DNS Protection
DNS Protection provides a globally available secure DNS resolution service with integrated policy controls and reporting in Sophos Central. It uses SophosLabs' real-time threat intelligence to protect your organization from malicious domain activity and allows you to define policies or domain lists according to your corporate policies.
To use DNS Protection, you must add the locations you want to protect to Sophos Central by specifying the public IP addresses of their networks. You must then update the DNS settings on those networks so that they use DNS Protection to resolve DNS requests. DNS Protection always blocks sites that SophosLabs flags as a threat or security risk, so any DNS request coming from your account is protected.
You can also create your own policies to allow and block domains individually or by category and assign them to locations.
For domains you've blocked, users can see a message (HTTPS response) explaining why these domains are blocked. To show this HTTPS response, ensure you install the DNS Protection root certificate in users' browsers.
You can use logs and reports to check whether DNS requests are going through DNS Protection and to troubleshoot other issues with DNS Protection.
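The two prerequisites above (a registered location and resolvers pointed at the service) can be checked per site before you look at the logs. The following is an added example, not code from the Sophos documentation; it assumes a resolv.conf-style nameserver list and uses constructed placeholder values for the DNS Protection resolver addresses and the location networks, which you would replace with the values from your Sophos Central setup.

```python
import ipaddress

# Constructed placeholders: replace with the resolver addresses shown in
# Sophos Central and the public networks you added as locations.
DNS_PROTECTION_RESOLVERS = {"203.0.113.53", "203.0.113.54"}
LOCATION_NETWORKS = ["198.51.100.0/24", "192.0.2.0/24"]


def parse_nameservers(resolv_conf: str) -> list:
    """Return the nameserver addresses from resolv.conf-style text."""
    servers = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) == 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def check_location(public_ip: str, resolv_conf: str) -> dict:
    """Report whether a site's egress IP is a registered location and
    whether every configured resolver is a DNS Protection resolver.

    Any resolver outside the service bypasses policy and SophosLabs
    blocking, so the site is only covered when 'bypass' is empty."""
    ip = ipaddress.ip_address(public_ip)
    in_location = any(ip in ipaddress.ip_network(n) for n in LOCATION_NETWORKS)
    servers = parse_nameservers(resolv_conf)
    bypass = [s for s in servers if s not in DNS_PROTECTION_RESOLVERS]
    return {
        "location_registered": in_location,
        "nameservers": servers,
        "bypass": bypass,
        "covered": in_location and bool(servers) and not bypass,
    }


# Constructed sample: the second resolver is not the service, so queries
# from this site can leak around DNS Protection.
SAMPLE_RESOLV_CONF = """# generated by DHCP
nameserver 203.0.113.53
nameserver 192.0.2.1
search corp.example
"""

if __name__ == "__main__":
    print(check_location("198.51.100.10", SAMPLE_RESOLV_CONF))
```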
The DNS Protection dashboard shows the usage summary, a graph of the web gateway traffic, and a table highlighting the number of queries for the top domains in the last seven days.
Note
DNS Protection is an IPv4-based DNS service that's also capable of resolving IPv6 addresses. You don't need a separate IPv6 DNS server to resolve IPv6 addresses.
Licensing
To use DNS Protection, you must have one of the following licenses:
- Xstream Protection: Includes only the standalone DNS Protection capabilities and doesn't include Sophos Endpoint. This license is Sophos Firewall's Xstream Protection subscription. For Xstream Protection license details, see DNS Protection licenses.
- Workspace Protection: Includes DNS Protection for endpoints. This integration secures DNS traffic generated from computers protected by Sophos Endpoint. To use DNS Protection for endpoints, you must have a Workspace Protection license. For Workspace Protection license details, see Workspace Protection licenses.
Both licenses include the DNS over HTTPS feature.
These pages describe how to set up and use standalone DNS Protection. For details about Sophos DNS Protection for endpoints, see Endpoint DNS Protection policy.
Set up DNS Protection
To set up DNS Protection, you must do as follows:
- Add locations you want to protect. See Locations.
- Set up your network. See Set up your network.
- Add policies. See Policies.
Role-based access control (RBAC)
DNS Protection access depends on the administration roles you've defined in Sophos Central. For more information, see Administration Roles.