Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/central/customer/help/en-us/index.html?contextId=DNS-protection-network-setup

Set up your network

To set up your network to use DNS Protection, you must update the configuration of your network or devices to ensure that DNS requests are resolved using the DNS Protection IP addresses.

You must set up the network at every location you add to DNS Protection.

DNS servers

Most networks use DHCP to instruct devices which DNS server to use. You may have manually configured some devices to use specific DNS servers.

If you've already configured your devices to use a local DNS resolver on your network, such as Windows DNS or Sophos Firewall's DNS feature, you must update that resolver to use DNS Protection as the DNS forwarder.

See the instructions for the DNS server you use:

If you're using an external DNS service (such as Google Public DNS or Cloudflare DNS), you must update the configuration of your DHCP server to replace the existing service IP address with the DNS Protection IP address.

If you've manually configured devices to use an external DNS service, configure them to use DNS Protection directly.

See the instructions for your users' devices:

Recommendations

We recommend you do as follows:

  • To prevent DNS hijacking by ISPs, add the DNS Protection IP addresses to the DNS settings on your router.
  • Turn off Limit IP Address Tracking on iPhone devices.

DNS Protection root certificate

To ensure your users see block pages, you must install the DNS Protection root certificate in your users' devices.

See the instructions for your users' devices:

If you're using a firewall with SSL/TLS inspection turned on, you must upload the HTTPS scanning CA certificate used in the firewall to your users' devices. For Sophos Firewall, see Sophos Firewall: Install the SSL CA certificate. If you're using another firewall, see your firewall's documentation.

Check your configuration

To check your DNS Protection configuration, do as follows:

  1. Go to My Products > DNS Protection > Installers.
  2. Under Check your configuration, click Copy next to URL.

  3. In a web browser, type the URL you copied.

    If you see the welcome message, you've configured DNS Protection correctly.