
DNS Filtering vs Proxy-Based URL Filtering: What Actually Happens at the HTTP Layer

DEV Community·ZeroTrust Architect·21 days ago

Most articles about web filtering treat DNS filtering and URL filtering as interchangeable names for the same thing. They are not. They operate at different layers of the network stack, have different security properties, and fail in different ways. If you are responsible for a network and you need to enforce web access policies, understanding the distinction matters — particularly around HTTPS traffic, where the commonly held assumptions are frequently wrong. Let's dig into what's actually happening at the protocol level.

DNS filtering: fast, but operating on the wrong layer

DNS filtering intercepts DNS resolution queries. When a client resolves malicious-site.com, the filter sees the query, checks its blocklist, and either returns NXDOMAIN or redirects to a block page instead of the real A record. The implementation is simple and the performance overhead is minimal. But it has two architectural weaknesses that matter in practice.…
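The DNS filtering decision described above, as an added example that is not part of the original article: it parses the question from a raw DNS query, matches the name and its parent domains against a blocklist, and forges either an NXDOMAIN reply or an A record pointing at a block page. The function names, the `mode` parameter, the blocklist contents and the block-page address `192.0.2.10` are assumptions made for illustration.

```python
import struct

BLOCKLIST = {"malicious-site.com"}   # constructed sample blocklist
BLOCK_PAGE_IP = "192.0.2.10"         # assumed block-page address (TEST-NET-1)

def build_query(name, txid=0x1234):
    """Build a minimal A/IN query with RD set (constructed sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def parse_qname(packet):
    """Return (lower-cased query name, offset just past the question section)."""
    labels, pos = [], 12                      # question starts after 12-byte header
    while packet[pos] != 0:
        length = packet[pos]
        if length & 0xC0:                     # top bits set: not a plain label
            raise ValueError("compression pointer in question")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii").lower())
        pos += 1 + length
    return ".".join(labels), pos + 1 + 4      # skip root label, QTYPE, QCLASS

def is_blocked(name):
    """Match the name or any parent domain, on whole-label boundaries."""
    parts = name.rstrip(".").split(".")
    return any(".".join(parts[i:]) in BLOCKLIST for i in range(len(parts)))

def filter_query(packet, mode="nxdomain"):
    """Return a forged response for a blocked name, or None to forward upstream."""
    name, qend = parse_qname(packet)
    if not is_blocked(name):
        return None
    txid, question = packet[:2], packet[12:qend]
    qtype = struct.unpack("!H", packet[qend - 4:qend - 2])[0]
    if mode == "nxdomain" or qtype != 1:
        # Flags 0x8183: QR=1, RD=1, RA=1, RCODE=3 (NXDOMAIN), no answer records
        return txid + struct.pack("!HHHHH", 0x8183, 1, 0, 0, 0) + question
    # Redirect: NOERROR with one A record; 0xC00C points back at the QNAME
    rdata = bytes(int(octet) for octet in BLOCK_PAGE_IP.split("."))
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + rdata
    return txid + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0) + question + answer
```

Everything the filter decides on is the hostname in the question section; the query carries no URL path or HTTP content, so the policy granularity is the domain.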
