DNS Filtering vs. Secure Web Gateway: Which Do You Actually Need?
DNS filtering and Secure Web Gateways both block web-based threats, but they operate at different layers of network traffic and provide fundamentally different coverage. Understanding the distinction matters because organizations frequently deploy one when they need the other — or deploy both without understanding what each contributes.
DNS filtering operates at the domain resolution layer: it blocks resolution of known-malicious domains before a connection is established. Secure Web Gateways operate at the HTTP/HTTPS application layer: they inspect the content of web requests and responses, enable TLS inspection of encrypted traffic, apply URL categorization at the full URL level (not just domain), and provide DLP and cloud application control capabilities that DNS filtering cannot deliver.
This guide is for security architects and network security leads deciding which control to deploy first and when to add the other.
What DNS Filtering Catches — and What It Misses
DNS filtering intercepts DNS queries from endpoints and resolvers, compares the queried domain against threat intelligence feeds, and returns NXDOMAIN or a sinkhole IP for known-malicious domains instead of the real resolution. This blocks: command-and-control beaconing to known malicious domains (91% of malware uses DNS for C2, making this a high-value interception point), phishing domains in known-bad domain feeds, newly registered domains used in spam campaigns, and domains associated with known malware families, cryptomining, and botnet infrastructure.
DNS filtering's coverage gaps are significant and predictable. It operates at the domain level, not the URL level — a compromised legitimate domain (like a hacked WordPress site hosting a phishing page) will not be blocked because the domain itself is not malicious. It cannot inspect the content of encrypted HTTPS connections — whether the traffic over a domain is malware delivery or legitimate file download is invisible to DNS. It cannot enforce DLP policies — it has no visibility into what data is being uploaded or downloaded. It cannot distinguish between legitimate and malicious use of CDN and cloud storage services that share domains (Dropbox.com, OneDrive.com, GitHub.com) — blocking these domains breaks legitimate productivity.
DNS-over-HTTPS (DoH) is a growing evasion vector. When browsers send DNS queries directly to DoH resolvers (Cloudflare 1.1.1.1, Google 8.8.8.8) rather than using the corporate resolver, DNS filtering is bypassed entirely. DNS filtering deployments must enforce DNS resolver use via firewall rules blocking port 853 (DoT) and HTTPS to known DoH resolver IPs, and via group policy settings that prevent browser DoH configuration.
What a Secure Web Gateway Adds
A Secure Web Gateway sits inline on web traffic (either as a proxy or via network interception) and provides visibility and control that DNS filtering cannot reach.
TLS inspection is the SWG's most important capability: it performs man-in-the-middle decryption of HTTPS traffic, inspects the decrypted content for malware, phishing, and DLP violations, then re-encrypts and forwards compliant traffic. This is the only way to inspect what is inside HTTPS connections — 72% of enterprise web traffic is HTTPS, meaning a DNS-only deployment is blind to almost three-quarters of web activity. TLS inspection requires deploying a trusted CA certificate to endpoints for the SWG's decryption certificate to be trusted — this is a deployment requirement that DNS filtering does not have.
URL categorization at the full URL level (not just domain) enables blocking specific paths on legitimate domains: blocking dropbox.com/upload while permitting dropbox.com/download, or blocking specific URLs within a legitimate cloud storage service rather than blocking the entire domain. This granularity is impossible at the DNS layer.
Cloud application control (CASB-lite functionality) in SWG platforms distinguishes between managed and unmanaged instances of cloud apps: permitting access to the corporate Google Workspace tenant while blocking access to personal Gmail for data upload. This prevents data exfiltration via personal cloud accounts while preserving productivity.
Inline DLP inspects the content of uploads for patterns matching sensitive data — credit card numbers, Social Security numbers, proprietary document fingerprints — and blocks or logs exfiltration attempts. No DNS filtering solution provides this capability.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Vendor Landscape: Cisco Umbrella, Cloudflare, Zscaler, and Palo Alto
Four vendors dominate the DNS filtering and SWG market, each with different architecture, pricing models, and strengths.
Cisco Umbrella is the most widely deployed DNS security platform in enterprise environments, with 30-plus years of DNS data underpinning its threat intelligence. Umbrella's Predictive Intelligence uses machine learning to identify malicious domains before they appear in threat feeds — blocking newly registered domains used in attack campaigns before they become widely known. Umbrella's SWG module adds TLS inspection and URL categorization for organizations that need full SWG capability on the Umbrella platform. The Cisco Security Cloud integration provides joint deployment with Cisco Secure Endpoint, ISE, and Secure Firewall.
