How to Block Known Malware Domains Without Slowing Everyone Down

QUICK ANSWER

A team can block known malware domains safely by enabling only high-confidence threat categories on one pilot endpoint, proving that endpoint uses the protected resolver, and testing complete business transactions before wider rollout. Keep exceptions domain-specific, verify coverage away from the office, and review block outcomes briefly. Do not turn every new or unfamiliar domain into an automatic outage.

Published
November 19, 2025
Words
1,224 words
Reading time
6 min read

Safe malware-domain blocking should be uneventful: the resolver refuses known-dangerous destinations, ordinary work continues, and a legitimate classification error has a narrow recovery path. Start with high-confidence security categories on one endpoint, prove the DNS path, and test complete business transactions before expanding. Low friction comes from disciplined scope and support, not from enabling every available category.

Separate latency from policy friction

“Slowing everyone down” usually combines two different problems. Resolver latency is the time needed to answer a DNS query. Policy friction begins when a required domain is blocked, an application retries, or a person cannot finish a task. Measure them separately. A fast DNS refusal can still create a long login spinner when the blocked hostname serves identity, updates, an API, telemetry, or content delivery.

Diagnose speed before changing policy
SymptomLikely questionFirst check
Most sites start slowlyIs resolver response time high?Compare lookup timing on normal team networks
One app spins or partially loadsIs a dependency blocked?Check the endpoint and short event window
Only remote devices failDo they use the intended DNS path?Verify resolver status away from the office
A known block is inconsistentIs cache or another resolver involved?Retry after cache expiry and inspect DNS settings

NCSC describes protective DNS as a resolver applying policy to domains and returned addresses, with common coverage for malware distribution, command and control, and phishing.2 Cloudflare similarly explains that a DNS block prevents the domain from resolving before content is fetched.3 This early decision is valuable, but it cannot inspect a downloaded file or determine whether content on an allowed domain is malicious.

Build a minimum safe policy

Begin with provider-maintained, high-confidence categories for malware, phishing, scams, botnet callbacks, and command-and-control infrastructure. Do not add entertainment, advertising, social, gambling, newly observed, uncategorized, anonymizer, or productivity categories to the same first change. Some may suit a later risk decision, but they expand both the explanation and the false-positive surface.

Across providers, the practical pattern is consistent. Cloudflare separates security categories from content categories and places endpoint verification before policy work.45 Control D offers several malware strictness modes.6 Zscaler describes broader controls such as newly registered domains but cautions that blocking broad unknown categories may have wide impact.7 The shared lesson is not that one setting wins; it is that strictness needs a business tolerance and test evidence.

  1. Write the exact outcome: known malicious domains are refused on work endpoints while essential work continues.
  2. Inventory endpoints and their normal DNS paths. Select a cooperative owner on a non-critical laptop for the pilot.
  3. Connect the pilot without blocking. Confirm the resolver receives its queries and record ordinary lookup behavior.
  4. Enable the narrow security policy. Use only a documented safe test destination to verify the block response.
  5. Run a transaction checklist covering authentication, payments, calls, code, customer support, file sharing, updates, printing, and backups.
  6. Repeat on home Wi-Fi or another normal remote network. Review Secure DNS, VPN, private relay, and manual resolver settings if protection disappears.
  7. Expand in small groups. Keep a rollback method and a named person who can diagnose a legitimate block.
  8. Review after five working days, then monthly. Remove stale exceptions instead of accumulating permanent bypasses.

Test transactions, not homepages

Opening a vendor homepage proves almost nothing. A complete test signs in, starts the main task, reaches an API, uploads or downloads a file, receives a notification, and signs out. Software updates and identity providers deserve special attention because they often use hostnames different from the visible product domain. Run the checklist from the affected endpoint after policy activation, not from an administrator laptop with another DNS path.

  • Expected block: the provider’s harmless test domain receives the documented blocked response.
  • Expected allow: each critical workflow reaches a meaningful completion state.
  • Expected roaming result: the endpoint remains protected off the office network.
  • Expected support result: the owner can identify the matching rule without browsing unrelated activity.
  • Expected recovery: a narrow correction restores work without disabling all malware protection.

When a legitimate service fails, note the device, time, action, and expected result. Confirm the blocked hostname belongs to the service through vendor documentation or another trustworthy source. Allow only the required domain at the narrowest relevant scope, add the reason and owner, and set a review date. Avoid wildcarding a parent domain when one subdomain is sufficient. If an enforced security rule caused the block, investigate classification rather than weakening it locally.

DNS is also the wrong layer for some desired exceptions. It cannot allow one URL path while blocking another on the same domain, inspect a document, scan a download, distinguish two accounts on one service, or see page contents, search terms, in-app chats, voice audio, and full browser history. Cloudflare’s policy overview distinguishes DNS domain controls from HTTP inspection for full URLs and files.3 Use the control that can observe the boundary you need.

Treat blocks as operational signals

Routine success is quiet: endpoints remain covered, essential work completes, and a small number of high-confidence risks are refused. Review aggregate allowed, blocked, and redirected counts first. A sudden increase may indicate a new application, a repeated background retry, a classification change, or suspicious activity. It does not by itself reveal a person’s intent. Investigate the smallest relevant slice before drawing a conclusion.

For a named incident, retained activity can establish which endpoint requested a domain, when it happened, and which policy outcome applied. In Veilty that history belongs to a Tenant and is accessible only through assigned Tenant roles. Saved activity and summaries are end-to-end encrypted, while live requests must be processed by the resolver. Keep detailed access purpose-bound and time-limited rather than turning DNS into general workforce observation.

If a malware-domain block occurs, ask whether the endpoint merely attempted a background connection or whether a person opened a message, downloaded a file, entered credentials, or approved a request. Preserve useful evidence, isolate or scan the device when appropriate, and follow the team incident process. DNS blocking can interrupt command-and-control or a dangerous click, but it cannot certify that an endpoint is clean.

Malware-domain policy questions

Will DNS filtering make ordinary browsing slower?

A well-operated resolver should answer ordinary lookups quickly, but performance must be measured from the team’s real networks. More often, perceived slowness is an application repeatedly waiting on a blocked dependency rather than slow DNS resolution itself.

Should a team block every newly registered domain?

Not automatically. New-domain signals can identify risk, but legitimate launches and services also use new domains. Pilot the category, measure false positives, and use stronger endpoint or web controls when the team needs finer context.

Can an allow rule override Veilty protection?

A Tenant resource may override a baseline Tenant policy when a legitimate workflow needs a narrow exception. It cannot override an enforced Tenant policy, so reserve enforced rules for protections that must not be weakened locally.

Apply the policy in Veilty

In one Veilty Tenant, apply reusable baseline and enforced Tenant policies for high-confidence security risks, attach one endpoint, and complete the transaction checklist on two networks. Use Tenant-scoped resources for a narrow baseline exception when necessary; enforced policy remains decisive. Then add devices in small groups. After a week, review blocked outcomes, remove unexplained exceptions, and confirm every remaining exception has an owner and date.1

References

  1. DNS filtering for teams — Veilty
  2. Protective DNS for the private sector — NCSC
  3. Traffic policies — Cloudflare One documentation
  4. Domain categories — Cloudflare One documentation
  5. Set up DNS filtering — Cloudflare One documentation
  6. Malware filter modes — Control D documentation
  7. Best practices for DNS control rules — Zscaler

Related articles