Since the Internet's inception, DNS has quietly resolved names to IP addresses while security teams focused on firewalls, intrusion prevention, and endpoint protection. DNS just worked, so nobody worried about it. Threat actors noticed. They began exploiting DNS as a command-and-control channel, a data exfiltration path, and a delivery mechanism for phishing campaigns. The problem intensified as network perimeters dissolved. With users now connecting from airports, hotels, and home offices, DNS has transformed from overlooked infrastructure into a primary attack vector.
To understand how protective DNS is evolving, The Tolly Group recently spoke with Mikey Pruitt, Global Partner Evangelist at DNSFilter. Pruitt's role centers on helping managed service providers (MSPs) and value-added resellers deploy cloud-based protective DNS effectively. The conversation revealed how DNS has transformed from infrastructure utility to security cornerstone, and what organizations need to protect users wherever they connect.
The Disappearing Perimeter Problem
The shift to remote and hybrid work has fundamentally altered how networks operate. "Essentially, the perimeter of the office no longer exists," Pruitt explains. "DNS being the connective tissue of all communication has, I wouldn't say it's necessarily changed in five years, but it's being used more aggressively and with less oversight."
This creates a deceptive sense of security. Users connecting from any location will find a DHCP server and DNS resolver available, whether at home, a hotel, or an airport Starbucks. The question isn't whether connectivity exists, but whether that connectivity is secure.
The answer lies in understanding how adversaries have adapted. "The level and sophistication of attacks using the DNS system are growing and expanding," Pruitt notes. These attacks come in two distinct forms: manipulating the DNS system itself, and exploiting DNS as a delivery mechanism for phishing campaigns and malware distribution.
Built for a Borderless World
DNSFilter's architecture reflects a fundamental recognition that traditional perimeter-based security no longer applies. "DNSFilter was really built from day one as a roaming system," Pruitt explains. "We recognized early that people were going to be in this out-of-the-office world because we were out of the office."
The platform operates a global Anycast network spanning 250 cities with two redundant networks providing automatic failover. This geography-aware architecture ensures users connect to the nearest resolution data center regardless of location, delivering fast query resolution speeds while maintaining consistent security policies.
The system adds a critical security layer on top of standard DNS resolution through AI-driven threat categorization. Every domain query passes through analysis that can block or allow access based on configurable security policies. This approach transforms DNS from passive infrastructure into an active security control point.
The platform's threat intelligence capabilities extend beyond reactive blocking. DNSFilter's research team actively tracks emerging threats like Tycoon 2FA, a sophisticated phishing-as-a-service platform that uses ephemeral subdomains to bypass traditional security. By analyzing patterns across thousands of malicious domains, DNSFilter can identify and block entire threat campaigns before individual organizations become targets. This proactive intelligence means customers benefit from collective defense, where domains get classified and blocked across the entire network based on threat patterns detected anywhere in the system.
Protection That Travels With Users
Protective DNS represents more than blocking malicious domains. "DNS is not just an opportunity to resolve domains. It's more of an opportunity to protect your users, essentially, from themselves," Pruitt explains. The platform addresses multiple threat vectors simultaneously.
Phishing attacks that attempt to lure users to credential-harvesting sites get blocked at the DNS layer before browsers can render malicious pages. Malware already present on devices cannot reach command-and-control servers to receive instructions or exfiltrate stolen data. Insider threats attempting to transmit sensitive information through unauthorized channels face DNS-level restrictions.
When DNS Logs Fill the Gap
Pruitt shared a recent customer incident that illustrates the value of DNS-layer visibility. An MSP received a late-evening alert from a client's SOC flagged as "benign." The client's endpoint detection and mail security logs showed nothing suspicious.
The MSP checked DNSFilter's query logs anyway, filtering to a two-minute window around the alert. Three domains stood out: a Greek banking site, a two-day-old Cloudflare Pages subdomain, and recaptcha-manual.shop, already flagged as malware by DNSFilter.
The attack sequence became clear. An analyst had visited the banking site during legitimate research. A malicious ad presented a fake CAPTCHA that instructed her to paste and execute a PowerShell command. That script would have downloaded Lumma Stealer malware designed to harvest credentials and 2FA tokens.
DNSFilter blocked the payload domain before the malware arrived. Total investigation time: under 30 minutes.
"When security works really well, that's when it never happens," Pruitt notes. The client avoided a breach, but only the DNS logs revealed how close they came.
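The log triage described in this incident can be sketched as follows. This is an added example, not DNSFilter's code or export format: the column layout, the hostnames under `.example`, the client names, and all timestamps and first-seen dates are constructed for illustration, and `triage` is a hypothetical helper.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample log (not real data). Assumed columns: query time (UTC),
# client, queried name, resolver category, action, date the domain was first seen.
SAMPLE_LOG = """\
time,client,qname,category,action,first_seen
2025-01-10T21:40:05Z,ws-114,updates.vendor.example,software,allowed,2016-03-02
2025-01-10T21:46:31Z,ws-114,bank.example,finance,allowed,2009-06-15
2025-01-10T21:46:48Z,ws-114,landing.pages.example,uncategorized,allowed,2025-01-08
2025-01-10T21:47:02Z,ws-114,recaptcha-manual.shop,malware,blocked,2024-12-01
2025-01-10T21:47:10Z,ws-220,mail.vendor.example,email,allowed,2012-11-20
2025-01-10T21:55:12Z,ws-114,news.example,news,allowed,2011-01-01
"""

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def triage(log_text, alert_time, client, half_window=timedelta(seconds=60), young_days=7):
    """Return (qname, reasons) for each query by `client` near the alert, in time order."""
    alert = parse_ts(alert_time)
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        when = parse_ts(row["time"])
        # Keep only the alerting host's queries inside the two-minute window.
        if row["client"] != client or abs(when - alert) > half_window:
            continue
        reasons = []
        if row["action"] == "blocked":
            reasons.append("blocked:" + row["category"])
        # Newly registered or newly observed domains deserve a second look.
        first_seen = datetime.strptime(row["first_seen"], "%Y-%m-%d").date()
        age = (when.date() - first_seen).days
        if age <= young_days:
            reasons.append(f"young-domain:{age}d")
        # Unflagged names are kept too: they give the sequence its context.
        findings.append((row["qname"], reasons))
    return findings

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG, "2025-01-10T21:47:00Z", "ws-114"):
        print(f"{name:28} {', '.join(reasons) or 'no flags (context only)'}")
```

Returning the unflagged queries alongside the flagged ones matters here: the legitimate site visited just before the young domain and the blocked domain is what lets an investigator reconstruct the order of events.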
Performance Without the VPN Penalty
Organizations evaluating protective DNS often question whether the security layer introduces latency. The architecture sidesteps traditional VPN performance concerns through a fundamental design difference.
"We're not really a VPN tunnel," Pruitt clarifies. "You're using a DNS resolver right now, like we all are. The question is, which one do you use?" Rather than creating encrypted tunnels that can introduce overhead, DNSFilter functions as the DNS resolver itself, positioned to intercept and analyze queries without adding intermediary hops.
The global Anycast infrastructure delivers resolution speeds that match or exceed major public cloud providers. Recent widespread internet outages affecting certain cloud platforms left DNSFilter's network unaffected due to deliberate architectural choices. "We spread our infrastructure across many, many providers to avoid things like that, single points of failure," Pruitt explains.
This resilience increasingly matters as organizations depend on consistent connectivity regardless of broader internet disruptions. When one provider experiences issues, the Anycast network automatically routes queries to the nearest functioning node, maintaining service continuity.
Expanding Beyond DNS Filtering
DNSFilter's roadmap reflects broader industry recognition that network security requires integrated capabilities rather than point solutions. "We're going to a point where we're more of a suite of network security versus just protecting DNS," Pruitt explains.
Two major capabilities will launch before year-end. DNS precheck addresses a persistent challenge with 5G networks and captive portals found in hotels, airports, and aircraft. These networks often strip information from DNS queries, creating conflicts with security policies that require user identification and policy application.
Acquired through the Zorus purchase in April of 2025, DNS precheck negotiates domain classification before DNS resolution occurs. This allows protective policies to function even when queries traverse hotel captive portals or mobile carrier infrastructure. "There's always this trade-off between security and convenience," Pruitt acknowledges. "Sometimes you have to give a little bit if you've got people traveling extensively."
CyberSight, another acquisition-driven capability, brings comprehensive visibility into user behavior and application usage. The feature provides security teams with full URL visibility and chronological event timelines that show precisely when users took specific actions. This granular context accelerates incident response by enabling deeper diagnostics that go beyond domain-level blocking. When investigating security events, teams can trace complete user activity patterns across applications, making it faster to identify whether threats exploited legitimate domains through compromised credentials or insider actions.
Looking further ahead, DNSFilter plans to integrate VPN technology acquired years ago. While not currently deployed in the platform, customer demand for enhanced privacy continues growing. "Privacy and security are really hand in hand," Pruitt notes. The VPN integration would encrypt all user traffic, protecting data from interception as it traverses untrusted networks.
What Protective DNS Actually Delivers
The distributed workforce reality means security needs to follow users rather than defend fixed perimeters. DNS-layer protection treats every query as a policy enforcement point, blocking threats before they reach endpoints regardless of network location.
For MSPs, this creates a service offering that doesn't require per-endpoint configuration or constant rule updates. For enterprises, it provides policy consistency without forcing remote traffic through VPN concentrators. Whether users connect from corporate offices or airport WiFi, the same protections apply.
Protective DNS works alongside endpoint detection, not in place of it. The FixFinder case study demonstrates this: DNS blocking stopped the payload, but the endpoint alert triggered the investigation. Organizations need both layers working together.
As threat actors continue adapting their tactics and remote work becomes standard, DNS represents one of the few security control points that works consistently across any network environment. Organizations already evaluating protective DNS solutions should consider how quickly they can deploy policies that follow users rather than waiting for perimeter-based security to catch up with distributed work patterns.
Key Takeaways
DNS has evolved from background infrastructure to primary attack vector as threat sophistication increases
Traditional network perimeters no longer exist, requiring security that travels with distributed users
Global Anycast network spanning 250 cities delivers consistent security policies with minimal latency impact
Protective DNS blocks phishing, malware command-and-control, and data exfiltration at the resolution layer
Upcoming capabilities address 5G networks, captive portals, user behavior analytics, and VPN integration
MSPs and enterprises both benefit from DNS-layer security that scales across diverse deployment scenarios
Learn More
Visit dnsfilter.com for case studies, technical documentation, and detailed product information. Connect with Mikey Pruitt on LinkedIn (https://www.linkedin.com/in/roadtoCISO/) for deeper discussions about protective DNS strategies for distributed workforces.
