Webroot DNS: Tech Deep Dive and Q&A

  • 23 April 2021
  • 0 replies

DNS has acted as the directory of the internet since 1983. Only recently has it been upgraded to account for security and privacy concerns it wasn’t designed to address. In this video, DNS expert Jonathan Barnett explains how DNS-over-HTTPS (DoH) adds privacy and what it takes to keep it from interfering with security. The video also includes a product demo, setup walkthrough and Q&A.


Questions and Answers

We had so many people asking great questions at the end of the demo that we thought we'd write these out for everyone. Lots of great info, but if you have other questions for us, please ask away in the comments below.


If you enable the “Install DNS Protection” setting on the policy but it’s not enabled at the site, will it install it?

There are three things required to install the DNS Protection Agent. 1) An active DNS license. 2) DNS enabled on the site. 3) “Install DNS Protection” enabled in the policy. Conversely, the DNS Agent will uninstall if the Policy does not have “Install DNS Protection” enabled or if DNS Protection is disabled on the site.

What’s the best way for MSPs to use this? As we have devices that traverse many different domains, would it be necessary to add every client’s local domain to the Domain Bypass List? Does the agent automatically ignore .locals?

The DNS Agent queries for the AD domain the system belongs to and automatically excludes it. Additionally, .local, .localhost, .localdomain, .internal, .home, .mail and .corp are automatically routed internally. A domain only needs to be added to the bypass list when the internal zone sits under a valid public TLD, which is generally the exception.
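
A runnable model of the "route internally or send to the filtering resolver" decision described in the answer above, added here as an example. It is not Webroot's code: the suffix list is the one the answer gives, while the matching rules (case-insensitive, trailing dot ignored, suffix match on a label boundary) and the sample names are assumptions for this example.

```python
# Added example, not Webroot's code: a model of the "route internally or send
# to the filtering resolver" decision. The suffix list is the one given in the
# answer above; the matching rules are an assumption for this example.

# Special-use / non-public suffixes the answer says are routed internally.
SPECIAL_USE_SUFFIXES = (
    "local", "localhost", "localdomain", "internal", "home", "mail", "corp",
)


def _labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


def _is_under(name, suffix):
    """True when name equals suffix or ends with '.' + suffix on a label boundary.

    'notlocal.example.com' is NOT under 'local', and
    'corp.example.com.attacker.net' is NOT under 'corp.example.com'.
    """
    n, s = _labels(name), _labels(suffix)
    return len(s) > 0 and len(n) >= len(s) and n[-len(s):] == s


def route_query(qname, ad_domain=None, bypass_list=()):
    """Return 'local' if the query should go to the existing internal
    resolvers, otherwise 'filter' (the filtering resolver)."""
    if not _labels(qname):          # the root zone itself
        return "filter"
    if ad_domain and _is_under(qname, ad_domain):
        return "local"              # the machine's own AD domain, learned automatically
    if any(_is_under(qname, s) for s in SPECIAL_USE_SUFFIXES):
        return "local"
    if any(_is_under(qname, s) for s in bypass_list):
        return "local"              # admin-added exception: internal zone on a public TLD
    return "filter"


if __name__ == "__main__":
    # Constructed sample: an MSP-managed laptop joined to corp.example.com, with
    # one bypass entry because another customer's intranet zone is on a public TLD.
    ad = "corp.example.com"
    bypass = ["intranet.customer-two.com"]
    for q in ["dc01.corp.example.com", "nas.office.local", "notlocal.example.com",
              "corp.example.com.attacker.net", "wiki.intranet.customer-two.com",
              "www.example.org"]:
        print(f"{q:40} -> {route_query(q, ad, bypass)}")
```

The label-boundary check is the part worth copying: a naive `endswith(".local")` or `"local" in name` either misses names or, worse, lets `corp.example.com.attacker.net` be treated as internal.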

Dynamic IP support? How will that work as this is needed?

In the next console release, support for both domains and IPs will be available. This way you can add a static IP address to reference your network or you can add a domain and the corresponding IP will be looked up and registered.

When we setup DNS Protection years ago, we set up the Webroot DNS Forwarders as / Are these still valid or should we update to what the console is telling us by region?

These legacy DNS resolvers do still work but will be turned off in June 2021. Please update to the newly available IPs provided under the DNS tab that are appropriate for your region. The new resolvers are hosted on Google Cloud and are faster and more stable.

Can you white label the Block Page?

The block page can be customized with your own text, links and even a logo.

A Mac version of the client DNS is still coming, right? I know Big Sur changed a lot, plus the new Apple silicon, but we do have a lot of Apple devices that are work from home.

Currently, any device, be it IoT, Server or Mac, can be protected through the network. That said, we understand the need for a DNS Agent to be available and are actively working towards developing one.

If a customer has multiple locations with different DNS Servers, what happens when a user installs the DNS protection agent at one location and then travels to another location after which the user disables the DNS Service? Will it revert back to the original DNS settings captured at the first location or use the local DNS settings for the 2nd location?

The DNS Agent notes the existing DNS settings when the service starts as well as when connectivity status changes. When a system changes networks, the new connection is automatically accommodated, even when recovering from sleep and even if the SSID is the same. If the service is then stopped or uninstalled, the settings will be left correctly configured for the current network.

Is it safe to add the agent onto all systems in a domain environment alongside the network part on the static IP as well? Any differences in

It is a best practice to install the DNS Agent as well as set up the network for DNS Protection. The DNS Agent will manage DNS requests directly, and all devices on the network not running the agent will also be protected. The advantage of running the agent is that you have more granular control of policies and the DNS requests made by these systems are logged per system, whereas network-based requests are attributed to the registered IP.

So I’m using this already for several of my clients, but what I haven’t figured out how to do is customize the block landing page with each client’s logo. I found the override page, but it makes it the same for all clients.

There is a single block page per console at this time. It is a feature we are looking to improve in the future.

Will there be a separate block page for DNS Protection blocks as well as regular Web Threat Shield blocks? It would definitely be helpful to be able to change the text in the middle of the block page. We support some high-net-worth clients that want IT support, so they would want malware and P2P etc. blocked, but they don’t have an “acceptable use policy.”

Currently there are two separate block pages, although only the DNS Protection Block Page is customizable. We are reviewing different options to evolve this page to add this type of customization.

Will alerting be added to send admins alerts if system xyz is visiting domains/IPs based on their category?

Alerting for all products is being reviewed. This will include DNS Protection.

In Italy (and in Europe in general) you could get into trouble for spying on your employees if your reports show who searched what. Is there a way to disable those reports?

Yes, absolutely. There is a setting in the DNS Policy to “Hide User Information”. This obfuscates the username in the logs. The system name, domain and category are also effectively removed, although these are visible if a block is made for security reasons (the username is always hidden).

Can it handle Citrix and remote desktop servers? Does it know which user was blocked?

Yes, the DNS Agent can be installed on RDS servers and will log user requests. Note that in order for the DNS Protection agent to function on servers you must enable server support under the site DNS tab.

What is the cost to MSPs for this DNS service?

As with endpoint security, DNS Protection is priced per device.

On domain controllers, when installing the DNS agent, the IP for primary DNS is changed to loopback. This causes issues with the DC. We have also noticed some sites such as FedEx are affected.

The best practice is to protect servers through the network version of DNS protection (register the WAN IP and point your forwarders to Webroot’s resolvers). If you do install the DNS Agent on a server, the default behavior is for filtering to be disabled and the DNS settings will not be changed. If you do wish to use the agent on a server, you can enable Install on Servers in the advanced section of the DNS site configuration. It is not recommended to use the agent on DNS servers as it will conflict and cause DNS resolution problems.

In co-managed IT scenarios, when the customer has their own IT staff to help manage DNS Protection, are there custom DNS policies that can be configured at the Site Level by Site Admins?

Currently there is no visibility of the DNS settings from the endpoint console. This will become available for these customers at the global level in the future.

Many users have been receiving a DNS error page for a moment before a page loads. Is this a known issue being worked on?

This is an unusual occurrence. In our performance testing, we have found the DNS agent to improve page load speeds by up to 25% due to the improved DNS query management. Please reach out to support if this issue persists and we will help identify the cause.

What’s roughly the average time it takes for a DNS Protection change (override, policy change etc.) to propagate?

Many DNS changes happen very quickly, usually within five minutes. There are times when the system or browser cache can delay this especially if the original DNS request was fielded by a different DNS resolver with a long TTL set.

Can you quickly explain the Privacy settings Hide User Info, Local echo and Fail Open and what they mean?

1) Hide User Information - This obfuscates the username in the logs. The system name, domain and category are also effectively removed, although these are visible if a block is made for security reasons (the username is always hidden).
2) Local Echo - When a DNS request is received it is sent to the local resolvers as well as to Webroot. This gives the local DNS resolver visibility for login purposes, or for firewalls that control access based on DNS requests. Of note, the response from the Webroot resolvers is the one used; the local one is generally disregarded.
3) Fail Open - Determines whether or not the local resolver is used as a backup when the Webroot resolvers cannot be reached.
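
To make the three settings concrete, here is an added, runnable model of how a resolver-side agent could implement them (this is an illustration, not Webroot's code, and it also covers the "Hide User Information" answer given earlier on this page). Resolvers are plain callables returning a verdict dictionary, so everything runs offline; `ResolverDown` models an unreachable resolver. The field names, sample verdicts, usernames and the addresses (RFC 5737 documentation ranges) are constructed for this example.

```python
# Added example, not Webroot's code: a runnable model of what Hide User
# Information, Local Echo and Fail Open change. Resolvers are callables that
# return a verdict dict, so this runs offline. Names, verdicts and addresses
# (RFC 5737 documentation ranges) are constructed for the example.


class ResolverDown(Exception):
    """Raised by a resolver callable that cannot be reached."""


class RecordingResolver:
    """A fake resolver that remembers what it was asked (to show Local Echo)."""

    def __init__(self, verdicts=None, default_answer=("192.0.2.50",)):
        self.verdicts = verdicts or {}
        self.default_answer = list(default_answer)
        self.calls = []

    def __call__(self, qname):
        self.calls.append(qname)
        default = {"answer": self.default_answer, "category": "Uncategorized", "block": None}
        return dict(self.verdicts.get(qname, default))


def down(qname):
    """A resolver that is always unreachable."""
    raise ResolverDown(qname)


def resolve(qname, filtering, local, *, local_echo=False, fail_open=False,
            hide_user_info=False, user="alice", host="LAPTOP-01", domain="corp.example.com"):
    """Return (answer, log_record) for one query.

    local_echo:     the query is also sent to the local resolver, whose reply is ignored
    fail_open:      if the filtering resolver is unreachable, fall back to the local one
    hide_user_info: strip the username always; strip host/domain/category unless the
                    block was made for a security reason
    """
    if local_echo:
        try:
            local(qname)            # reply deliberately disregarded
        except ResolverDown:
            pass                    # a failing echo must never break resolution

    try:
        verdict = filtering(qname)
        source = "filtering"
    except ResolverDown:
        if not fail_open:
            # fail closed: no answer, and the record says why
            return None, {"qname": qname, "source": None,
                          "error": "filtering resolver unreachable"}
        verdict = local(qname)
        verdict["category"] = None  # no intelligence is applied on the fallback path
        verdict["block"] = None
        source = "local-fallback"

    record = {
        "qname": qname, "source": source,
        "category": verdict["category"], "block": verdict["block"],
        "user": user, "host": host, "domain": domain,
    }
    if hide_user_info:
        record["user"] = None
        if verdict["block"] != "security":
            record["host"] = record["domain"] = record["category"] = None
    return verdict["answer"], record


# Constructed sample verdicts for the filtering resolver. Blocked names answer
# with a block-page address (198.51.100.1, an assumption for this example).
SAMPLE_VERDICTS = {
    "www.example.com":      {"answer": ["203.0.113.80"], "category": "Business", "block": None},
    "malware.example.net":  {"answer": ["198.51.100.1"], "category": "Malware",  "block": "security"},
    "torrents.example.org": {"answer": ["198.51.100.1"], "category": "P2P",      "block": "policy"},
}


if __name__ == "__main__":
    filt, loc = RecordingResolver(SAMPLE_VERDICTS), RecordingResolver()
    print(resolve("www.example.com", filt, loc, local_echo=True))
    print("local resolver saw:", loc.calls)
    print(resolve("torrents.example.org", filt, loc, hide_user_info=True))
    print(resolve("malware.example.net", filt, loc, hide_user_info=True))
    print(resolve("www.example.com", down, loc, fail_open=False))
    print(resolve("www.example.com", down, loc, fail_open=True))
```

Two behaviours are worth checking against your own deployment: with Fail Open off, an unreachable filtering resolver means no resolution at all (the trade-off is availability against unfiltered lookups), and with Hide User Information on, a policy block leaves only the query name in the record while a security block still identifies the host.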

How does the Webroot DNS Protection Agent handle DoH?

The Webroot resolvers support DoH as well as the standard DNS Protocol. The DNS Protection Agent leverages DoH for communication back to the Webroot resolvers. Alternate DoH providers are blocked to make sure that the DNS configuration, both local and DNS Protection, is enforced.
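
Why blocking alternate DoH providers is the enforcement point: a DoH request is an ordinary DNS wire-format message carried inside HTTPS (RFC 8484), so nothing on the network can see the queried name, only the endpoint it was sent to. The following added example (standard library only, not Webroot's code; the endpoint URL is a placeholder) builds and decodes a DoH GET request to show exactly what is, and is not, visible.

```python
# Added example, not Webroot's code: what a DoH request carries. RFC 8484
# sends a normal DNS wire-format message inside HTTPS; for GET it is
# base64url-encoded without padding in the "dns" query parameter.
# The endpoint "https://doh.example/dns-query" is a placeholder.
import base64
import struct

QTYPE = {"A": 1, "NS": 2, "CNAME": 5, "TXT": 16, "AAAA": 28}
QTYPE_NAME = {v: k for k, v in QTYPE.items()}


def build_dns_query(qname, qtype="A", txid=0):
    """Build a minimal DNS query: RD set, one question, class IN.

    RFC 8484 recommends ID 0 for DoH so identical queries yield identical
    URLs that HTTP caches can serve.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD=1
    question = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".") if label
    ) + b"\x00"
    return header + question + struct.pack("!HH", QTYPE[qtype], 1)


def doh_get_url(endpoint, qname, qtype="A"):
    """Encode the query as a DoH GET URL: base64url with '=' padding stripped."""
    wire = build_dns_query(qname, qtype)
    token = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={token}"


def parse_dns_question(wire):
    """Decode the header and the single question of a DNS query message."""
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", wire[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    offset, labels = 12, []
    while True:
        length = wire[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(wire[offset:offset + length].decode("ascii"))
        offset += length
    qtype, qclass = struct.unpack("!HH", wire[offset:offset + 4])
    return {"id": txid, "rd": bool(flags & 0x0100), "qname": ".".join(labels),
            "qtype": QTYPE_NAME.get(qtype, qtype), "qclass": qclass}


def decode_doh_get(url):
    """Recover the question from a DoH GET URL. Only the resolver (or a proxy
    that terminates TLS) can do this; on the wire the URL is inside TLS."""
    token = url.split("?dns=", 1)[1].split("&", 1)[0]
    token += "=" * (-len(token) % 4)       # restore the padding RFC 8484 strips
    return parse_dns_question(base64.urlsafe_b64decode(token))


if __name__ == "__main__":
    url = doh_get_url("https://doh.example/dns-query", "www.example.com")
    print(url)
    print(decode_doh_get(url))
```

For `www.example.com` the function reproduces the `dns=` value given in RFC 8484's own example, which is a handy sanity check. The practical consequence is the one the answer states: since the queried name is invisible in transit, the only way to keep filtering from being bypassed is to prevent clients and applications from reaching any DoH endpoint other than the managed one.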

Do you have an agent for Android and iPhone?

Not today.

Does the new implementation allow for granular policy assignment per PC?

Each system running the DNS Protection Agent can be assigned a unique policy as well as overrides that are policy specific. This is generally an exception, as standard policies are usually easier and more effective to manage.

Are we still able to modify policies per individual within the Entities page (former Groups) rather than the whole as a site?

Yes, the policy assignment function hasn’t changed.

Can you add subnets to the IP field? And how are Dynamic or CGNAT addresses handled?

Only individual IPs can be registered; subnets are not supported. Support for dynamic IP addresses will be added in the near future.

Does Webroot DNS support IPv6?

Yes, both IPv4 and IPv6 are fully supported.

How does the protected VM still perform windows domain lookups? Further to this, how do you tell which local resolvers the client is using?

The DNS Protection agent works with virtual NICs as well as physical. The original DNS settings are visible in the logs or, if you stop the DNS Protection Agent service, the DNS settings will revert back allowing you to see what is configured (DHCP, static, etc.).

How does the protected VM still perform windows domain lookups?

If a VM has the DNS agent installed on it, DNS requests will be intercepted just like a conventional system. If the VM is using the network for DNS resolution, you can protect it through the network version of DNS Protection.

How to convince a customer that DNS Protection is worth paying for? What are the benefits beyond free services: Quad9, Cloudflare, OpenDNS?

DNS Protection has a number of advantages over any free service. The first is the quality of the intelligence. DNS Protection leverages Webroot’s BrightCloud which is industry-leading and dynamically maintained through a combination of machine learning and human input (currently 500 billion objects are processed each day to keep the data current). The second is that you control DNS for every system and not just the network. This protects the user no matter the network they are connected through (even their home). The third advantage is support for DoH. This not only encrypts their DNS requests to add privacy and security but also ensures the intelligence is applied and filtering is not circumvented even by rogue applications.

In relation to billing, if we only choose to filter the entire site, is that one license or is it still licensed per endpoint count?

You are billed based on a derived number of devices. This is calculated by totaling the number of DNS requests seen from an IP in 30 days and then divided by 75,000.

