Skip to content

DNS Protection


This feature is currently in the Early Access Program (EAP). Register for the EAP.

DNS Protection provides a globally available secure DNS resolution service. It prevents your users from accessing domains that don't comply with your corporate policy.

To use DNS Protection, you must add the locations you want to protect to Sophos Central by specifying the public IP addresses of their networks. You must then update the DNS settings on your networks to use DNS Protection for resolving DNS requests. DNS Protection will always block sites SophosLabs flags as a threat or security risk. So, any DNS requests coming from your account will be protected.

You can also create your own policies to allow and block domains individually or by category and assign them to locations.

For domains you've blocked, users can see a message (HTTPS response) explaining why these domains are blocked. To show this HTTPS response, ensure you install the DNS Protection root certificate in users' browsers.

You can use logs and reports to check whether or not DNS requests are going through DNS Protection and troubleshoot other issues with DNS Protection.

The DNS Protection dashboard shows the usage summary, a graph of the web gateway traffic, and a table highlighting the number of queries for the top domains in the last seven days.


DNS Protection is an IPv4-based DNS service that is also capable of resolving IPv6 addresses. You don't need a separate IPv6 DNS server to resolve IPv6 addresses.

Set up DNS Protection

To set up DNS Protection, you must do as follows:

  1. Add locations you want to protect. See Locations.
  2. Set up your network. See Set up your network.
  3. Add policies. See Policies.