In this article
Use this guide to strengthen the security of a DNSFilter deployment in environments that require strict operational controls or regulatory compliance.
The recommendations in this article are designed for organizations operating under frameworks such as HIPAA, SOC 2, PCI-DSS, NIST 800-53, and similar security standards.
DNSFilter provides several built-in capabilities that support secure administration, controlled access, and audit visibility. When configured properly, these features help organizations enforce strong authentication, limit administrative access, maintain detailed logs, and ensure consistent endpoint protection.
Authentication
Strong authentication protects access to the DNSFilter dashboard and administrative configuration.
| Tool | Details |
|---|---|
| Multi-Factor Authentication (MFA) | MFA is enabled by default on all DNSFilter accounts. Confirm that MFA remains enabled and that all dashboard users are enrolled. |
| Single Sign-On (SSO) |
SSO integrates DNSFilter authentication with a corporate identity provider such as:
SSO allows organizations to enforce centralized password policies, conditional access rules, and immediate user deprovisioning. Authentication activity can also be monitored from the identity provider’s audit logs. |
Administrative controls
Administrative hardening reduces the risk of unauthorized changes to DNS filtering policies.
| Tool | Details |
|---|---|
| Least privilege access |
Limit dashboard access to only users who require it. Assign the most restrictive role necessary for each user’s responsibilities. Recommended practices:
|
| Universal Allow Lists |
Entries on a Universal Allow List permanently bypass filtering policies. Each entry should be limited to operationally necessary domains. Recommended practices:
|
Logging and compliance
Logging provides visibility into configuration changes and DNS activity.
| Tool | Details |
|---|---|
| Policy Audit Log |
The Policy Audit Log records changes to filtering policies and administrative settings. Recommended review frequency:
|
| Data Export and SIEM integration |
Forward DNS query logs and security events to external SIEM platforms such as:
SIEM integration enables long-term retention, correlation with other security events, and automated alerting. |
✍️ Note: Data Export is an add-on feature and may not be included in all plans. Confirm availability before relying on this capability for compliance requirements.
Roaming Client hardening
Proper configuration of the DNSFilter Roaming Client helps maintain filtering protection across devices.
| Tool | Details |
|---|---|
| Failover mode (Windows) | Maintain the default fail-closed configuration. If the agent cannot reach DNSFilter resolvers, DNS resolution is blocked rather than falling back to an unfiltered resolver. |
| TLS certificate (macOS) | Install the DNSFilter TLS certificate on macOS devices. This prevents certificate warnings when blocked content is accessed and ensures consistent HTTPS blocking behavior. |
| Application allowlisting |
Some endpoint security platforms require DNSFilter processes to be allowlisted. Confirm the following processes are permitted by EDR or application control solutions. After agent updates, confirm that allowlisting rules remain valid. |
WindowsAgent Service | Program Files\DNSFilter Agent\Agent\DNSFilter Agent.exe | Local System Service Manager | Program Files\DNSFilter Agent\Service Manager\DNSFilter Agent Service Manager.exe | Local System Tray Process | Program Files\DNSFilter Agent\Tray Icon\DNSFilter Agent Tray Icon.exe | Current user macOSDNSFilter Agent | /Applications/DNSFilter Agent.app/Contents/MacOS/DNSFilter Agent | Current user Privileged Helper | /Library/PrivilegedHelperTools/com.dnsfilter.agent.macos.helper | Root | |
Feature availability
Certain security features depend on the DNSFilter subscription plan.
| Capability | Availability |
|---|---|
| MFA | Included on all plans (required by default) |
| Role-Based Access Control | Included on all plans |
| Policy Audit Log | Included on all plans |
| SSO Integration | Pro/Enterprise plans |
| Roaming Client | Pro/Enterprise plans |
| Data Export / SIEM | Add-on feature — not included on all plans |
Confirm feature availability with the account representative if necessary.
Compliance alignment
DNSFilter controls support common regulatory security requirements.
Examples include:
| Control | NIST 800-53 | CIS Controls | PCI-DSS | HIPAA |
|---|---|---|---|---|
| MFA | IA-2 | CIS 6 | Req. 8.4 | §164.312(d) |
| SSO / Centralized IdP | IA-2, IA-8 | CIS 6 | Req. 8.2 | §164.312(a) |
| Least Privilege | AC-2, AC-6 | CIS 6 | Req. 7 | §164.312(a) |
| Audit Log Review | AU-6 | CIS 8 | Req. 10.7 | §164.312(b) |
| SIEM / Log Export | AU-9, SI-4 | CIS 8 | Req. 10.5 | §164.312(b) |
| Fail-Closed Failover | SC-7, SI-3 | CIS 9 | Req. 6.4 | §164.312(e) |
| Allow List Controls | SC-7, CM-7 | CIS 9 | Req. 1.3 | §164.312(e) |
Recommended review cadence
| Activity | Frequency |
|---|---|
| Policy audit log review | Quarterly (monthly for high-security) |
| Admin account access review | Quarterly |
| Universal allow list review | Quarterly |
| SIEM data export validation | Monthly |
| Roaming client config audit | After each agent update, or semi-annually |
| SSO / MFA enrollment verification | Quarterly |
Comments
0 comments
Please sign in to leave a comment.