
Configure Endpoint DNS Protection policy

The Endpoint DNS Protection policy is available only if you've joined the Workspace Protection early access program (EAP).

To configure the Endpoint DNS Protection policy, you must add the devices you want to protect, turn DNS Protection on, and specify additional settings, such as domain exclusions and block pages.

Requirements

You must meet the following requirements to configure this policy:

  1. Join the Workspace Protection and New Endpoint Protection Features early access programs (EAPs).

    To join the EAPs, do as follows:

    1. Go to your Profile icon and click Early access programs.
    2. Click Workspace Protection and New Endpoint Protection Features to join these programs.
  2. Make sure you've installed the Endpoint agent on all the devices you want to protect. See Endpoint.

Turn DNS Protection on in the Endpoint agent

To turn DNS Protection on in the Endpoint agent, do as follows:

  1. Go to My Products > Endpoint > Computers.
  2. Select the computers you want to protect and click Manage Endpoint Software.

    Note

    You can only add Windows endpoints. Windows Server and macOS endpoints aren't supported at this time.

  3. Under DNS, select Install.

    Note

    You will see DNS & ZTNA instead of DNS if you have a ZTNA license.

  4. Click Save.

Create an Endpoint DNS Protection policy

To create an Endpoint DNS Protection policy, do as follows:

  1. Go to My Products > Endpoint > Policies and click Add policy.
  2. Under Type, select Device.
  3. In Feature, select Endpoint DNS Protection and click Continue.
  4. Add computers or computer groups you want to protect.

    Note

    You can only add Windows endpoints. Windows Server and macOS endpoints aren't supported at this time.

  5. Under Policy Active, make sure Policy is Active is turned on. It's turned on by default.

  6. Click Settings to set up DNS Protection.

Settings

You can turn DNS Protection on, add domain exclusions, and specify settings to show block pages.

Turn DNS Protection on

To turn DNS Protection on, do as follows:

  1. Turn Use Sophos DNS Protection on.
  2. Select the location to which you want to assign the devices. You can select the Default location, or configure a new location in DNS Protection and then select it from this list. See Add a location (Workspace Protection EAP).

    Note

    If you create a new location in DNS Protection, make sure you select Secure DNS as the connection method.

Domain exclusions

You can specify the domains that you don't want Sophos Endpoint to redirect to DNS Protection. Queries for these domains are resolved by your local or network DNS server instead.

  • Domains: Add the domains you want to exclude from DNS Protection. All subdomains of these domains are automatically excluded.
  • Retry with system- or application-configured DNS services when DNS Protection returns NXDOMAIN: DNS Protection returns an NXDOMAIN response when the queried name can't be resolved from public DNS records. This happens, for example, when your organization uses private DNS zones hosted on an internal DNS server for local network resources. Select this option to retry such requests with the DNS servers configured on the system or in the application, instead of redirecting them to DNS Protection. The retry applies only to NXDOMAIN responses; names that resolve, or that DNS Protection blocks, are not retried.

Tip

For best performance, we recommend that you add the domain names of internal zones to the domain exclusion list instead of relying on the retry option. An excluded domain is sent to your local DNS server directly, whereas the retry option costs an extra lookup for every name that DNS Protection can't resolve.
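The routing decisions described in this section, as an added worked model. This is not Sophos code and does not show how the Endpoint agent is implemented: the two resolvers are constructed lookup tables (RFC 5737 documentation addresses and private 10/8 addresses), and treating a block-page answer as a positive answer rather than an NXDOMAIN is an assumption of the model. It shows why the subdomain match must respect label boundaries, and which queries the retry option does and does not send to the local resolver.

```python
# Illustrative model of Endpoint DNS Protection domain exclusions and NXDOMAIN retry.
# Not Sophos code; resolvers are constructed lookup tables standing in for real servers.
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# A resolver answer: ("answer" | "blocked" | "nxdomain", address or None)
Answer = Tuple[str, Optional[str]]
Resolver = Callable[[str], Answer]


@dataclass
class ExclusionPolicy:
    domains: List[str] = field(default_factory=list)  # the "Domains" exclusion list
    retry_on_nxdomain: bool = False                   # the "Retry with system- or application-configured DNS..." option


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so 'Host1.CORP.internal.' equals 'host1.corp.internal'."""
    return name.strip().rstrip(".").lower()


def is_excluded(qname: str, exclusions: List[str]) -> bool:
    """True if qname is an excluded domain or any subdomain of one.

    The label-boundary check ('.' + ex) is what stops 'evilcorp.internal'
    from matching an exclusion for 'corp.internal'.
    """
    name = normalize(qname)
    for ex in exclusions:
        ex = normalize(ex)
        if ex and (name == ex or name.endswith("." + ex)):
            return True
    return False


def route_query(qname: str, policy: ExclusionPolicy,
                protection: Resolver, local: Resolver) -> Tuple[str, str, Optional[str]]:
    """Decide where a query goes and return (path, rcode, address).

    path is 'excluded->local', 'protection' or 'nxdomain-retry->local'.
    """
    name = normalize(qname)
    if is_excluded(name, policy.domains):
        rcode, addr = local(name)                 # never touches DNS Protection
        return ("excluded->local", rcode, addr)
    rcode, addr = protection(name)
    # Only a genuine NXDOMAIN falls through to the local resolver. A block-page
    # answer is a positive answer in this model and is never retried (assumption).
    if rcode == "nxdomain" and policy.retry_on_nxdomain:
        rcode, addr = local(name)
        return ("nxdomain-retry->local", rcode, addr)
    return ("protection", rcode, addr)


# Constructed sample records (documentation and private ranges, not real hosts).
PROTECTION_TABLE = {
    "www.example.com": ("answer", "192.0.2.10"),
    "phish.example.net": ("blocked", "192.0.2.250"),  # block page address
}
LOCAL_TABLE = {
    "host1.corp.internal": ("answer", "10.0.0.5"),
    "wiki.branch.example": ("answer", "10.0.1.20"),
}


def protection_resolver(name: str) -> Answer:
    return PROTECTION_TABLE.get(name, ("nxdomain", None))


def local_resolver(name: str) -> Answer:
    return LOCAL_TABLE.get(name, ("nxdomain", None))


def demo() -> dict:
    policy = ExclusionPolicy(domains=["corp.internal"], retry_on_nxdomain=True)
    queries = ["Host1.CORP.internal.", "evilcorp.internal", "wiki.branch.example",
               "www.example.com", "phish.example.net"]
    return {q: route_query(q, policy, protection_resolver, local_resolver) for q in queries}


if __name__ == "__main__":
    for q, result in demo().items():
        print(f"{q:24} -> {result}")
```

Running the demo shows the three paths side by side: the excluded zone goes straight to the local resolver, `wiki.branch.example` reaches the local resolver only because the retry option is on and DNS Protection returned NXDOMAIN, and the blocked name stays with DNS Protection regardless of the retry setting.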

Show block pages

DNS Protection shows block pages for the domains you've blocked. Block pages show a message explaining why a domain is blocked. For users to see these pages instead of a browser certificate warning on HTTPS sites, the DNS Protection root certificate must be installed in the trusted root store of their devices.

Turn Automatically deploy the DNS Protection signing certificate to devices to show block pages on to install the root certificate on users' devices automatically.