Secure DNS, Filtering, and Egress Control for IoT Networks
Why DNS is a security control (not just a network detail)
DNS influences security in three ways:
- Detection: unusual domain lookups can indicate malware, adware, or compromised devices calling home.
- Prevention: blocking known malicious or unnecessary domains can prevent connections before they happen.
- Privacy: controlling resolvers reduces data leakage and helps limit vendor telemetry where appropriate.
The key mindset shift is this: if you can’t fully trust the device, then you shouldn’t fully trust its outbound destinations. You can still allow what’s needed for functionality, but you can do so intentionally.
The DNS “blast radius” problem in IoT
IoT devices often ship with aggressive cloud dependencies: telemetry, analytics, update checks, and remote management endpoints. Some of those endpoints are necessary; some are “nice to have” from the vendor’s perspective. If a device is compromised, it may also begin resolving and connecting to attacker-controlled infrastructure. Without DNS visibility, all outbound traffic can look the same.
Two factors make IoT DNS risk worse:
- Opaque behavior: many devices provide no UI to show what they connect to or why.
- Uniform trust: a default router configuration typically allows any device to resolve any domain using any resolver.
The result is a network where the least trustworthy devices can talk to almost anything—exactly the opposite of least privilege.
Practical DNS architectures for small networks
You don’t need enterprise DNS appliances to improve security. A few practical approaches work well:
Option A: Use the router as DNS (simplest)
Many routers forward DNS requests to an upstream resolver. This is easy, but you may have limited logging and filtering. If your router supports basic DNS filtering, it can still be worthwhile for quick wins.
Option B: Use a local DNS resolver with filtering (balanced)
A local resolver (running on a small computer or server) can provide better visibility and policy control. The goal isn’t to over-engineer; it’s to gain a stable point where you can apply rules consistently. Many setups also benefit from caching, which can reduce latency.
Option C: Managed DNS security service (low-maintenance)
Some organizations prefer a reputable managed DNS security provider that blocks known malicious domains. This can reduce operational burden, but you should still consider privacy tradeoffs and ensure you can audit and control the policy.
DNS filtering strategies that remain professional and realistic
“Block ads” is not a security strategy by itself (though it can reduce some exposure). A security-oriented filtering approach focuses on:
- Known malicious infrastructure: domains associated with malware, phishing, and command-and-control.
- New/unknown domains for IoT: if a thermostat suddenly queries a brand-new domain unrelated to its vendor, that is worth investigation.
- Risky categories: newly registered domains, dynamic DNS providers, and suspicious TLD patterns—used carefully to avoid false positives.
The caution is important: over-blocking breaks devices and trains users to disable protections. Your goal is sustainable security: a policy that works day-to-day.
What about DoH/DoT (encrypted DNS)?
Encrypted DNS such as DoH (DNS-over-HTTPS) and DoT (DNS-over-TLS) improves privacy by preventing passive observers from reading DNS queries. However, it can also bypass local DNS logging and filtering if devices use their own encrypted resolvers.
In a small environment, the practical approach is:
- Use encrypted DNS for your own trusted devices where feasible, for privacy.
- For IoT segments, prefer enforcing a single resolver so you can apply security policy and detect anomalies.
- Block outbound DNS to the internet except to your chosen resolver(s) when your router/firewall supports it. Plain DNS (port 53) and DoT (port 853) can be blocked by port alone; DoH shares port 443 with ordinary HTTPS, so at the firewall it can only be blocked by destination (addresses and hostnames of known public DoH resolvers). That is why redirecting or forcing the IoT segment onto your own resolver matters more than trying to catch every bypass.
This is egress control applied to DNS: not “no DNS,” but “DNS through a known policy point.”
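One way to put the IoT segment behind a single policy point, as an added example rather than configuration from the original page: a POSIX shell script that renders an nftables ruleset for a Linux router so it can be reviewed, syntax-checked with `nft -c`, and then applied. The interface name (vlan50), the resolver address (192.168.10.53, on a trusted VLAN so the traffic crosses the forward hook), the table and chain names, and the public resolver addresses in the DoH set are assumptions for illustration; replace them with your own. Plain DNS is redirected rather than dropped, so a device with a hard-coded public resolver keeps working while its queries are still answered, logged and filtered by you.

```shell
#!/bin/sh
# Added example (not part of the original page): render an nftables ruleset that forces
# one IoT VLAN through a single resolver, then syntax-check or apply it with nft.
# Assumptions: the IoT VLAN is interface vlan50 on the router, the resolver lives on a
# trusted VLAN at 192.168.10.53, and the router runs nftables. Override via environment.
IOT_IF="${IOT_IF:-vlan50}"
RESOLVER="${RESOLVER:-192.168.10.53}"

# Print the ruleset to stdout. Kept as text so it can be reviewed and diffed before apply.
render_iot_dns_policy() {
  cat <<EOF
# Declare, then delete, so re-applying this file is idempotent instead of duplicating rules.
table inet iot_dns
delete table inet iot_dns
table inet iot_dns {
  # Example entries only: public resolvers that answer DoH on 443. Keep this set current yourself.
  set doh_resolvers_v4 {
    type ipv4_addr
    elements = { 1.1.1.1, 1.0.0.1, 8.8.8.8, 8.8.4.4, 9.9.9.9, 149.112.112.112 }
  }

  chain iot_dns_redirect {
    type nat hook prerouting priority -100; policy accept;
    # Plain DNS from the IoT VLAN is rewritten to our resolver: a device that hard-codes
    # 8.8.8.8 keeps working, but every query is now answered, logged and filtered by us.
    iifname "$IOT_IF" udp dport 53 dnat ip to $RESOLVER
    iifname "$IOT_IF" tcp dport 53 dnat ip to $RESOLVER
  }

  chain iot_dns_egress {
    type filter hook forward priority 0; policy accept;
    iifname "$IOT_IF" ip daddr $RESOLVER udp dport 53 accept
    iifname "$IOT_IF" ip daddr $RESOLVER tcp dport 53 accept
    # Belt and braces: port-53 traffic that escaped the redirect is dropped and counted.
    iifname "$IOT_IF" udp dport 53 counter drop
    iifname "$IOT_IF" tcp dport 53 counter drop
    # DoT has a dedicated port, so it can be stopped outright.
    iifname "$IOT_IF" tcp dport 853 counter drop
    # DoH shares 443 with all HTTPS; at this layer only known resolver addresses can be blocked.
    iifname "$IOT_IF" ip daddr @doh_resolvers_v4 tcp dport 443 counter drop
  }
}
EOF
}

# Dry run: parse the ruleset without loading it (nft -c). Fails if nft is not installed.
check_iot_dns_policy() {
  command -v nft >/dev/null 2>&1 || { echo "nft not installed" >&2; return 1; }
  render_iot_dns_policy | nft -c -f -
}

# Load it for real. Run as root on the router.
apply_iot_dns_policy() {
  render_iot_dns_policy | nft -f -
}

# Cheap self-check that the policy covers plain DNS (udp+tcp), DoT and DoH: four drop rules.
count_drop_rules() {
  render_iot_dns_policy | grep -c 'counter drop'
}

render_iot_dns_policy
```

Save the output and pipe it into `nft -c -f -` before `nft -f -`. The counters on the drop rules are themselves a detection signal: a device whose 853 or 443 counter keeps climbing is trying to bypass your resolver and deserves a look. The ruleset is IPv4-only; an IoT VLAN with global IPv6 needs the equivalent ip6 rules and router advertisements that point at the same resolver.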
Egress control: the overlooked half of segmentation
Segmentation controls east-west traffic (device-to-device). Egress control governs north-south traffic (device-to-internet). For IoT, egress control is powerful because many devices have a narrow functional requirement: they talk to a small set of vendor endpoints.
A mature approach is allow-listing, but allow-listing can be difficult because vendors use CDNs and rotating domains. A pragmatic middle ground is:
- Block inbound exposure (no port forwarding to IoT, disable UPnP).
- Constrain outbound destinations where practical (DNS filtering + category blocklists).
- Monitor for “new destinations” and treat them as events worth explaining.
How to integrate DNS security with WatchDog’s scanning workflow
WatchDog focuses on LAN visibility: discovery, open ports, and monitoring. DNS security complements that by adding outbound visibility. Put them together and you get a stronger operational story:
- Device inventory (WatchDog): know what exists and where it is.
- Exposure mapping (WatchDog): know which services are reachable inside the LAN.
- Outbound policy (DNS/egress): know where devices are allowed to connect.
- Drift detection (both): watch for new ports and new domains.
This reduces the chance that a compromise goes unnoticed. Even if an attacker doesn’t need inbound access, they often need outbound connectivity. Outbound controls and telemetry can break the attacker’s assumptions.
A practical “secure DNS” checklist for IoT segments
- Choose a DNS resolver strategy (router, local resolver, or managed DNS security).
- Enforce that IoT devices use your chosen DNS (where your router/firewall supports it).
- Enable DNS filtering for known malicious domains.
- Review new/unusual domains periodically and investigate outliers.
- Combine DNS signals with WatchDog scan drift (new devices, new ports) to prioritize investigations.
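The "review new/unusual domains" item above, together with the new/unknown-domain strategy and the "monitor for new destinations" point earlier on this page, as an added example that is not part of the original page or of WatchDog: a POSIX shell script with an awk core that reads dnsmasq-style query logs, keeps a per-device allow file of vendor domain suffixes and a "seen" file of pairs already reviewed, and prints only domains that are new for that device and outside its expected vendor suffixes, tagging dynamic-DNS providers separately. The log format (dnsmasq's `log-queries` lines), the file layouts, the device addresses and the dynamic-DNS starter list are assumptions; the sample log is constructed, not captured.

```shell
#!/bin/sh
# Added example (not from the original page): flag new or suspicious DNS destinations per IoT
# device from dnsmasq-style query logs. Assumptions: the resolver logs lines of the form
# "... dnsmasq[pid]: query[A] <name> from <client-ip>", you keep a per-device allow file of
# vendor domain suffixes, and the script maintains a "seen" file between runs.
# The dynamic-DNS suffix list is a starter set to extend, not an authoritative feed.
DYNDNS_SUFFIXES="${DYNDNS_SUFFIXES:-duckdns.org,dyndns.org,no-ip.com,ddns.net}"

# report_new_domains LOG ALLOW SEEN
#   ALLOW: lines of "<client-ip> <domain-suffix>" the device is expected to use.
#   SEEN : lines of "<client-ip> <domain>" already reviewed; new pairs are appended here.
# Prints "<client-ip> <domain> <reason>" once per new pair not covered by ALLOW, where
# reason is "dyndns" for a dynamic-DNS provider and "unknown" otherwise.
report_new_domains() {
  log=$1; allow=$2; seen=$3
  touch "$seen"
  awk -v DYN="$DYNDNS_SUFFIXES" -v SEENOUT="$seen" '
    # True when name equals sfx or ends in "." sfx, so cdn.vendor-a.example matches
    # vendor-a.example but vendor-a.example.evil.test does not.
    function suffix_match(name, sfx) {
      if (name == sfx) return 1
      if (length(name) <= length(sfx)) return 0
      return substr(name, length(name) - length(sfx)) == "." sfx
    }
    FILENAME == ARGV[1] { allow[$1] = allow[$1] " " tolower($2); next }  # per-client suffixes
    FILENAME == ARGV[2] { seen[$1 " " $2] = 1; next }                    # reviewed on earlier runs
    /query\[/ {
      dom = ""; client = ""
      for (i = 1; i < NF; i++) if ($i ~ /^query\[/) { dom = tolower($(i + 1)); client = $(i + 3); break }
      if (dom == "" || client == "" || dom ~ /\.arpa$/) next   # malformed line or PTR noise
      key = client " " dom
      if (key in seen) next                                     # already reviewed (or duplicate)
      seen[key] = 1
      print key >> SEENOUT
      n = split(allow[client], s, " ")
      for (j = 1; j <= n; j++) if (suffix_match(dom, s[j])) next   # expected vendor traffic
      reason = "unknown"
      nd = split(DYN, d, ",")
      for (j = 1; j <= nd; j++) if (suffix_match(dom, d[j])) reason = "dyndns"
      print client, dom, reason
    }
  ' "$allow" "$seen" "$log"
}

# Constructed sample data for a stand-alone run (not real traffic): a thermostat (.21) that
# suddenly talks to an unrelated domain, a hub (.22) behaving normally, and a plug (.23)
# resolving a dynamic-DNS name. The reverse lookup at the end is skipped as noise.
write_demo_inputs() {
  dir=$1
  cat >"$dir/dnsmasq.log" <<'EOF'
Jan 12 10:01:02 gw dnsmasq[412]: query[A] api.vendor-a.example from 192.168.50.21
Jan 12 10:01:02 gw dnsmasq[412]: query[A] time.vendor-a.example from 192.168.50.21
Jan 12 10:01:05 gw dnsmasq[412]: query[A] 0.pool.ntp.org from 192.168.50.22
Jan 12 10:01:07 gw dnsmasq[412]: query[A] cdn.vendor-b.example from 192.168.50.22
Jan 12 10:02:11 gw dnsmasq[412]: query[A] update-check.other-tld.example from 192.168.50.21
Jan 12 10:02:11 gw dnsmasq[412]: query[AAAA] update-check.other-tld.example from 192.168.50.21
Jan 12 10:03:40 gw dnsmasq[412]: query[A] mybox.duckdns.org from 192.168.50.23
Jan 12 10:03:41 gw dnsmasq[412]: query[PTR] 21.50.168.192.in-addr.arpa from 192.168.50.23
EOF
  cat >"$dir/allow.txt" <<'EOF'
192.168.50.21 vendor-a.example
192.168.50.22 vendor-b.example
192.168.50.22 pool.ntp.org
192.168.50.23 vendor-c.example
EOF
  : >"$dir/seen.txt"
}

demo() {
  dir=$(mktemp -d)
  write_demo_inputs "$dir"
  echo "== first run: new destinations worth explaining =="
  report_new_domains "$dir/dnsmasq.log" "$dir/allow.txt" "$dir/seen.txt"
  echo "== second run: nothing new, the seen file absorbed them =="
  report_new_domains "$dir/dnsmasq.log" "$dir/allow.txt" "$dir/seen.txt"
  rm -rf "$dir"
}

demo
```

Seed the allow file from a week or two of observed traffic plus the vendor's own documentation, then run the script from cron against the rotated log. The second run printing nothing is the point: you review only genuinely new device-to-domain pairs, and anything you accept goes into the allow file rather than being silently absorbed. Matching is on domain suffix, so a vendor's CDN hostnames under its own domain pass while lookalike domains that merely contain the vendor name do not.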
WatchDog tie-in: Use WatchDog to validate the “who” and the “what” on your LAN (devices and services), then use DNS controls to shape the “where” (destinations). Together, they provide a realistic defensive posture for home and SMB IoT environments.