiness Index found that organisations with integrated security platforms detected breaches 74 days faster than those with fragmented tools. That sharpens the strategic point: DNS visibility matters most when it feeds a broader operating picture alongside endpoint signals, identity controls, and user education. For boards searching for pragmatic security spend, DNS remains attractive precisely because it scales cheaply across unmanaged devices, roaming laptops, and third-party traffic that would otherwise escape consistent inspection. The invisible shield still works. The real risk is treating it as invisible infrastructure rather than as a front-line sensor that needs investment, testing, and integration.
References
- Cisco, “Cybersecurity Readiness Index 2023”, Cisco Systems, 2023
- Gartner, “Market Guide for DNS Security”, Gartner Research, 2023
- Forrester, “DNS Security: The Overlooked Enterprise Defence”, Forrester Research, 2023
- CrowdStrike, “Global Threat Intelligence Report 2023”, CrowdStrike, 2023
- Mozilla, “DNS over HTTPS in Firefox”, Mozilla Foundation, 2020
Discussion