Understanding the Domain Name System
Before we can understand DNS filtering, we need to understand DNS itself. The Domain Name System is often called the "phone book of the internet." When you type example.com into your browser, your device does not actually know how to reach that website. It needs to look up the IP address associated with that domain name, just like you would look up a phone number in a directory.
This lookup process happens every time you visit a website, load an image, or make any network request. Your device sends a DNS query to a DNS server asking, "What is the IP address for this domain?" The server responds with the answer, and your device can then connect to the correct server.
How DNS Filtering Works
DNS filtering takes advantage of this lookup process to block unwanted content. A DNS filtering server maintains a list of domains known to serve ads, track users, or distribute malware. When a DNS query comes in for one of these domains, the server refuses to resolve it, returning either an empty response or a special "blocked" response.
The Filtering Process Step by Step
- Your device wants to load a webpage, which includes an ad from `ads.tracker-network.com`
- Your device sends a DNS query for `ads.tracker-network.com` to the DNS filtering server
- The server checks its blocklist and finds a match
- Instead of returning the real IP address, the server returns `0.0.0.0` or `NXDOMAIN` (domain does not exist)
- Your device cannot connect to the ad server, so the ad never loads
- Meanwhile, legitimate domains like `example.com` are resolved normally
DNS Filtering vs. Browser-Based Ad Blocking
DNS filtering and browser-based ad blocking are complementary technologies that work at different layers of the network stack. Understanding their differences helps you choose the right combination for your needs.
| Aspect | DNS Filtering | Browser Ad Blocker |
|---|---|---|
| Scope | All devices and applications | Single browser only |
| Granularity | Domain-level only | URL-level and element-level |
| Resource usage | Minimal (no client software) | Uses browser memory/CPU |
| HTTPS inspection | Not needed | Often required |
| Cosmetic filtering | Not possible | Yes (hides page elements) |
| Same-domain ads | Cannot block | Can block |
| Setup complexity | Change DNS settings | Install extension |
The Limitations of DNS Filtering
DNS filtering has one fundamental limitation: it operates at the domain level only. If ads are served from the same domain as legitimate content (for example, youtube.com serving both videos and ads from the same domain), DNS filtering cannot distinguish between the two. A browser-based ad blocker can examine individual URLs and page elements to make more precise blocking decisions.
Additionally, DNS filtering cannot perform cosmetic filtering. Even when an ad is blocked at the DNS level, the webpage may still show an empty space or a broken image placeholder where the ad would have appeared. Browser-based ad blockers can remove these visual artifacts using CSS rules.
Types of DNS Filtering Solutions
There are several ways to implement DNS filtering, each with its own advantages:
Public DNS Services
Services like AdGuard DNS, NextDNS, and Quad9 offer DNS filtering as a cloud service. You simply point your device or router to their DNS servers. This is the easiest option but offers the least customization. AdGuard DNS, for example, blocks ads and trackers using the same filter lists as AdGuard's other products.
Self-Hosted DNS Servers
Solutions like AdGuard Home and Pi-hole run on your own hardware, giving you complete control over your DNS filtering. You can choose which blocklists to use, create custom rules, and view detailed query logs. The trade-off is that you need to maintain the server hardware and software.
OS-Level DNS Filtering
Some operating systems and applications implement DNS filtering locally. AdGuard for Android, for example, can act as a local DNS proxy, filtering DNS queries on the device itself before they leave for the internet.
Encrypted DNS: Protecting Your Queries
Traditional DNS queries are sent in plain text, meaning anyone who can see your network traffic (your ISP, a coffee shop Wi-Fi operator, or a malicious actor) can see every domain you visit. Encrypted DNS protocols solve this problem:
- DNS-over-HTTPS (DoH) - Encrypts DNS queries inside standard HTTPS traffic on port 443
- DNS-over-TLS (DoT) - Encrypts DNS queries using TLS on dedicated port 853
- DNS-over-QUIC (DoQ) - The newest protocol, using QUIC for lower latency and better performance
- DNSCrypt - An older encryption protocol with authentication features
AdGuard supports all four encrypted DNS protocols across its products. Using encrypted DNS ensures that your DNS queries cannot be intercepted, modified, or logged by third parties between your device and the DNS server.
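To make the DoH description concrete, here is an added example (not AdGuard's code or any product's implementation) that builds a DNS A query in wire format, wraps it as an RFC 8484 DoH GET URL, and parses the two kinds of blocked answer a filtering resolver returns. The resolver URL is a placeholder, the resolver side is simulated locally, and no network traffic is sent.

```python
import base64
import struct
DOH_URL = "https://resolver.example/dns-query"  # placeholder resolver, an assumption

def encode_name(name: str) -> bytes:
    """'example.com' -> b'\\x07example\\x03com\\x00' (DNS label format)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(name: str, txid: int = 0) -> bytes:
    # header: id, flags (RD=1), qdcount=1, an/ns/arcount=0; then QTYPE=A, QCLASS=IN
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)

def doh_get_url(name: str) -> str:
    # RFC 8484 GET form: base64url without padding; txid 0 keeps the URL cacheable
    b64 = base64.urlsafe_b64encode(build_query(name, 0)).rstrip(b"=").decode()
    return f"{DOH_URL}?dns={b64}"

def build_response(query: bytes, ip=None) -> bytes:
    """Simulated filtering resolver: repeat the question, then answer with an A record (e.g. 0.0.0.0) or NXDOMAIN (rcode 3) when ip is None."""
    txid, question = query[:2], query[12:]
    if ip is None:
        return txid + struct.pack("!HHHHH", 0x8183, 1, 0, 0, 0) + question
    rdata = bytes(int(o) for o in ip.split("."))
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + rdata  # name = pointer to offset 12
    return txid + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0) + question + rr

def parse_a_answer(msg: bytes):
    """Return (rcode, first A record or None) from a response message."""
    flags, qdcount, ancount = struct.unpack("!HHH", msg[2:8])
    pos = 12
    for _ in range(qdcount):          # skip the question section
        while msg[pos]:
            pos += msg[pos] + 1
        pos += 1 + 4
    for _ in range(ancount):
        if msg[pos] & 0xC0 == 0xC0:   # compressed name: 2-byte pointer
            pos += 2
        else:
            while msg[pos]:
                pos += msg[pos] + 1
            pos += 1
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            return flags & 0xF, ".".join(str(b) for b in msg[pos:pos + 4])
        pos += rdlen
    return flags & 0xF, None
```

The same wire-format message is what DoT and DoQ carry; only the transport around it changes.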
Building Effective Blocklists
The effectiveness of DNS filtering depends entirely on the quality of its blocklists. A good blocklist should block known ad and tracker domains while avoiding false positives that break legitimate websites. AdGuard maintains several curated blocklists specifically designed for DNS filtering:
- AdGuard DNS filter - A composite filter optimized for DNS-level blocking
- AdGuard Tracking Protection - Focuses on tracking and analytics domains
- Malware protection - Blocks known malware distribution domains
Important: Be cautious with aggressive blocklists. Blocking too many domains can break legitimate services. It is better to start with a moderate blocklist and add more aggressive lists only if you are comfortable troubleshooting DNS issues.
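The following added example (not code from AdGuard Home, Pi-hole or any other product) ties the step-by-step filtering process above to this section: it parses a small constructed blocklist written in AdGuard DNS filter syntax, including an exception rule of the kind that prevents false positives, and answers queries with either the upstream address or the `0.0.0.0`/`NXDOMAIN` blocked response. Upstream resolution is a constructed lookup table rather than real DNS.

```python
from dataclasses import dataclass, field
# Constructed list in AdGuard DNS filter syntax: "||host^" blocks host and all subdomains,
# "@@" marks an exception rule, a hosts line ("0.0.0.0 host") blocks exactly that name.
SAMPLE_BLOCKLIST = """
! constructed list for illustration only
||tracker-network.com^
||cdn.example^
@@||static.cdn.example^
0.0.0.0 pixel.analytics.example
"""
# Constructed upstream answers standing in for real recursive resolution.
UPSTREAM = {"example.com": "192.0.2.1", "ads.tracker-network.com": "203.0.113.10",
            "static.cdn.example": "198.51.100.7"}

@dataclass
class Blocklist:
    blocked: set = field(default_factory=set)   # name plus every subdomain
    exact: set = field(default_factory=set)     # this exact name only
    allowed: set = field(default_factory=set)   # exceptions override blocks

def parse_blocklist(text: str) -> Blocklist:
    bl = Blocklist()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "!#":
            continue
        target = bl.blocked
        if line.startswith("@@"):
            target, line = bl.allowed, line[2:]
        if line.startswith("||") and line.endswith("^"):
            target.add(line[2:-1].lower())
        elif line.split()[0] in ("0.0.0.0", "127.0.0.1") and len(line.split()) > 1:
            bl.exact.add(line.split()[1].lower())
    return bl

def _covered(name: str, names: set) -> bool:
    # True if the name itself or any parent domain is in the set
    labels = name.split(".")
    return any(".".join(labels[i:]) in names for i in range(len(labels)))

def is_blocked(bl: Blocklist, name: str) -> bool:
    name = name.lower().rstrip(".")
    if _covered(name, bl.allowed):        # exception rules avoid false positives
        return False
    return _covered(name, bl.blocked) or name in bl.exact

def resolve(bl: Blocklist, name: str, mode: str = "null_ip") -> str:
    # the upstream A record, or the blocked response selected by mode
    if is_blocked(bl, name):
        return "0.0.0.0" if mode == "null_ip" else "NXDOMAIN"
    return UPSTREAM.get(name.lower().rstrip("."), "NXDOMAIN")
```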
The Future of DNS Filtering
DNS filtering continues to evolve as the internet changes. New protocols like DNS-over-QUIC promise better performance, while advances in machine learning are being applied to detect and block newly registered malicious domains in real time. As more of our lives move online and more devices connect to our networks, DNS filtering will become an increasingly important layer of defense in our privacy and security toolkit.
Whether you choose a simple public DNS service or a self-hosted solution like AdGuard Home, implementing DNS filtering is one of the most effective steps you can take to improve your online privacy and security with minimal effort.