How to Choose a Baseline DNS Catalog for a Small Team

QUICK ANSWER

A small-team baseline DNS catalog should start with broadly applicable, evidence-backed protection against known malicious domains, then add only categories the team has explicitly agreed to apply. Keep optional productivity or acceptable-use choices separate, test representative workflows, assign an exception owner, and review changes before applying the catalog across a Tenant.

Published
February 2, 2026
Words
1,153 words
Reading time
6 min read

A small-team baseline DNS catalog should start with broadly applicable, evidence-backed protection against known malicious domains, then add only categories the team has explicitly agreed to apply. Keep optional productivity or acceptable-use choices separate, test representative workflows, assign an exception owner, and review changes before applying the catalog across a Tenant.

Start with the risk everyone shares

A useful baseline addresses risks that are relevant to nearly every role without turning one person’s browsing preferences into team policy. Begin with reputable threat-focused inputs for domains associated with malware delivery, phishing, command-and-control activity, and other clearly malicious infrastructure. The NCSC describes protective DNS as a resolver that prevents access to domains known to be malicious, while noting that providers build deny lists from multiple intelligence sources.2 That is a defensible security purpose; it is not a promise that every classification will always be correct.

Write the purpose before choosing the catalog: for example, “reduce connections to known malicious infrastructure on team-managed resources.” Then name what the baseline does not decide. It should not silently settle questions about social networks, streaming, advertising, gambling, generative tools, or other legitimate-but-contested categories. Those choices have different evidence, consequences, and owners. Mixing them into one list makes a security exception look like an acceptable-use dispute and makes later review harder.

Separate protection from preference

A practical split for a small-team catalog decision
Catalog layerTypical purposeDecision standard
Threat protectionReduce contact with known malicious domainsShared security need and credible intelligence
Privacy or nuisanceReduce selected tracking or advertising domainsDocumented team preference and breakage tolerance
Acceptable useLimit categories during workExplicit policy, clear authority, and proportionate scope
Local exceptionsRestore a verified required dependencyNamed owner, narrow domain and resource, review condition

This separation gives each layer a different change tolerance. A high-confidence malicious-domain rule may justify mandatory treatment. A nuisance category that breaks a design tool may be better as a baseline that a justified resource-specific choice can refine. An acceptable-use category may belong only to a defined group, not every device attached to the account. The catalog is reusable input; scope and precedence still belong to policy.

DNS is a query-response protocol operating on names and DNS answers.3 It cannot see a page path, search phrase, downloaded file, in-app conversation, voice call, or full browser history. A domain may host both required and unwanted content, and DNS cannot distinguish pages under the same hostname. If the team’s requirement depends on content, user identity, file type, application state, or time inside an app, use the appropriate browser, endpoint, identity, or application control instead.

Score catalog inputs before adoption

  1. Define the outcome and the resources in scope before comparing category counts.
  2. Check who maintains each source, what it classifies, how quickly it changes, and how corrections are handled.
  3. Separate high-confidence threat intelligence from subjective, privacy, and acceptable-use categories.
  4. List critical identity, communication, finance, update, support, and deployment workflows that must survive the pilot.
  5. Name the policy owner, technical operator, exception owner, review date, and rollback trigger.
  6. Reject any layer whose purpose, provenance, or operational owner cannot be explained.

Do not choose by list size alone. A larger catalog may contain stale, duplicated, parked, shared-hosting, or low-confidence entries. A smaller, maintained source with a clear purpose and correction path can be more useful. Ask how the provider treats newly registered domains, compromised legitimate sites, shared infrastructure, and delisting. The NCSC advises organizations to examine administration, capability, deployment, and provider assurances when selecting protective DNS, which is a better frame than treating the longest list as the strongest one.2

Pilot real work, not just test domains

Test the proposed baseline on a small, representative set: an ordinary managed device, a resource with critical dependencies, and any role with unusual developer, finance, support, or remote-work needs. Confirm the intended DNS path first because browser secure DNS, a VPN, mobile data, or another resolver can bypass the policy under test. Use only harmless provider test domains for expected blocks; never visit live malicious infrastructure.

A successful block proves only that one lookup received the expected policy outcome. It does not prove broad coverage, and a successful lookup does not prove an application can sign in or complete its work. Run each named workflow end to end, compare with an unchanged resource, and watch for clustered failures around identity providers, content delivery networks, software updates, payment services, and support tools. Widen only after both the expected block and required work succeed.

Give exceptions a small, durable process

For each exception, record the exact domain, affected resource, required task, evidence, approver, implementation owner, review condition, and rollback. Prefer the smallest domain and resource scope that restores the task. A broad team-wide allow rule should require stronger evidence than a narrow exception for one resource. If a required service conflicts with mandatory protection, review that mandatory rule with its policy owner rather than hiding the conflict beneath a local allowance.

Review the catalog on a calendar and after meaningful change: a new critical vendor, team reorganization, catalog-source change, recurring false positives, or an owner’s departure. Remove entries and exceptions that no longer have a purpose, but retest before deletion when the workflow is rare. The result should be a short catalog map that another administrator can explain, not a pile of inherited switches.

Baseline catalog questions

Should a small team enable every available DNS category?

No. More categories do not automatically mean better protection. Start with categories tied to a stated security or workplace need, test them against representative workflows, and leave subjective or high-interruption categories out until the team deliberately approves them.

Is a catalog enough to protect a small team?

No. A DNS catalog can influence lookups for classified domains, but it cannot inspect files, page content, URL paths, messages, or application behavior. Keep endpoint protection, updates, identity controls, backups, email defenses, and user reporting in the wider security plan.

How often should a baseline DNS catalog be reviewed?

Review it on a regular calendar and after a material provider, team, or workflow change. Also review when false positives cluster, an owner leaves, a critical service changes domains, or a category no longer has a clear purpose.

Carry the decision into a Veilty Tenant

In Veilty, keep shared team protection in reusable baseline and enforced policies assigned to the relevant Tenant. Enforced policy applies first and cannot be overridden; a Tenant resource may override its baseline for a justified local need. Use assigned rules or filter sets for the catalog choices the policy needs. Invitations are account-scoped and grant no Tenant access by themselves; after acceptance, assigned owner, admin, member, or viewer roles govern Tenant access. Retained DNS activity belongs to its Tenant, is end-to-end encrypted with user-held keys, and is available only through permitted roles, while the resolver still processes live DNS requests. Start with one representative resource and one written review date.1

References

  1. DNS filtering for teams - Veilty
  2. Protective DNS for the private sector - NCSC
  3. RFC 9499: DNS Terminology - RFC Editor

Related articles