NOTE: Webroot recommends installing the DNS Protection agent on endpoints and configuring the network to use DNS Protection in order to achieve the best results. This provides coverage at both the perimeter and the device level.
This article covers configuring the network component. For additional information on how to deploy the agent software, see the User Guide.
There are three main steps involved in configuring the network settings:
Configuring the Webroot Console
1. After logging into the Admin console and selecting Sites, choose the site that you want to configure and click the Manage button.
2. Under Sites, select the DNS tab.
3. Scroll down to the Network Settings section and click the Add Row button.
4. In the IP Address field, enter the appropriate WAN IP (external IP or egress IP). If you are unsure of your WAN IP, one method to retrieve it is to go to www.google.com and search for "what is my ip".
5. From the Policy drop-down menu, select a policy to be used.
The selected policy applies only to devices that do not have an agent policy assigned.
Testing the Webroot DNS Protection Servers
Now that the DNS Protection service has been configured with the proper WAN IP, it is time to test, using the process below. Make sure to execute the test from an endpoint that is on this network.
- Open a command prompt.
- Type nslookup
- Change the server to be 18.104.22.168, type server 22.214.171.124
- Note: This IP only serves network DNS requests; agent requests are handled by a different system.
Configuring the network
The DNS forwarders have to be configured to send DNS requests to the proper IP addresses. On your router or Windows server, set up the DNS forwarders to reflect these settings:
- DNS1: 126.96.36.199
- DNS2: 188.8.131.52
- DNS3: Failover DNS Server; check with ISP or use 184.108.40.206, which is Google’s free DNS service
For the Webroot DNS Protection service to function correctly, the following IP addresses and ports must be allowed on any perimeter security devices (firewalls, IPS/IDS):
- 220.127.116.11 (Required for DNS Protection client)
- 18.104.22.168 (Required for DNS Protection client)
- 53 (TCP & UDP)
- 7777 (TCP & UDP - Required for DNS Protection client)
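As an added example (not part of Webroot's documentation or tooling), the following PowerShell script audits the forwarder list above on a Windows DNS server, optionally applies it, and checks that each forwarder answers on port 53 over both UDP and TCP. The -Apply switch and the test name example.com are assumptions of this example; the cmdlets are the standard DnsServer and DnsClient ones.

```powershell
# Added example (not Webroot tooling). Run elevated on the Windows DNS server;
# needs the DnsServer and DnsClient modules that ship with Windows Server.
param([switch]$Apply)   # without -Apply the script only audits

# Forwarder values copied from the list above. DNS3 is the failover the
# article suggests; substitute your ISP's resolver if you use that instead.
$Expected = '126.96.36.199', '188.8.131.52', '184.108.40.206'
$TestName = 'example.com'   # assumption: a name that should always resolve

if ($Apply) {
    Set-DnsServerForwarder -IPAddress $Expected
}

# 1. Audit: the configured list must match the documented one, in order.
$current = @((Get-DnsServerForwarder).IPAddress | ForEach-Object { $_.ToString() })
$inOrder = ($current -join ',') -eq ($Expected -join ',')
"Forwarders configured  : $($current -join ', ')"
"Matches documented list: $inOrder"

# 2. Reachability: port 53 must work over both UDP and TCP (see the port list).
$results = foreach ($ip in $Expected) {
    foreach ($proto in 'UDP', 'TCP') {
        $ok = $true
        try {
            $q = @{ Name = $TestName; Type = 'A'; Server = $ip
                    DnsOnly = $true; ErrorAction = 'Stop' }
            if ($proto -eq 'TCP') { $q.TcpOnly = $true }
            Resolve-DnsName @q | Out-Null
        } catch { $ok = $false }
        [pscustomobject]@{ Server = $ip; Protocol = $proto; Answered = $ok }
    }
}
$results | Format-Table -AutoSize

# 3. Flag drift so it is noticed instead of silently bypassing DNS Protection.
if (-not $inOrder -or ($results.Answered -contains $false)) {
    Write-Warning 'Forwarder list or port 53 reachability differs from the documented setup.'
}
```

A mismatch in step 1 means some DNS queries may leave the network through a resolver other than the ones listed above, so the policy selected in the console would not be applied to them.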