CIS Control 9.2: DNS Filtering Services
DNS filtering is your first line of defense against malware and phishing attacks. By blocking access to known malicious domains at the DNS level, you prevent users from reaching dangerous sites before any damage occurs. This control is essential for reducing infection risk across your entire enterprise.
What this means
DNS filtering services intercept domain name resolution requests and block known malicious domains before they load. Instead of allowing users to connect to dangerous sites, the DNS filter returns a block page or null response. This applies to all enterprise assets—workstations, servers, mobile devices, and IoT endpoints—ensuring consistent protection across your network infrastructure.
How to comply
- 1.Deploy DNS filtering at your network gateway or use a cloud-based DNS filtering service accessible from all locations
- 2.Maintain an updated blocklist of known malicious domains from threat intelligence feeds
- 3.Configure filtering rules to block command-and-control (C2) domains, phishing sites, and malware distribution servers
- 4.Test filtering effectiveness by attempting to access known blocked domains
- 5.Log all DNS filtering events and review blocked requests regularly for security insights
- 6.Implement allow-list exceptions only for legitimate business requirements with documented approval
- 7.Ensure DNS filtering applies to all enterprise assets regardless of network connection method
Evidence auditors look for
- DNS filtering service configuration documentation showing blocklist sources and update frequency
- Network logs demonstrating blocked malicious domain access attempts with timestamps
- Blocklist integrity reports showing current malicious domain count and last update date
- Test results confirming filter blocks known malicious domains and known-good domains pass through
- DNS query logs showing enforcement across workstations, servers, and mobile devices
- Configuration screenshots of filtering rules for malware, phishing, and C2 domain categories
- Approval records for any allow-list exceptions with business justification
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates DNS filtering control audits by collecting and validating filter configurations, blocklist status, and blocked-request logs across all assets—eliminating manual evidence gathering for CIS Control 9.2 assessments.
See how GRCWatch handles this control automatically
Start free trial