
Monitor DNS activity with Event Logs

Event Logs record every DNS query made by devices under active DNS Security policies — both allowed and blocked. Use them to verify filtering is working, investigate unexpected blocks, and create new rules directly from events.

Navigate to Event Logs

Go to Security > DNS Security > Event Logs.

You can also access a policy-scoped log from any policy's Activity Log tab, which shows the same data filtered to that policy only.


Filter events

Use the filter bar to narrow the event list.

The available filters and their options:

  • Time Range: Last 1h, Last 6h, Last 24h, Last 7 days, Last 30 days, Custom range

  • Policy: Select one or more policies

  • Action: Allowed, Blocked, or all

  • Layer: Custom Rule, Service, Filter, or all

  • Device: Search by device name

  • Domain: Search by domain string

Applied filters appear as chips below the filter bar. Remove individual filters by clicking the chip, or clear all filters to reset the view.


Read the events table

Each row shows:

  • Timestamp — exact time of the DNS query

  • Device — the device that made the query

  • Domain — the domain that was queried

  • Action — Allowed or Blocked

  • Matched Layer — which filtering layer determined the outcome

  • Policy — the DNS Security policy that processed the query

The Matched Layer column is the fastest way to understand why a domain was allowed or blocked. Examples:

  • Malware filter — Balanced mode — blocked by the Malware filter

  • Custom Rule — Block: example.com — blocked by a specific custom rule

  • Service — YouTube — blocked because YouTube is enabled in the Services layer

  • No match — allowed — no filter, service, or custom rule matched; the query resolved normally


View event detail

Click any row to open the Event Detail panel on the right. It shows:

Event

  • Timestamp

  • Action: Allowed or Blocked

Domain

  • Full domain queried

  • DNS query type (A, AAAA, CNAME, etc.)

Matched Rule

  • Which layer matched and what the specific rule or filter was

  • Example: Custom Rule: Block — malicious-domain.xyz or Malware filter — Balanced mode

Device

  • Device name (links to the device detail page)

  • OS and device type

Policy

  • Policy name (links to the policy's detail page)


Take action from an event

From the bottom of the Event Detail panel, you can act on the event directly.

Add Block Rule: Creates a custom block rule for this domain in the matched policy. Opens the rule panel pre-filled with the domain and action set to Block. Available on Allowed events. Use this when a domain is passing through that you want to stop.

Add Allow Rule: Creates a custom allow rule for this domain in the matched policy. Opens the rule panel pre-filled with the domain and action set to Allow. Available on Blocked events. Use this to create an exception for a domain that is being incorrectly blocked.

After you save the rule, it is added to the policy's Custom Rules and applies to all future queries for that domain.

Copy Domain: Copies the domain string to your clipboard.

View Device: Opens the device detail page for the querying device.

View Policy: Opens the matched policy's detail page directly to the Configuration tab.


Common investigation patterns

A domain is blocked but should be allowed

  1. Search for the domain in the Domain filter.

  2. Open the event.

  3. Check the Matched Layer — which filter or rule is blocking it.

  4. Click Add Allow Rule to create an exception. The rule will override the blocking filter.

A domain is passing through but should be blocked

  1. Find a recent Allowed event for the domain.

  2. Check whether any higher-priority layer (Custom Rule, Service, Filter) should be catching it.

  3. Click Add Block Rule to create an explicit Custom Block rule.

Verifying a filter is working after enabling it

  1. Set the Action filter to Blocked.

  2. Set the Layer filter to Filter.

  3. Check that the filter's expected domains appear in the results.

  4. If no blocked events appear, verify the policy is assigned to a device group and the DNS resolver is configured on those devices.

Finding which rule matched for a specific device

  1. Search by device name.

  2. Review the Matched Layer column for the domains you're investigating.


Overview — Recent Blocked Events

The DNS Security Overview page shows a summary feed of the 10 most recent blocked events across all policies. Click any row to open the Event Detail panel. Click View all events in the feed footer to go to the full Event Logs page.


Export events

Click Export CSV in the Event Logs page header to download the current filtered view.

Large exports are prepared in the background. You will receive a notification when the file is ready to download.
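An exported file can also be triaged offline. The following is an added example, not vendor code: it counts blocked events per layer and lists domains that are blocked under one policy but allowed under another, which are candidates for Add Block Rule. The CSV headers are assumed to match the events table columns, and the sample rows and timestamp format are constructed.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample export. Headers are assumed to match the events table
# columns; confirm them against a real export before relying on this.
SAMPLE_CSV = """Timestamp,Device,Domain,Action,Matched Layer,Policy
2024-05-01T09:00:00Z,laptop-01,example.com,Blocked,Custom Rule -- Block: example.com,Staff
2024-05-01T09:01:10Z,laptop-02,example.com,Allowed,No match -- allowed,Guests
2024-05-01T09:02:30Z,laptop-01,youtube.com,Blocked,Service -- YouTube,Staff
2024-05-01T09:03:45Z,phone-07,malicious-domain.xyz,Blocked,Malware filter -- Balanced mode,Staff
2024-05-01T09:04:00Z,phone-07,intranet.example.org,Allowed,No match -- allowed,Staff
""".replace(" -- ", " \u2014 ")  # Matched Layer values on this page use an em dash


def layer_of(matched):
    """Map a Matched Layer value to the Layer filter's categories."""
    for prefix in ("Custom Rule", "Service", "No match"):
        if matched.startswith(prefix):
            return prefix
    return "Filter"  # anything else is assumed to be a named filter


def triage(csv_text):
    """Return (blocked count per layer, domains with mixed outcomes)."""
    blocked_by_layer = Counter()
    outcomes = defaultdict(lambda: defaultdict(set))  # domain -> action -> policies
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Normalise case and a trailing dot so variants of one name group together.
        domain = row["Domain"].strip().lower().rstrip(".")
        action = row["Action"].strip()
        outcomes[domain][action].add(row["Policy"].strip())
        if action == "Blocked":
            blocked_by_layer[layer_of(row["Matched Layer"].strip())] += 1
    # A domain both Allowed and Blocked points at uneven policy coverage.
    mixed = {
        domain: {action: sorted(policies) for action, policies in acts.items()}
        for domain, acts in outcomes.items()
        if {"Allowed", "Blocked"} <= set(acts)
    }
    return blocked_by_layer, mixed


if __name__ == "__main__":
    by_layer, mixed = triage(SAMPLE_CSV)
    print("Blocked events by layer:", dict(by_layer))
    for domain, acts in mixed.items():
        print(f"{domain}: allowed under {acts['Allowed']}, blocked under {acts['Blocked']}")
```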


Event retention

Events are stored for 30 days by default. To change the retention period, go to DNS Security > Settings > General and update the Query Log Retention setting.

Events older than the configured retention period are not recoverable. A banner appears at the top of Event Logs when the current view includes the retention boundary.
