Task 10: Set Up DNS-Based Security on All Devices

DNS-based security is one of the simplest yet most effective ways to block malicious websites before they can ever interact with your systems. By filtering internet traffic at the DNS (Domain Name System) level, you can prevent access to known phishing sites, malware domains, botnet command-and-control servers, and other harmful destinations.

This step provides excellent protection on every device in the network, greatly enhancing your small business’ security posture.

While DNS filtering is a common enterprise security control, small businesses often overlook it because they assume it’s complicated or expensive. The good news? It doesn’t have to be. There are multiple ways to implement DNS-based security that fit different needs and budgets.

In this Task, we’ll cover the following three options you can choose from:

Option 1: Paid DNS Filtering Services (Best for Businesses with In-House IT Resources)
Option 2: Free Semi-DIY Solution with Quad9 (Good for Tech Savy, Budget-Conscious Businesses)
Option 3: Security Essentials™ Service Bundle (Best for Small Businesses That Want Full Protection Without the Hassle)

Important Note: Business networks that use Microsoft Active Directory or Microsoft Entra ID (Azure Active Directory) warrant special attention regarding how they deploy a DNS filtering service. This is because Active Directory uses DNS internally for many functions. The key is to forward DNS requests from the Domain Controllers to the filtering service, rather than renaming the primary DNS server on individual workstations. Our favorite option in these cases is DNSFilter, which has an Active Directory Sync Tool that works well and has a roaming feature, ensuring that your company assets are always protected, whether they connect to the internal company network or any other network. However, as with all things Active Directory, we don’t recommend managing this as a ‘DIY’ option – you’re probably going to need some support from knowledgeable internal or external IT experts.

Option 1: Paid DNS Filtering Services (Best for Businesses with In-House IT Resources)

If your business already has in-house IT support or a trusted MSP, using a dedicated DNS filtering service is a robust solution. Services like DNSFilter, Zorus or others provide powerful web filtering capabilities with detailed reporting, policy control, and excellent protection against malicious domains.

These products typically cost a few dollars per endpoint to set up, and require a small or modest increase in IT workload.

Many premium antivirus packages (such as Norton, McAfee, Bitdefender, Avast, and others) include DNS filtering as an add-on feature. However, in our experience, these “bundled” solutions are often overpriced and consume excessive computing resources, making systems sluggish—especially on older hardware. You’ll usually get better value and flexibility by working with a dedicated DNS filtering provider or a cybersecurity-focused service bundle.

Option 2: Free Semi-DIY Solution with Quad9 (Best for Budget-Conscious Businesses)

If you’re looking for a free and quick way to improve your DNS security, Quad9 is an excellent starting point. By changing your devices’ DNS settings to use Quad9’s secure DNS servers (9.9.9.9), you’ll automatically block access to known malicious domains based on their threat intelligence feeds.

However, it’s important to note that:

  • You’ll need to manually configure DNS settings on each device.
  • You will have issues. We love Quad9 for the value it provides to the community worldwide! However we’ve extensively tested it; encourage our techs to use it on their personal devices, and we experience frequent issues. Most commonly, we will have no internet connectivity until the issue is resolved. For this reason, we don’t recommend it as a business-grade solution.
    • Many networks (like public Wi-Fi at hotels or airports) may cause connectivity issues, requiring you to temporarily disable Quad9 DNS or adjust settings.
  • You won’t get centralized reporting or policy enforcement.

Despite the issues, Quad9 is a great starter solution for micro-businesses or solopreneurs who are technically comfortable managing their own devices.

Option 3: Security Essentials™ Service Bundle (Best for Small Businesses That Want Full Protection Without the Hassle)

If you want DNS-based security without adding more IT workload, we highly recommend our Security Essentials™ service bundle. For $25 per endpoint per month, you get:

  • Enterprise-grade DNS filtering pre-configured and monitored.
  • Managed Detection and Response (MDR)—a 24/7 Security Operations Center watching over your systems.
  • Vulnerability, patch, and update management to ensure all devices stay secure and up-to-date.
  • No resource-hogging software—we optimize for performance and efficiency.

This solution is ideal for small businesses that need strong cybersecurity but don’t want to manage multiple products or get bogged down in technical details.

Take Action

  1. Decide which approach works best for your business.
  2. If you choose Quad9, we’ll provide a step-by-step guide in the next article on how to set it up on Windows and macOS devices.
  3. If you’re interested in a premium DNS filtering service or Security Essentials™, reach out to us and we’ll help you implement the right solution.