Understanding malware blocks and device identification
If you're using DNSFilter and encounter a blocked malware threat, you might want to know where the malware was blocked or which devices initiated the blocked DNS requests. Here’s a guide on how to manage such scenarios.
How DNSFilter handles malware
We proactively block malware and malicious domains before they can impact your network. When a threat is detected and blocked, it’s intercepted at the DNS level, meaning the malicious content never reaches your machines. In most cases, there’s no need for further action or malware removal from your devices, as the block prevents the threat from executing.
Identifying devices behind blocked DNS requests
If you’re looking to identify which devices initiated the blocked DNS request, DNSFilter allows you to dig deeper into your network activity. Here's what you can do:
- Check your DNS Query Log: In the DNSFilter dashboard, you can review logs under Tools to identify which device or IP address made the request that triggered the block.
- Use Roaming Clients for granular tracking: If you want even more visibility, setting up a Roaming Client can provide detailed insights into which specific devices or users are making requests within your network.
It's worth noting that not all blocked requests come from human actions. Devices often send out DNS requests for system updates, cloud services, or telemetry data, which can sometimes result in a block if a device inadvertently reaches a risky domain.
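One way to work through an exported query log offline, shown as an added example that is not DNSFilter code: it groups blocked requests by source device and domain and marks evenly spaced repeats, which usually come from a scheduled process rather than a person. The column names (timestamp, source, domain, result), the thresholds and the sample rows are assumptions constructed for this example, so rename them to match your own export.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample rows. The column names are assumptions for this example,
# not DNSFilter's export schema; rename them to match your own log export.
SAMPLE_LOG = """timestamp,source,domain,result
2024-05-01T09:00:00,10.0.0.21,telemetry.bad.example,blocked
2024-05-01T09:05:00,10.0.0.21,telemetry.bad.example,blocked
2024-05-01T09:10:00,10.0.0.21,telemetry.bad.example,blocked
2024-05-01T09:15:00,10.0.0.21,telemetry.bad.example,blocked
2024-05-01T09:02:10,10.0.0.34,promo.bad.example,blocked
2024-05-01T09:02:12,10.0.0.34,promo.bad.example,blocked
2024-05-01T11:47:30,10.0.0.34,promo.bad.example,blocked
2024-05-01T09:03:00,10.0.0.34,intranet.example,allowed
"""

def summarize_blocks(log_text, min_hits=4, max_jitter=0.1):
    """Group blocked queries by (source, domain) and label their timing."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["result"].strip().lower() == "blocked":
            ts = datetime.fromisoformat(row["timestamp"])
            hits[(row["source"], row["domain"])].append(ts)

    report = []
    for (source, domain), times in hits.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Evenly spaced repeats (low relative spread between gaps) point to
        # software on the device, such as an updater or telemetry agent.
        regular = (
            len(times) >= max(min_hits, 3)
            and mean(gaps) > 0
            and pstdev(gaps) / mean(gaps) <= max_jitter
        )
        report.append({
            "source": source,
            "domain": domain,
            "count": len(times),
            "pattern": "regular" if regular else "irregular",
        })
    # Busiest device/domain pairs first.
    return sorted(report, key=lambda r: r["count"], reverse=True)

if __name__ == "__main__":
    for entry in summarize_blocks(SAMPLE_LOG):
        print(entry)
```

A "regular" result tells you to look at what is installed or scheduled on that device; an "irregular" one is more likely tied to something a user opened.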
How do you monitor blocked DNS requests in your environment? Any tips or tools you use to identify devices or manage automated DNS queries?