Once you know of a phishing attack (or malware activity) you need to check what users fell for it. For prevention, your run of the mill phishing campaign blasts emails at a large number of recipients,you can block domains it uses to prevent infection or visits to malicious URLs.
In essence,defenders need to monitor for and block attacker infrastructure.
Though I will say inspecting DNS for phishing protection is like watching your front door to catch a burglar.