Cloudflare Gateway is the DNS filtering and SWG component of Cloudflare One (their SASE platform). Its primary differentiators are performance (Cloudflare operates the world's largest anycast network, making DNS resolution and proxy throughput faster than most alternatives) and price accessibility (the Teams tier is more affordable than Cisco Umbrella for mid-market organizations). Gateway's integration with Cloudflare Access (ZTNA) and Cloudflare's global network makes it the strongest option for organizations deploying Cloudflare as their primary network security vendor.
Zscaler Internet Access (ZIA) is the enterprise-grade cloud SWG and is typically the strongest choice when full SWG capability — TLS inspection, DLP, CASB, cloud app control — is required at large scale. ZIA is designed for enterprises with complex policy requirements and integrates with Zscaler Private Access (ZPA) for a complete SASE deployment. It is priced at the enterprise tier and is not typically cost-competitive for organizations under 1,000 users.
Palo Alto Prisma Access includes DNS Security (powered by Advanced Threat Prevention) as a module within its SASE platform. For organizations standardized on Palo Alto, DNS Security integrates natively with Cortex XDR and Panorama for unified policy management. Palo Alto's ML-based DNS threat detection identifies DNS tunneling (data exfiltration via DNS query encoding) more effectively than feed-based approaches.
Deployment Considerations and DoH Bypass Prevention
DNS filtering deployment requires redirecting all client DNS queries through the filtering resolver. For corporate-managed endpoints, this is done via DHCP configuration (setting the DNS resolver IP to the filtering platform's resolver) combined with group policy settings to prevent manual DNS reconfiguration. For remote endpoints not on the corporate network, a lightweight agent (Cisco Umbrella Roaming Client, Cloudflare WARP) enforces DNS resolver routing regardless of network location.
DNS-over-HTTPS bypass prevention is a deployment requirement that many organizations miss. Modern browsers (Chrome, Firefox, Edge) support DoH and can be configured to use DoH resolvers directly, bypassing corporate DNS filtering entirely. Enforce resolver control by: (1) blocking outbound HTTPS to known DoH resolver IP addresses at the firewall (Cloudflare 1.1.1.1, Google 8.8.8.8/8.8.4.4, Quad9 9.9.9.9); (2) setting browser enterprise policy to disable DoH or force use of the corporate DNS-over-HTTPS endpoint; and (3) blocking DNS-over-TLS (port 853) at the firewall.
SWG TLS inspection deployment requires planning for certificate trust and inspection exclusions. Deploy your SWG's CA certificate to all managed endpoints before enabling TLS inspection — users will see certificate errors on all HTTPS sites until the CA is trusted. Establish inspection exclusions for categories where TLS inspection creates legal or operational issues: financial and banking sites (compliance concerns in some jurisdictions), healthcare portals (HIPAA considerations), and software update services (TLS inspection can break pinned certificate validation in update clients).
Decision Framework: When to Deploy Which
DNS filtering alone is appropriate for: organizations with limited budget and headcount that need a meaningful first layer of web-based threat protection; networks where TLS inspection infrastructure is not feasible (OT/ICS environments, IoT networks); and as a supplementary control layered beneath a full SWG (DNS filtering stops threats before they reach the SWG, reducing TLS inspection load and SWG processing costs).
SWG without DNS filtering is uncommon because DNS filtering is lower cost, lower latency, and provides C2 beaconing detection that SWG TLS inspection does not efficiently deliver. Most SWG deployments layer DNS filtering on top of SWG functionality.
Both DNS filtering and SWG are appropriate for: organizations with DLP requirements (SWG is required for content inspection); organizations with cloud application governance requirements (CASB functionality requires SWG); organizations where insider threat or data exfiltration is a primary concern (DNS filtering cannot detect exfiltration over HTTPS); and organizations with compliance requirements for demonstrating web content inspection capability.
For mid-market organizations choosing a first web security deployment: DNS filtering via Cloudflare Gateway or Cisco Umbrella provides the fastest time-to-value and lowest deployment complexity. Add SWG capability when DLP, cloud app control, or compliance requirements create a specific need for content-level inspection.
