Why Malicious-Domain Blocking Is Not the Same as Antivirus

QUICK ANSWER

No. Protective DNS can stop lookups to recognized malicious domains before a connection, but antivirus and endpoint security inspect activity on the device, detect malicious files or behavior, and support containment or cleanup. Use DNS blocking as an early network layer alongside maintained endpoint protection, software updates, secure accounts, backups, and user training.

Published
May 5, 2026
Words
1,017 words
Reading time
5 min read

No. Protective DNS can stop lookups to recognized malicious domains before a connection, but antivirus and endpoint security inspect activity on the device, detect malicious files or behavior, and support containment or cleanup. Use DNS blocking as an early network layer alongside maintained endpoint protection, software updates, secure accounts, backups, and user training.

The useful outcome is layered security clarity. Write down which control can observe each stage of an attack, keep both layers maintained, and test their independent outcomes. Removing endpoint protection because a resolver blocks dangerous domains leaves files, processes, removable media, direct connections, and previously delivered payloads without the control designed to examine them.

Give each security layer one job

Protective DNS evaluates a requested domain against policy at the recursive resolver. The NCSC describes its service as preventing access to known malicious domains by changing the DNS response, and notes that it can also stop malware from reaching recognized command-and-control services.1 Its strength is an early, broadly reusable destination decision.

Endpoint security works closer to the code and operating system. Depending on the product and platform, it may inspect downloaded files, running processes, memory, scripts, behavior, persistence, or device state; quarantine an artifact; isolate a host; and provide investigation evidence. NIST guidance recommends defense in depth because different detectors are effective in different situations and expecting antivirus alone to handle every incident is unrealistic.2

Compare what each layer can observe

Different controls, different evidence
QuestionProtective DNSEndpoint protection
Can it deny a known domain lookup?Yes, when the request reaches its resolverSometimes, through separate web or network features
Can it inspect a downloaded file?NoYes, when supported and enabled
Can it see a malicious process?NoPotentially, from endpoint behavior
Can it block command-and-control?Yes, for recognized domain lookups on its pathPotentially, using endpoint and network signals
Can it remove an infection?NoMay quarantine or support remediation

Overlap is beneficial when it creates independent chances to interrupt an attack. A phishing domain may be blocked before it opens; if it is new or the device bypasses the resolver, browser and endpoint controls still have a chance to respond. If a malicious file arrived through email, removable media, a trusted-but-compromised service, or an earlier connection, endpoint protection remains relevant even though no fresh malicious-domain lookup occurs.

See where domain blocking ends

DNS filtering can act on domain lookups and policy outcomes. It cannot read page contents, full URL paths, search terms, in-app chats, voice audio, or full browser history. It does not inspect file hashes, process trees, memory, macros, or local privilege changes. A safe-looking domain can host compromised content, while a malicious program can communicate through a direct IP address or an allowed service.

A resolver decision also depends on path coverage and timely intelligence. Browsers, VPNs, mobile links, caches, and application-specific DNS can change which resolver receives a request. Endpoint tools have their own coverage limits: an unsupported device, disabled agent, stale engine, excluded folder, or missed behavior weakens that layer. Inventory both boundaries instead of assuming one product label guarantees them.

Build a small layered check

  1. List representative devices, operating systems, browsers, VPNs, and networks; record which endpoint and DNS controls cover each one.
  2. Confirm endpoint protection is supported, enabled, current, reporting, and governed by an accountable owner.
  3. Confirm fresh lookups reach the intended protective resolver in every important context.
  4. Use only vendor-provided harmless test artifacts and provider-owned DNS test domains; never retrieve live malware.
  5. Verify the DNS block and endpoint detection separately so one success cannot conceal a missing layer.
  6. Review failures, exceptions, update health, and aggregate policy outcomes on a schedule, then rehearse escalation for a real alert.

For a home, the review may cover a few laptops and phones. For a small organization, include servers, managed workstations, mobile devices, contractors, and recovery responsibilities. The principle remains the same: assign an owner, test a harmless known outcome, record gaps, and fix the control that owns each gap rather than stretching DNS policy into endpoint detection.

Avoid layer substitution

  • Do not call a DNS block proof that a payload was detected or removed.
  • Do not disable antivirus exclusions or endpoint agents to simplify troubleshooting without an approved, bounded alternative.
  • Do not treat one successful DNS test as coverage for every browser, VPN, application, and network.
  • Do not declare an infection from a DNS row alone; correlate endpoint, identity, and user evidence.
  • Do not collect broad browsing detail to compensate for DNS blind spots; use the control that can observe the required signal.

Answers about DNS and antivirus

Will antivirus catch every threat that protective DNS misses?

No. Endpoint tools also have detection gaps and depend on configuration, updates, supported systems, and response. Layering reduces reliance on any single detection point; it does not make prevention perfect.

Is protective DNS useful when antivirus is already installed?

Yes. It can stop a recognized destination before content reaches the device and may interrupt malware communication. That earlier decision complements rather than duplicates file, process, memory, behavior, and remediation capabilities on the endpoint.

Can DNS logs prove that a device is infected?

No. A suspicious lookup is a lead, not a diagnosis. It may come from an embedded resource, a mistyped link, a scanner, or cached application behavior. Correlate it with endpoint and identity evidence before declaring an incident.

Review one Veilty security boundary

In Veilty, select one resource in its household Space or team Tenant, confirm its profile and resolver path, and test one provider-owned malicious-domain outcome. Keep reusable baseline policy distinct from enforced policy that a resource cannot weaken. Record endpoint protection as a separate control with its own owner and evidence; a Veilty DNS result should never be used as proof of file inspection or remediation.

Begin with aggregate DNS outcomes. Retained activity remains scoped to its Space or Tenant, end-to-end encrypted with user-held keys, and available only through permitted roles, while the resolver processes live requests to answer and apply policy. Open a short detail window only to investigate a named test, then correlate any concern with endpoint evidence and close the window.

References

  1. Protective Domain Name Service - NCSC
  2. NIST SP 800-83 Rev. 1: Guide to Malware Incident Prevention and Handling
  3. NIST SP 800-81 Rev. 3: Secure DNS Deployment Guide

Related articles