Blocking Malicious and Anonymous Domain Names
Web filters block known harmful domains and those registered anonymously or for free.
Plain language
This control is about using web filters to automatically block access to harmful websites, including those that hide who registered them or can be set up for free. If this is not done, people in your organisation could accidentally visit dangerous websites, leading to data breaches or security issues.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for gateways
Section
Web content filters
Official control statement
Malicious domain names, dynamic domain names and domain names that can be registered anonymously for free are blocked by web content filters.
Why it matters
If malicious, dynamic or free anonymous domains aren’t blocked by web filtering, users may browse to phishing/malware sites, causing credential theft, malware infection and data loss.
Operational notes
Keep web content filter threat feeds current, enable blocking for malicious, dynamic DNS and free anonymous domains, and review web proxy/DNS logs to tune categories and add emerging domains.
Implementation tips
- IT team should set up a web filtering tool: They need to install software designed to block access to known harmful or suspicious websites. This involves using services that maintain lists of such websites and configuring the software to enforce these restrictions.
- Managers should educate staff about web filtering: They need to hold short training sessions explaining why certain websites are blocked. This helps people understand that these measures are in place for security, even if they find it inconvenient.
- Procurement should ensure web filters are up-to-date: When buying or renewing software, they should check that the web filtering tool auto-updates to the latest list of harmful websites. This keeps protection current as new threats emerge.
- System owners should regularly test the web filter: They need to check that it's correctly blocking known bad websites and reporting what it's doing. Set this up as a monthly task and review any user complaints about false positives (websites wrongly blocked).
- Security teams should monitor block reports: Regularly review reports generated by the filtering software to see which sites are being blocked and investigate any patterns that suggest new threats. Adjust policies if new types of threats are identified.
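The log review described in the operational notes and the monthly filter test can be partly automated. The following is an added example, not part of the ISM or of any filter product: it scans proxy log lines for requests to dynamic DNS or free-registration domains that were allowed rather than blocked. The four-field log format, the sample lines and the short suffix lists are assumptions made for illustration; a real deployment would use the filter vendor's category feed and its own log schema, which also cover known malicious domains.

```python
from collections import Counter

# Assumed, illustrative lists; replace with the filter vendor's category feeds.
DYNAMIC_DNS_SUFFIXES = {"duckdns.org", "ddns.net", "hopto.org"}
FREE_ANON_TLDS = {"tk", "ml", "ga", "cf", "gq"}

# Constructed sample log (assumed format): timestamp user action host
SAMPLE_LOG = """\
2026-03-02T09:14:07Z alice ALLOW intranet.example.com
2026-03-02T09:15:41Z bob BLOCK updates.duckdns.org
2026-03-02T09:16:02Z carol ALLOW files.hopto.org
2026-03-02T09:17:30Z dave ALLOW login-portal.tk
2026-03-02T09:18:55Z erin BLOCK promo.ml
2026-03-02T09:19:12Z frank ALLOW notduckdns.org
2026-03-02T09:20:00Z malformed line
"""

def classify(host):
    """Return 'dynamic', 'free-anonymous' or None, matching on whole DNS labels."""
    labels = host.lower().rstrip(".").split(".")
    # Compare every label-aligned suffix so 'notduckdns.org' does not match 'duckdns.org'.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in DYNAMIC_DNS_SUFFIXES:
            return "dynamic"
    if labels[-1] in FREE_ANON_TLDS:
        return "free-anonymous"
    return None

def review(log_text):
    """Return (gaps, blocked): gaps are ALLOWed requests the control says to block."""
    gaps, blocked = [], Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[2] not in ("ALLOW", "BLOCK"):
            continue  # skip malformed lines instead of failing the whole review
        ts, user, action, host = fields
        category = classify(host)
        if category is None:
            continue
        if action == "ALLOW":
            gaps.append((ts, user, host, category))
        else:
            blocked[category] += 1
    return gaps, blocked

if __name__ == "__main__":
    gaps, blocked = review(SAMPLE_LOG)
    print("Blocked by category:", dict(blocked))
    for ts, user, host, category in gaps:
        print(f"FILTER GAP {ts} {user} reached {host} ({category})")
```

Each reported gap is a candidate for a policy fix, and the per-category block counts can be kept as evidence that the filter is enforcing the control.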
Audit / evidence tips
- Ask for the web filter installation documentation: Request records from the IT team detailing what software is used and how it's configured to block anonymous or free domains.
  Good: clear settings that show these kinds of domains are actively blocked.
- Ask for records of staff training sessions: Request the schedule and agenda of meetings held to educate staff about web filtering.
- Ask to see the subscription details of the web filter: Request documentation of the current software subscription.
  Good: an up-to-date subscription with automatic updates enabled, showing the organisation is actively managing this risk.
- Ask for the test logs of the web filter: Request records from system owners showing the results of recent tests on the web filtering system.
  Good: a log with blocked sites and any corrective actions taken.
- Ask for access to recent block reports: Request to see recent reports from the web filtering software.
  Good: a summary of findings and actions taken by the security team.
Cross-framework mappings
How ISM-1236 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.23 | ISM-1236 requires web content filters to block malicious domains, dynamic domains, and domains that can be registered anonymously for free | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.