The bottom line
DNS filtering is the minimum viable web security control — it blocks C2 beaconing, known-malicious domains, and phishing infrastructure at low cost and low complexity. Every organization should have it. Secure web gateways provide the content-level visibility that DNS filtering cannot: TLS inspection, URL-level categorization, DLP, and cloud application control. Organizations with DLP requirements, insider threat concerns, or compliance obligations for content inspection need a SWG, not just DNS filtering. Most enterprises end up with both — DNS filtering as a low-latency first-pass control and SWG for content inspection of encrypted traffic that DNS filtering cannot see.
Frequently asked questions
Can DNS filtering block encrypted C2 traffic?
DNS filtering blocks the domain resolution that establishes the connection to C2 infrastructure, regardless of whether the subsequent C2 traffic is encrypted. If an attacker's C2 server uses HTTPS on a known-malicious domain, DNS filtering prevents the endpoint from resolving that domain — no connection is established, and no encrypted C2 traffic occurs. What DNS filtering cannot block is C2 traffic to legitimate domains (like GitHub, Dropbox, or Slack) used for C2 through abuse of trusted platforms — a technique called living-off-trusted-sites. This evasion requires SWG behavioral analysis to detect, not just domain blocking.
Does TLS inspection violate user privacy?
TLS inspection decrypts HTTPS traffic flowing through the SWG, meaning the SWG operator can read the content of HTTPS sessions. In enterprise environments, this is generally permissible when employees are notified (typically through an acceptable use policy), devices are organization-managed, and the inspection is limited to identifying security threats rather than used for surveillance. Most SWG platforms support inspection exclusion policies for personal email, banking, and healthcare sites where content sensitivity is highest. Legal requirements for TLS inspection vary by jurisdiction — consult legal counsel before enabling TLS inspection, particularly in EU jurisdictions where GDPR implications apply to employee monitoring.
What is DNS tunneling and how do DNS filtering platforms detect it?
DNS tunneling is a data exfiltration technique that encodes data within DNS queries and responses, exploiting the fact that DNS traffic is rarely blocked or inspected at egress. An attacker controls a domain and a server that acts as the DNS resolver for that domain. The compromised endpoint sends data encoded in DNS query hostnames (e.g., exfiltrated-data-chunk.attacker-domain.com) — the DNS query reaches the attacker's resolver, which decodes the payload. Detection requires analyzing DNS query patterns: unusually long subdomains, high query frequency to a single domain, entropy analysis of subdomain strings (encoded data has higher character entropy than legitimate hostnames), and TXT record abuse for the response channel.
How does DNS filtering handle split-horizon DNS for internal resources?
Split-horizon DNS allows different DNS responses for the same hostname depending on whether the query originates from inside or outside the corporate network — returning private IP addresses for internal queries and public IP addresses for external queries. DNS filtering platforms handle this through selective forwarding: queries for internal domains are forwarded to internal resolvers without filtering applied; queries for external domains pass through filtering. Configure your DNS filtering platform with bypass lists for internal domains and private IP ranges. Cisco Umbrella's Intelligent Proxy and Cloudflare Gateway both support selective forwarding configurations that preserve split-horizon DNS functionality.
Is Cloudflare Gateway suitable for enterprise deployments?
Cloudflare Gateway is suitable for enterprise deployments, particularly for organizations that are already using Cloudflare for CDN, DDoS protection, or Zero Trust (Cloudflare Access). Its performance advantage from Cloudflare's global anycast network is measurable — DNS resolution latency is consistently among the lowest available. Enterprise-specific features (advanced DLP, CASB integration, identity-aware policies) are available on the Enterprise plan. The primary enterprise considerations are support model (Cloudflare's support quality at enterprise tier is adequate but not as white-glove as Cisco Umbrella's enterprise support) and integration depth with non-Cloudflare infrastructure.
What is the difference between a DNS firewall and a secure web gateway?
A DNS firewall (also called protective DNS or DNS security) filters traffic at the DNS query layer — it blocks resolution of malicious domains before network connections are established. It has no visibility into the content of web traffic. A Secure Web Gateway proxies web traffic inline and inspects HTTP and HTTPS content — it can perform TLS inspection, URL categorization at the path level, content scanning for malware and DLP, and cloud application control. DNS firewalls are faster and lower cost; SWGs provide deeper inspection. Both are often marketed as 'DNS filtering' or 'web filtering' by vendors, which creates confusion — verify the technical architecture (DNS-layer vs. proxy-based) when evaluating products.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, weekly, no spam.
Unsubscribe anytime. We never sell your data.
Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.
The Mythos Brief is free.
AI that finds 27-year-old zero-days. What it means for your security program.