Enabling and configuring DNS Protection

Before you can deploy the DNS Protection agent, it must be enabled in the Management Console.

To enable and configure DNS Protection:

  1. In the navigation pane, click the Settings tab.

  2. In the Subscriptions tab, activate a trial or enable a subscription to DNS Protection.

  3. Enable DNS Protection for the desired Site.

    • If you are using the Managed Service Provider view, in the navigation pane, click the Sites List tab. Then, select the Site that you want to enable DNS Protection on and click the DNS Protection tab.

    • If you are configured for the Business view, in the navigation pane, click the DNS Protection tab.

  4. Enable DNS Protection using the slider control.

  5. If required, select your keycode type.

    • Full provides the full product with no limitations. You will be billed for this service.

    • Trial provides the full product, limited to a free, 30-day trial.

  6. Under Agent Settings, select a default DNS Site Policy. Whenever a new agent is installed, this Policy is assigned by default.

    • DNS High Protection is the recommended starting Policy. It blocks all security categories as well as Human Resource Protections and Questionable/Legal content.

    • DNS Medium Protection provides the same security as DNS High Protection, but does not block Questionable/Legal content.

    • Custom Policies are also easily created. See Managing DNS Protection Policies.

  7. Under Agent Settings, the Domain Bypass setting is provided for domains that need to be looked up by the local DNS resolvers, such as Active Directory domains.

    • Domains entered in the list are resolved by the local DNS resolver and are not filtered.

    • To avoid any possible resolution issues, we recommend that you add any Active Directory domains in use.

    • Wildcards can be used to include any subdomains, such as *.webroot.com.

    • The Domain Bypass List only applies to the DNS Protection agent.

  8. Under Network Settings, you can enter details to protect all devices on the network, such as guest or IoT devices, even if no agent is installed.

    • Static IP: Identify the public IPv4 address used for internet access (WAN IP).

    • Dynamic IP: If a static IP address is not available, a domain associated with Dynamic DNS service can be entered. Once a domain is entered, the current corresponding IP address will be displayed beside the Domain / IP Address box.

    • Select a Policy to associate with the IP address. Any DNS requests received from this IP address are resolved based on this Policy.

    • Select Add Network to complete adding the IP address for this network. Note that this change will not take effect until you click Save.

    • If you need to add multiple networks or circuits, add the additional Domains / IP Addresses, then click Add Network.

  9. Under DNS Resolver Lookup, use the Network Location menu to identify the best DNS resolvers for your region. Note that this is not a setting, but rather a mechanism to identify the most appropriate resolvers.

    • Select the correct Network Location for the Site on which you have enabled DNS Protection.

    • The best primary and secondary DNS servers are shown.

    • Once you have identified the best resolvers, these IP addresses can be used as your DNS Forwarders (AD) or the DNS servers in your router.

    • We strongly recommend testing DNS resolution to these servers before changing the configuration of your network. For example, nslookup can be used: nslookup www.webroot.com 35.226.80.229. If the server does not respond, verify the IP address entered in step 8 before updating your network configuration.

  10. Under Advanced Settings, select whether the agent can be enabled on servers.

    • When checked, the DNS Protection agent will enable and try to filter on servers.

    • This is not typically recommended as the DNS Protection agent will conflict with Azure servers or with other services providing DNS resolution.

    • To protect DNS servers, we recommend that you use network filtering by registering the network and adding the resolvers as DNS Forwarders, as described in steps 8 and 9.

    • If you selected the Enable Agent on Servers check box, the DNS Protection agent will enable and filter on RDS / Terminal Service servers, as well as other servers without the DNS role.

  11. When done, click Save.
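
The resolver test recommended in the DNS Resolver Lookup step can be scripted so that both the primary and secondary servers are checked before the network configuration is changed. The following Python script is an added example, not Webroot code; the function names, the 3-second timeout and the command-line usage are assumptions.

```python
# Added example: function names and the timeout are assumptions, not Webroot's.
import secrets
import socket
import struct
import sys

def build_query(name, txid):
    """Build a DNS query for the A record of `name` (recursion desired)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").encode("idna").split(b".")
    qname = b"".join(bytes([len(part)]) + part for part in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_reply(data, txid):
    """Return (ok, detail) for a raw DNS reply to the query sent with `txid`."""
    if len(data) < 12:
        return False, "truncated reply"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:  # wrong ID or QR bit not set
        return False, "not a reply to our query"
    rcode = flags & 0x000F
    if rcode != 0:
        return False, f"rcode {rcode}"
    return True, f"NOERROR, {ancount} answer record(s)"

def check_resolver(resolver_ip, name="www.webroot.com", timeout=3.0):
    """Send one UDP query to resolver_ip:53 and report whether it answered."""
    txid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name, txid), (resolver_ip, 53))
            data, _ = sock.recvfrom(4096)
        except OSError as exc:  # a timeout is also an OSError
            return False, f"no response ({exc})"
    return parse_reply(data, txid)

def safe_to_switch(results):
    """Proceed only when every candidate resolver answered successfully."""
    return bool(results) and all(ok for ok, _ in results.values())

if __name__ == "__main__":
    # Pass the primary and secondary resolver IPs shown under DNS Resolver Lookup.
    results = {ip: check_resolver(ip) for ip in sys.argv[1:]}
    for ip, (ok, detail) in results.items():
        print(f"{ip}: {'OK' if ok else 'FAIL'} - {detail}")
    sys.exit(0 if safe_to_switch(results) else 1)
```

A non-zero exit status means at least one resolver did not answer; as noted above, verify the IP address registered under Network Settings before updating forwarders or router DNS settings.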