Proactive Protection, Zero Delay
DNS is the gateway to all internet activity. By securing it, you stop threats before they reach your endpoints. Our Real-Time DNS Filtering solution delivers powerful, always-on protection that enforces security policies at the network layer—without slowing down performance or disrupting users.
How Every Query Is Processed
Each DNS query passes through a multi-stage filtering pipeline before a response is returned:
What Gets Blocked
DNSCircle blocks access to harmful and unwanted content by category:
Malware & Ransomware
Domains distributing malicious payloads, spyware, and ransomware are blocked before they reach any endpoint.
Phishing
Sites impersonating trusted brands to steal credentials are identified and blocked in real time.
Command & Control
C2 servers used by botnets and remote attackers are cut off at the DNS layer.
DoH Bypass Prevention
182+ known public DoH providers (Cloudflare, Google, Quad9, Apple Private Relay, etc.) are blocked to prevent users from circumventing your filtering.
Cryptojacking
Sites that hijack compute resources for cryptocurrency mining are blocked automatically.
Content Categories
Adult content, gambling, violence, social media, streaming — configurable content categories to match your organization’s acceptable use policy.
AI-Powered Domain Classification
When a domain is not yet known to any category database, DNSCircle falls back to a machine-learning classifier — no human curation required and no query held up waiting for a verdict.
How It Classifies
- Feature extraction — lexical, structural, and reputation signals from the domain
- Trained ML model — classifies against the same category taxonomy as the rest of the engine
- Confidence scoring — low-confidence verdicts flagged for review rather than trusted blindly
- Large-model review — optional Claude-backed second opinion for ambiguous domains
Most DNS filters are only as good as their blocklist. DNSCircle classifies previously unseen domains on the fly so protection extends beyond any static list.
Granular Policy Engine
Create precise access policies tailored to your organization. Every policy supports multiple actions, scoping levels, and time-based scheduling.
Actions & Priority
- Block — deny access and return the sinkhole IP
- Allow — override blocks for specific categories
- Log — record without blocking
- Priority system — lower number wins when policies conflict
- Hit tracking — every policy tracks how many queries it has matched
Multi-Scope Targeting
- Tenant-wide — applies to all users
- Group-scoped — applies to specific user groups
- User-scoped — applies to individual users
- Multi-scoped — target both groups and users simultaneously
Schedule-Based Enforcement
Policies activate only during configured time windows — allowing you to enforce different rules during work hours, after school, or on weekends.
| Schedule Parameter | Description | Example |
|---|---|---|
| Days of Week | Select specific days (Monday–Sunday) | Mon, Tue, Wed, Thu, Fri |
| Time Range | Start and end time in local timezone | 09:00 – 17:00 |
| Date Range | Calendar start and end dates | 2026-01-15 – 2026-06-30 |
All schedule parameters are optional. Leave any field empty for no restriction on that dimension. A policy with no schedule is always active.
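The priority and schedule rules above can be modelled in a few lines. This is an added example, not DNSCircle's own code: the field names, the category-based matching, the end-exclusive time window and the tie handling are assumptions, and the sample policies are constructed.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, time
from typing import Optional

@dataclass
class Schedule:                          # every field optional: None = no restriction
    days: Optional[set] = None           # weekday numbers, Monday = 0
    start: Optional[time] = None         # local time window (assumed end-exclusive)
    end: Optional[time] = None
    date_from: Optional[date] = None
    date_to: Optional[date] = None

    def active(self, now: datetime) -> bool:
        d, t = now.date(), now.time()
        return ((self.days is None or now.weekday() in self.days)
                and (self.start is None or t >= self.start)
                and (self.end is None or t < self.end)
                and (self.date_from is None or d >= self.date_from)
                and (self.date_to is None or d <= self.date_to))

@dataclass
class Policy:                            # field names are hypothetical
    name: str
    action: str                          # "block", "allow" or "log"
    priority: int                        # lower number wins
    categories: set
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)   # users and groups both empty = tenant-wide
    schedule: Optional[Schedule] = None        # None = always active

    def applies(self, user, user_groups, category, now) -> bool:
        scoped = self.users or self.groups
        in_scope = not scoped or user in self.users or bool(self.groups & user_groups)
        return (category in self.categories and in_scope
                and (self.schedule is None or self.schedule.active(now)))

def resolve(policies, user, user_groups, category, now):
    """Winning policy for this query, or None when no policy is in force."""
    hits = [p for p in policies if p.applies(user, user_groups, category, now)]
    return min(hits, key=lambda p: p.priority, default=None)  # ties: first listed (assumption)

POLICIES = [  # constructed sample policies
    Policy("work-hours-social", "block", 20, {"social media"},
           schedule=Schedule(days={0, 1, 2, 3, 4}, start=time(9), end=time(17))),
    Policy("marketing-social", "allow", 10, {"social media"}, groups={"marketing"}),
    Policy("log-gambling", "log", 50, {"gambling"}),
]
```

When reviewing a real policy set, the cases worth testing are the ones this model makes visible: a scheduled block that silently lapses outside its window, and a lower-numbered allow that overrides a broader block.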
Domain Overrides & Custom Categories
Categories cover the broad strokes. Overrides and custom categories let you handle the exceptions — at the exact scope you need.
Allow / Block Lists
Explicit allow or block entries are evaluated before any category lookup. Perfect for whitelisting a SaaS vendor blocked by a category, or blocking a specific domain without a policy change.
Scoped Per User, Group, or Tenant
The same domain can be allowed for one user, blocked for a group, and logged for everyone else — all from one override table with clear precedence.
Custom URL Categories
Create your own categories (e.g. “Partner Portals”, “Internal Tools”) and populate them with domains. Reference them from any policy like a built-in category.
Bulk CSV Import
Import hundreds of domains in one operation. A comment field captures the reason for each override so the context survives staff turnover.
Per-User & Per-Group Filtering
Each user receives their own DoH token for individual tracking and policy enforcement.
Automatic Threat Intelligence
DNSCircle builds your threat intelligence database as it filters — no manual curation needed.
Auto-Recording
Domains matching your configured threat categories are automatically added to the threat intel database with threat type, severity, and block count.
Per-Tenant Configuration
Map any content category to a threat type (malware, phishing, C2) and severity level (high, medium, low) for your organization.
Dashboard Integration
Recent threats appear on the real-time dashboard with severity badges, block counts, and first-seen timestamps.
Profile Compliance Monitoring
DNS filtering only works when the DoH profile is actually installed. DNSCircle continuously verifies that every enrolled user is still routing through your server.
Gap Detection
- Per-user heartbeat — every DNS query is a liveness signal
- Configurable thresholds — flag users after 6 hours to 7 days of silence
- Status classification — Active, Profile Removed?, or Never Connected
- Per-tenant view — compliance posture at a glance
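The gap-detection logic described above, sketched as an added example (not DNSCircle's code). It assumes the last-seen time is derived from per-user query log timestamps; the function name, log shape and sample data are constructed, while the status labels and the 6-hour to 7-day threshold range come from the list above.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

MIN_GAP, MAX_GAP = timedelta(hours=6), timedelta(days=7)   # range stated on the page

def compliance_status(enrolled, query_log, now, threshold):
    """Map each enrolled user to Active / Profile Removed? / Never Connected."""
    if not MIN_GAP <= threshold <= MAX_GAP:
        raise ValueError("threshold must be between 6 hours and 7 days")
    last_seen = {}
    for user, ts in query_log:                  # every query counts as a heartbeat
        if user not in last_seen or ts > last_seen[user]:
            last_seen[user] = ts
    status = {}
    for user in enrolled:
        seen = last_seen.get(user)
        if seen is None:
            status[user] = "Never Connected"    # enrolled, but no query ever logged
        elif now - seen > threshold:
            status[user] = "Profile Removed?"   # was reporting, has gone silent
        else:
            status[user] = "Active"
    return status

def tenant_summary(status):
    """Per-tenant posture: how many users sit in each state."""
    return dict(Counter(status.values()))

# Constructed sample data: (user, UTC timestamp) pairs from a query log
NOW = datetime(2026, 3, 3, 12, 0, tzinfo=timezone.utc)
ENROLLED = ["alice", "bob", "carol"]
QUERY_LOG = [
    ("alice", NOW - timedelta(days=3)),
    ("alice", NOW - timedelta(minutes=5)),
    ("bob", NOW - timedelta(days=2)),
]
```

Log entries from users who are not in the enrolled list are ignored here; in practice those are worth a separate report, since they indicate a token in use that enrollment records do not account for.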
Why You Need It
- Catch profile tampering — users who uninstall the DNS profile to bypass filtering
- Find stalled rollouts — devices that never completed enrollment
- Audit evidence — demonstrable coverage for compliance reviews
- Early warning — surfaces problems before users report them
Encrypted DNS-over-HTTPS
All filtering happens over encrypted DoH connections. No plaintext DNS — every query is encrypted in transit between the client and your DoH endpoint.
| Capability | Detail |
|---|---|
| Encryption | TLS 1.2+ with certificate-based encryption |
| Protocol | HTTP/1.1 and HTTP/2 (via nghttp2) |
| Methods | GET (RFC 8484 base64url) and POST (application/dns-message) |
| Routing | SNI-based multi-tenant isolation |
| Bypass Prevention | 182+ public DoH providers blocked |
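For the GET method in the table above, RFC 8484 carries the wire-format DNS message in a `dns` parameter, base64url-encoded with padding removed. The following added example (not DNSCircle's code) builds such a parameter and decodes one back to the queried name, which is what you need when reading DoH requests out of proxy or web-server logs; the host `doh.example` is a placeholder.

```python
import base64
import struct
from urllib.parse import parse_qs, urlsplit

def build_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format query: ID 0 (RFC 8484 advice for cacheability), RD set, one question."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(x)]) + x.encode("ascii") for x in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)   # QTYPE, QCLASS=IN

def to_get_param(message: bytes) -> str:
    """base64url without '=' padding, as the GET form requires."""
    return base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")

def from_get_param(value: str) -> bytes:
    """Restore the stripped padding before decoding."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))

def question_name(message: bytes) -> str:
    """First question name of a query; rejects truncated input and compression pointers."""
    if len(message) < 12 or struct.unpack("!H", message[4:6])[0] < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(message):
            raise ValueError("truncated name")
        n = message[pos]
        if n == 0:
            return ".".join(labels)
        if n > 63 or pos + 1 + n > len(message):
            raise ValueError("bad label length")
        labels.append(message[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n

def name_from_doh_url(url: str) -> str:
    """Extract the queried name from a logged DoH GET URL."""
    params = parse_qs(urlsplit(url).query)
    return question_name(from_get_param(params["dns"][0]))
```

POST requests carry the same wire-format message as the request body with `Content-Type: application/dns-message`, so `question_name` applies to a captured body unchanged.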
Deployment
DNSCircle works as a cloud DNS filter. Point your devices to your DoH endpoint and filtering starts immediately.
Windows
Native Go client with a graphical installer. Runs as a Windows service, listens on port 53, proxies to DoH, starts at boot, and cleanly restores DNS on uninstall.
macOS & iOS Profile
Signed configuration profile sets the DoH server system-wide. Install by hand via a QR code or push to fleets through MDM.
iOS VPN App
Native SwiftUI app with an on-demand Network Extension. Routes only DNS through DoH (no traffic tunneled), auto-reconnects, and sends a heartbeat every 15 minutes for compliance.
Android
Native Android app pins devices to the tenant’s DoH endpoint for the full Android fleet — personal or managed.
Apple MDM
Built-in lightweight MDM server: push certificate onboarding via mdmcert.download, enrollment QR codes, profile push, and live command history per device.
Routers & Networks
Point your network’s DNS to DNSCircle’s DoH endpoint for organization-wide filtering without touching individual devices.
Every user and device gets a unique DoH URL for individual tracking. Tenant-level tokens cover the whole organization; user-level tokens enable per-person policies and reporting.
Complete Query Logging
Every DNS query is logged with full context for security audits, incident investigation, and compliance:
| Field | Description |
|---|---|
| Domain | The queried domain name |
| Action | Allowed, Blocked, SafeSearch Redirect, or IP Denied |
| Category | Matched content category |
| User | Resolved user name from DoH token |
| Client IP | Source IP address of the query |
| Latency | Query processing time in milliseconds |
| Timestamp | UTC timestamp with timezone display support |
Built for MSPs and Channel Partners
DNSCircle is multi-tenant from the ground up. Run a single deployment for thousands of customers, or distribute through a reseller channel with full scoping.
MSP Console
- Unlimited tenants under one MSP console with hard data isolation
- Aggregated reports across the portfolio
- Per-tenant sinkhole IP, allowlist, timezone, and branding
- Auto-assign licenses when new users are created or bulk-imported
Channel Partner Tier
- License pooling — MSP issues licenses to partners, partners distribute to tenants
- Scoped admin — partners see only their own tenants’ data
- Global partner policies — one policy applies across all of a partner’s tenants
- Role-aware editing — policies tagged by creator role so downstream admins cannot weaken guardrails
Why DNSCircle
Purpose-Built Engine
High-performance C filtering engine — not a proxy or wrapper around third-party services.
Priority-Resolved Policies
Flexible allow/block/log rules with user, group, and schedule scoping that resolve conflicts predictably.
DoH Bypass Prevention
182+ known public DoH providers blocked so users cannot circumvent your filtering.
Zero Plaintext Exposure
All queries encrypted via DoH with TLS 1.2+ and HTTP/2 support.
Multi-Tenant Isolation
Complete data isolation between tenants. MSP-ready with aggregated views.
Real-Time Dashboard
WebSocket-powered live dashboard updating every 5 seconds with query stats, threats, and top domains.
AI-Augmented Categorization
Machine-learning classifier handles unknown domains so protection extends beyond any static blocklist.
Compliance-Grade Visibility
Profile compliance monitoring, complete per-user query logs, and auto-built threat intel for audit and incident response.
Ready to Secure Your DNS?
Start protecting your users, data, and reputation with real-time DNS filtering.