DNS filtering — SY0-701
DNS filtering blocks malicious or policy-violating domains at the DNS resolution layer — before any connection is made. Security+ SY0-701 concept reference.
WHAT IT IS
DNS filtering is a security control that intercepts DNS queries and blocks — or redirects — resolution of domain names that match a blocklist or policy rule. Because the Domain Name System is "the system by which Internet domain names and addresses are tracked and regulated" (NIST SP 1800-16B, citing RFC 1034), every outbound connection that uses a hostname must pass through a DNS resolver. DNS filtering places a policy enforcement point at that resolver step.
When a query matches a blocked domain, the resolver either returns a negative answer (typically NXDOMAIN, "no such name") or returns the address of a controlled sinkhole host instead of the legitimate one. The client never learns the real address: the connection attempt either fails outright or lands on the sinkhole, so no payload reaches the intended destination.
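The two response paths just described, as an added example (not part of the Security+ material or any vendor's product): a minimal filtering resolver that parses one DNS query in RFC 1035 wire format, matches the queried name against a blocklist on label boundaries, and builds either an NXDOMAIN response or a sinkhole A record. The blocklist, the sinkhole address 10.99.0.1, the transaction ID and all function names are assumptions constructed for the example; nothing is sent on the network.

```python
"""Core logic of a DNS filtering resolver, as an added example.

Parses one DNS query in wire format (RFC 1035), checks the queried name
against a policy blocklist, and builds the response a filtering resolver
would return: a negative answer (RCODE 3, NXDOMAIN) or a "sinkhole" A record
that points the client at a controlled host. The blocklist and sinkhole
address below are constructed for the example; nothing is sent on the wire.
"""
import struct

# Constructed policy: blocked apex domains. Subdomains inherit the block.
BLOCKLIST = {"malware-c2.example", "phish-login.example"}
SINKHOLE_IP = "10.99.0.1"  # assumption: an internal host that logs connection attempts

RCODE_NXDOMAIN = 3
FLAGS_RESPONSE = 0x8180  # QR=1 (response), RD=1, RA=1, RCODE=0


def encode_name(name: str) -> bytes:
    """Encode 'a.b.example' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Decode an uncompressed name at offset; return (name, offset after it)."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:
            raise ValueError("compression pointers are not expected in a question")
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a standard recursive query (what a stub resolver sends)."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_query(msg: bytes):
    """Return (txid, lowercased qname, qtype, qclass, end offset of the question)."""
    txid, _flags, qdcount, _, _, _ = struct.unpack("!6H", msg[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return txid, qname.lower(), qtype, qclass, off + 4


def is_blocked(qname: str) -> bool:
    """Match on label boundaries: 'x.malware-c2.example' is blocked,
    'notmalware-c2.example' is not (a plain substring test would get this wrong)."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))


def filter_query(query: bytes, mode: str = "nxdomain"):
    """Return (decision, response). decision is 'allow', 'nxdomain' or 'sinkhole';
    for 'allow' the response is None because the query would be forwarded upstream."""
    txid, qname, qtype, _qclass, qend = parse_query(query)
    if not is_blocked(qname):
        return "allow", None
    question = query[12:qend]  # echo the question section exactly as received
    if mode == "sinkhole" and qtype == 1:  # only A queries get a sinkhole address
        header = struct.pack("!6H", txid, FLAGS_RESPONSE, 1, 1, 0, 0)
        # Answer RR: NAME is a pointer (0xC00C) to the question name at offset 12,
        # TYPE A, CLASS IN, TTL 60, RDLENGTH 4, then the IPv4 address.
        rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
        rr += bytes(int(o) for o in SINKHOLE_IP.split("."))
        return "sinkhole", header + question + rr
    header = struct.pack("!6H", txid, FLAGS_RESPONSE | RCODE_NXDOMAIN, 1, 0, 0, 0)
    return "nxdomain", header + question


def parse_response(resp: bytes):
    """Return (rcode, [A-record addresses]) from a response built above."""
    _txid, flags, _qd, ancount, _, _ = struct.unpack("!6H", resp[:12])
    _name, off = decode_name(resp, 12)
    off += 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off += 2  # answer NAME is a 2-byte compression pointer here
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addrs


if __name__ == "__main__":
    for name, mode in (("login.phish-login.example", "nxdomain"),
                       ("c2.malware-c2.example", "sinkhole"),
                       ("www.example.com", "nxdomain")):
        decision, resp = filter_query(build_query(name), mode)
        print(name, "->", decision, parse_response(resp) if resp else "(forward upstream)")
```

The sinkhole mode is the more useful one operationally: the client connects to a host you control, so the attempt shows up in that host's logs with the client address, whereas an NXDOMAIN only leaves a trace in the resolver log. Note also that the match is done per label, not by substring, so a blocked apex domain covers all of its subdomains without catching unrelated names that merely contain the same string.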
Mental model
Think of DNS as a directory lookup that happens before any data moves. DNS filtering is a policy gate on that lookup — not on the traffic itself. If the name is not allowed to resolve, the "call" cannot be placed.
When to use it
DNS filtering and a network firewall both restrict which destinations clients can reach, but they enforce policy at different layers and with different granularity.
| Dimension | DNS filtering | Network firewall |
|---|---|---|
| Enforcement layer | DNS resolution (name lookup) | Network / transport (IP, port, packet) |
| What is inspected | Domain name in the DNS query | IP address, port, protocol, packet headers |
| Blocking mechanism | Refuses or redirects name resolution | Drops or rejects packets based on rules |
| Granularity | Per domain name or domain category | Per IP address, port, or protocol |
| Requires TLS (SSL) inspection? | No; the decision is made before any connection exists | Not for IP/port/protocol rules; TLS inspection is needed only to examine encrypted payloads |
| NIST grounding | NIST SP 1800-16B/D (DNS management); RFC 1034 | NIST SP 800-41 Rev. 1 ("controls the flow of network traffic between networks or hosts") |
DNS filtering is well suited to blocking access to known-malicious domains (command-and-control infrastructure, phishing sites) because the enforcement point, the resolver, sees every hostname lookup regardless of destination port or protocol. A firewall operating on IP addresses alone cannot act on a domain name that has not yet been resolved. The limitation is the mirror image: a client that connects directly to an IP address, or that sends its queries to a resolver the organization does not control, never consults the filtering resolver at all. In practice DNS filtering is therefore paired with firewall rules that permit outbound DNS (UDP/TCP 53, and DNS over TLS on 853) only to the approved resolver; DNS over HTTPS on port 443 cannot be separated from ordinary web traffic by port alone.
COMMON MISCONCEPTION
DNS filtering does not inspect or block the content of network traffic. It acts only on the name resolution step. Once a domain resolves successfully, DNS filtering has no further visibility into what the client sends or receives. A candidate who concludes that DNS filtering provides deep packet inspection or content scanning is applying the wrong mental model — that function belongs to controls operating at a different layer.
A related trap: because DNS filtering can block domains by category, candidates sometimes treat it as equivalent to a web content filter. The distinction is that a web content filter typically operates as a proxy — "a server that services the requests of its clients by forwarding those requests to other servers" (CNSSI 4009-2015) — and can inspect HTTP/HTTPS content after the connection is established. DNS filtering acts before the connection exists and has no visibility into page content.
Also worth noting: RFC 4033 explicitly states that DNS "will return the same answer to any given query regardless of who may have issued the query." DNS filtering overrides this behavior intentionally — it is a departure from standard DNS operation, not a built-in DNS security feature. DNSSEC, by contrast, "provides authentication by associating cryptographically generated digital signatures with DNS RRsets" (RFC 4033); it authenticates DNS data but does not filter destinations.
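The "no further visibility" point above has a practical consequence worth checking for: malware that resolves its command-and-control name through an unapproved resolver, or that falls back to a hard-coded IP address after its lookup is blocked, leaves no trace in the filtering resolver. The following added example (not from the exam material or any product) shows one common detection heuristic for that gap: join firewall connection records against the approved resolver's answer log and flag external destinations the resolver never handed to that client within a lookback window, plus DNS traffic sent to any resolver other than the approved one. Both log excerpts, the internal address ranges, the approved resolver address 10.0.0.53 and the five-minute window are constructed assumptions; real log formats vary by product.

```python
"""Finding connections that bypassed the filtering resolver, as an added example.

DNS filtering acts on the lookup only, so a client that connects to a
hard-coded IP address, or that sends its queries to a resolver the
organization does not control, never triggers it. This check joins firewall
connection records against the approved resolver's log and flags external
destinations the resolver never handed to that client within a lookback
window, plus DNS traffic to resolvers other than the approved one.

Both logs, the internal ranges and the approved resolver address are
constructed for the example; real log formats differ by product.
"""
import ipaddress
from datetime import datetime, timedelta

INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # assumption
APPROVED_RESOLVERS = {"10.0.0.53"}  # assumption: the filtering resolver's address
DNS_PORTS = {53, 853}  # plain DNS and DNS over TLS; DNS over HTTPS on 443 is not visible by port

# Constructed resolver log: answers handed out, and a lookup the filter blocked.
RESOLVER_LOG = """\
2024-05-01T09:00:01Z client=10.0.0.5 qname=www.example.com answer=192.0.2.10
2024-05-01T09:00:02Z client=10.0.0.5 qname=c2.malware-c2.example action=blocked
2024-05-01T09:00:03Z client=10.0.0.7 qname=updates.example.net answer=198.51.100.20
"""

# Constructed firewall log: one direct-to-IP connection and one external DNS-over-TLS session.
FIREWALL_LOG = """\
2024-05-01T09:00:02Z src=10.0.0.5 dst=192.0.2.10 dport=443 proto=tcp
2024-05-01T09:00:04Z src=10.0.0.5 dst=203.0.113.77 dport=443 proto=tcp
2024-05-01T09:00:05Z src=10.0.0.7 dst=198.51.100.20 dport=443 proto=tcp
2024-05-01T09:00:06Z src=10.0.0.7 dst=203.0.113.53 dport=853 proto=tcp
2024-05-01T09:00:07Z src=10.0.0.5 dst=10.0.0.9 dport=445 proto=tcp
"""


def parse_log(text: str):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
        rec.update(f.split("=", 1) for f in fields)
        records.append(rec)
    return records


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def index_answers(resolver_records):
    """Map (client, answered address) -> list of times the resolver returned it."""
    seen = {}
    for r in resolver_records:
        if "answer" in r:
            seen.setdefault((r["client"], r["answer"]), []).append(r["ts"])
    return seen


def find_bypasses(resolver_log: str, firewall_log: str, lookback=timedelta(minutes=5)):
    """Return (src, dst, dport, reason) for external connections the resolver never saw."""
    answers = index_answers(parse_log(resolver_log))
    findings = []
    for c in parse_log(firewall_log):
        src, dst, dport = c["src"], c["dst"], int(c["dport"])
        if is_internal(dst):
            continue  # the filter is about outbound destinations
        if dport in DNS_PORTS and dst not in APPROVED_RESOLVERS:
            findings.append((src, dst, dport, "unsanctioned_dns"))
            continue
        times = answers.get((src, dst), [])
        if not any(c["ts"] - lookback <= t <= c["ts"] for t in times):
            findings.append((src, dst, dport, "no_prior_dns"))
    return findings


def clients_with_blocked_lookups(resolver_log: str):
    """Clients whose lookups the filter blocked; a following no_prior_dns hit from the
    same client suggests malware falling back to a hard-coded address."""
    return sorted({r["client"] for r in parse_log(resolver_log) if r.get("action") == "blocked"})


if __name__ == "__main__":
    for finding in find_bypasses(RESOLVER_LOG, FIREWALL_LOG):
        print(*finding)
    print("clients with blocked lookups:", clients_with_blocked_lookups(RESOLVER_LOG))
```

In the constructed data, 10.0.0.5 has its lookup for c2.malware-c2.example blocked at 09:00:02 and then connects to 203.0.113.77 two seconds later with no resolver answer for that address, which is the pattern to escalate; 10.0.0.7 is flagged for talking DNS over TLS to an external resolver, which defeats the filter entirely. The heuristic is noisy on hosts with long cached answers or CDN address churn, so the lookback window and an allowlist of known direct-to-IP services are the knobs to tune.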
How it shows up on the exam
The cognitive target for DNS filtering questions in the Security Operations domain is distinguishing which control layer a given scenario requires. Candidates are expected to recognize that:
- When a scenario describes blocking access to domains (by name or category) before connections are made, DNS filtering is the appropriate control.
- When a scenario describes inspecting or blocking traffic content or payloads, DNS filtering is not the right answer — a proxy, content filter, or next-generation firewall with inspection capability is called for.
- When a scenario introduces DNSSEC, candidates should recognize it as a data-integrity and authentication mechanism for DNS records, not as a filtering or access-control mechanism.
Signal phrases that may indicate a DNS filtering context include references to blocking "known-bad domains," preventing resolution of command-and-control hostnames, or redirecting queries for policy-violating sites. The misconception the exam exploits is conflating the name-resolution layer with the traffic-inspection layer — understanding that DNS filtering acts entirely before a TCP/IP connection is established is the key discriminator.
Related concepts
- Firewall rules
- Web filtering
- Email security
Sources
Every claim on this page traces to the public exam blueprint and official documentation: