Installing the DNS Protection agent through Endpoint Protection
In instances where both Endpoint Protection and DNS Protection will be used, the DNS Protection agent should be installed through Endpoint Protection. If the MSI is used on systems already running Endpoint Protection, or if Endpoint Protection is added to a system already running DNS Protection, Endpoint Protection will manage the DNS Protection agent per its configuration.
To deploy the DNS Protection agent using an Endpoint Protection Policy:
- In the navigation pane, go to Manage > Policies.
- From the Endpoint Protection tab, select the Policy that uses the Entities that you want to install the DNS Protection agent on.
  - We recommend that you make a copy of this Policy. Once editing is complete, this new Policy can be applied to the Entities that you want to install the DNS Protection agent on.
  - Alternatively, this Policy can be edited (excluding System Policies) to install the DNS Protection agent. In the Policy Usage section, you can identify which systems will be affected.
- In the DNS Protection section, turn Install DNS Protection to On.
- Click Save.
This new Policy can now be applied as default, to Groups, and individual Entities.
The next time Entities using this Policy check in, the DNS Protection agent is installed.
When a DNS Protection agent is installed on an endpoint, the following occurs:
- The DNS Protection agent will validate the keycode as well as the associated DNS Protection license.
- The agent will automatically update to the most recent available version.
- A new service called “Webroot DNS Protection Agent” is created and started.
- When the service starts, the DNS settings for the active network adapter are identified for internal DNS resolution, such as Active Directory.
- The service then sets the network adapter DNS settings (both IPv4 and IPv6) to loopback addresses (127.0.0.1 and ::1), so that DNS requests are redirected to the agent.
- All external DNS requests are sent via DoH (DNS over HTTPS) to the DNS resolvers for fast, filtered resolution.
- All Active Directory and local DNS requests are resolved by the previously identified DNS resolvers for the active network adapter.
- While the DNS Protection agent service is running, any network adapter DNS changes are promptly reverted to loopback.
- If the service is stopped or the agent is uninstalled, the network adapter DNS settings are returned to their original settings.
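The behaviour listed above can be checked on an endpoint by comparing the service state with the adapter DNS settings. The following PowerShell is an added example, not vendor-supplied code; it assumes the quoted service name matches either the service's display name or its short name, and it uses the built-in `Get-Service`, `Get-NetAdapter` and `Get-DnsClientServerAddress` cmdlets. `Get-DnsState` is a helper name introduced for this example.

```powershell
# Added example (not vendor code): check one endpoint against the behaviour listed above.
# Assumption: "Webroot DNS Protection Agent" may be the service's display name or short name.
$AgentName = 'Webroot DNS Protection Agent'
$Loopback  = @('127.0.0.1', '::1')

function Get-DnsState {
    param([bool]$AgentRunning, [string[]]$Servers)
    # Loopback-only: at least one server configured and every one is 127.0.0.1 or ::1.
    $nonLoopback  = @($Servers | Where-Object { $_ -and ($Loopback -notcontains $_) })
    $loopbackOnly = ($Servers.Count -gt 0) -and ($nonLoopback.Count -eq 0)
    if ($AgentRunning -and $loopbackOnly) { return 'OK: DNS handled by agent' }
    if ($AgentRunning) { return 'REVIEW: agent running, adapter DNS not loopback' }
    if ($loopbackOnly) { return 'REVIEW: agent not running, DNS still loopback' }
    return 'INFO: agent not running, original DNS in use'
}

# Locate the agent service by either name form and record whether it is running.
$svc = Get-Service |
    Where-Object { $_.Name -eq $AgentName -or $_.DisplayName -eq $AgentName } |
    Select-Object -First 1
$running = [bool]($svc -and $svc.Status -eq 'Running')

# Report every adapter that is up, with its IPv4 and IPv6 DNS servers combined.
$report = foreach ($nic in (Get-NetAdapter | Where-Object { $_.Status -eq 'Up' })) {
    $dns = @((Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex).ServerAddresses |
        Where-Object { $_ })
    [pscustomobject]@{
        Adapter    = $nic.Name
        DnsServers = $dns -join ', '
        State      = Get-DnsState -AgentRunning $running -Servers $dns
    }
}
$report | Format-Table -AutoSize
```

The page describes the agent acting on the active network adapter, so a REVIEW line on a virtual or secondary adapter needs to be judged against which adapter actually carries the endpoint's traffic.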
DNS Protection agents will uninstall in the following situations:
- If you are using a trial of DNS Protection in conjunction with Endpoint Protection and it expires, the DNS Protection agent is automatically uninstalled the next time the device checks in.
- If the Endpoint Protection Policy is changed to no longer install DNS Protection, DNS Protection is automatically uninstalled the next time the device checks in.
- If an Uninstall Agent Command is sent to any device running DNS Protection.
- If the DNS Protection agent is uninstalled from Add/Remove Programs. Note that if the agent was installed by the Endpoint Protection agent, it will automatically be reinstalled.
- If a Site is deactivated, the DNS Protection agent will automatically uninstall.
DNS Protection agents will stop filtering and managing DNS requests if the DNS Protection agent was installed directly with the MSI (not through Endpoint Protection) and the license or trial expires. The DNS Protection agent will then return the DNS settings to their original values and will only resume filtering once the license is validated again. Note that the Uninstall Agent Command will remove the DNS Protection agent from the Entity.