[willcipriano]

Fair enough. On the other hand it can also prevent users from stumbling upon malware distribution sites by both blocking them directly and secondly blocking advertisements that often link to malware.

All of this of course is part of defense in depth, multiple layers of incomplete protection is better than nothing at all.

[acdha]

Oh definitely, I'm not saying that there's _no_ benefit — the key point is the distinction between something which you control to something you don't. DNS filtering is good for clients you control but it's important to understand that you can't force malware to use it to avoid accidentally thinking that you're protected against other threats (which I've heard various times from people who should know better but weren't thinking about it carefully in-depth at the time).