I started using #cloudflare’s 1.1.1.2/1.0.0.2 DNS servers (Comcast doesn’t seem to be filtering that). It will automagically filter out known malware sites, which is nice for the folks on my LAN.

Here’s a URL you can test with: https://phishing.testcategory.com/

A normal DNS will resolve that to a resolvable IP, Cloudflare (and others with similar services; pick your favorite) will resolve it to 0.0.0.0, a non-routable IP, preventing your users from accessing it.