
Get started with DNS Security

DNS Security lets you control which websites and services managed devices can access.

How filtering works

Each policy evaluates queries through three layers in priority order. The first match determines whether the domain is allowed or blocked. If no layer matches, the query is allowed.

Priority      Layer          What it does
1 (highest)   Custom Rules   Admin-defined allow or block overrides for specific domains
2             Services       Block specific apps by name (e.g., TikTok, YouTube)
3             Filters        Category-based blocklists (e.g., Malware, Adult Content)

Domains that do not match any rule, service, or filter are resolved normally.


Before you begin

Admin role required. Only admins can create and assign policies.

DNS resolver must be configured on devices. Policies do not filter traffic until managed devices are pointed to the Trio DNS resolver. Find the resolver IPs in DNS Security > Settings > General, then push them to devices via an MDM network profile or DHCP configuration.

If the resolver is not yet deployed, the Deployment Posture section on the Overview page will show the DNS profile as not applied.


Navigate to DNS Security

In the main sidebar, go to Security > DNS Security. The section opens on the Overview page.

The secondary sidebar gives you access to:

  • Overview — summary stats, policy status, and recent blocked events

  • Policies — full policy list with management actions

  • Event Logs — all DNS query events across all policies

  • Settings — resolver configuration, block page, log retention, SIEM, safe search


Create a policy

Click Create Policy from the Overview or the Policies page. The wizard opens full-screen.

A Policy Summary panel stays visible on the right side throughout the wizard, updating as you make changes. Review it at any point to see your current configuration before you create the policy.


Step 1 — Identity & Block Response

Policy details

  • Policy name — required, up to 80 characters. Example: Corporate Security Baseline

  • Description — optional. Useful for documenting who this policy is for and what it covers.

Block Response Method

This setting controls how the DNS resolver responds to the device when a domain is blocked.

  • NXDOMAIN — the domain appears not to exist. No visible error page. Recommended for malware, phishing, and tracker blocks.

  • Sinkhole — the device is directed to your block page. The user sees a message explaining the block. Recommended for productivity and content filters where visibility matters.

  • NULL IP — returns 0.0.0.0. Not recommended.

Note: If you select Sinkhole, your block page must be configured in Settings > Block Page before assigning the policy. If no block page is set up, devices may receive an empty response instead of the block page.

This setting applies globally to all blocks enforced by this policy. You can override it per filter type later in the policy's Options tab.

Click Next to continue. The Next button is disabled until a policy name is entered.


Step 2 — Filters

Filters are category-based blocklists. Enable the categories you want to block.

Categories are grouped by type:

Security

  • Malware — blocks malware infrastructure, command-and-control servers, and botnets. Supports three modes: Relaxed, Balanced, Strict. Strict mode uses broader detection and may produce false positives — monitor the Event Logs after enabling.

  • Phishing — blocks phishing and credential-harvesting domains.

  • New Domains — blocks recently registered domains (under 30 days old).

  • Dynamic DNS — blocks dynamic DNS providers commonly used to hide malicious infrastructure.

Content: Adult Content, Gambling, Drugs, Dating, Clickbait

Productivity: Social, Games, File Hosting, Torrents & Piracy, AI Tools

Technical: Ads & Trackers, VPN & DNS Bypass, URL Shorteners, Crypto, Streaming Video

Malware and Phishing are pre-selected as recommended. Review all categories and enable what fits your policy's purpose.

Note: Custom Rules (Step 4) override Filters. If a domain is in a blocked category but needs to be accessible, add a Custom Allow rule in Step 4.


Step 3 — Services

Services block or allow specific apps by name. Each service is a bundle of all domains and CDNs used by that app.

Available groups: Social, Audio, Video, Messaging, Productivity, Gaming.

Toggle each service you want to block. Use services when you need precision — for example, block TikTok but not all Social content, or block YouTube but keep Google Meet accessible.

Note: Services block all domains in the app's bundle. To allow access to a specific subdomain within a blocked service, add a Custom Allow rule in Step 4.


Step 4 — Custom Rules

Custom Rules are the highest-priority layer. They override Services and Filters.

To add a rule:

  1. Click Add Rule.

  2. Enter the pattern.

  3. Select a pattern type.

  4. Set the action: Allow or Block.

  5. Optionally add a note.

  6. Click Save Rule.

Pattern types

Type                      When to use
Domain + All Subdomains   Matches the domain and all its subdomains. Recommended for most rules.
Exact Domain Only         Matches only the exact domain entered. No subdomains.
Substring Wildcard        Broad match. Use with caution — high false-positive risk.
TLD Block                 Blocks all domains under a top-level domain, e.g., .xyz.
IP / CIDR                 Matches by IP address or IP range.
Regex (Advanced)          Flexible pattern matching. Limit to 10 per policy. Available under Advanced Options.

A live preview below the pattern field shows which domains the rule will match before you save it.

Common uses for Custom Rules:

  • Allow a domain blocked by a Filter (e.g., allow payroll.acme.com while blocking File Hosting)

  • Allow a subdomain within a blocked Service (e.g., allow meet.google.com while YouTube is blocked)

  • Block a specific domain not covered by any Filter or Service


Create the policy

After completing Step 4, review the Policy Summary panel on the right to confirm your configuration. Check:

  • Policy name

  • Block Response Method

  • Active Filters (number enabled)

  • Active Services (number enabled)

  • Custom Rules (number added)

Click Create Policy to create the policy.

On success, you are taken to the policy's detail page.


If you need to leave the wizard

Clicking Cancel or navigating away shows a confirmation dialog: "Leave wizard?" Progress is not saved. Click Leave to exit or Cancel to stay in the wizard.


Assign the policy to device groups

After the policy is created, assign it to device groups so filtering begins.

From the policy's Assignments tab:

  1. Click Assign Groups.

  2. Search for and select one or more device groups.

  3. Click Assign groups.

Filtering begins at the next DNS query cycle on assigned devices.

Tip: Before a broad rollout, assign the policy to a test device group first. This lets you validate filter behavior and catch unexpected blocks before affecting your full fleet.

Conflict warning: If a device group is already assigned to another DNS Security policy, a conflict badge appears on that group. A device group can only be actively filtered by one DNS Security policy. Remove the group from the other policy to resolve the conflict before assigning.


Verify the policy is active

On the Overview page, check the Deployment Posture section:

  • MDM DNS Profile Applied — confirms the Trio DNS resolver is pushed to devices via MDM

  • Agent Active — confirms the filtering agent is running

  • Anti-bypass Enabled — confirms VPN/DNS bypass protection is active

The policy's status badge on the Policies list should show Active. DNS query events will appear in Event Logs once the first queries are processed.
