BETA

DNS Leak Prevention Beta

  • 12 September 2023
  • 13 replies
  • 653 views
DNS Leak Prevention Beta
Userlevel 3
Badge +7

We are very pleased to announce the launch of the DNS Leak Prevention Beta. This is an opportunity for us to share with you the feature we are about to release, as well as to solicit feedback, both from a technical and functionality perspective.

 

Download the Beta Runner here.

Documentation available here.

 

What is DNS Leak Prevention?

 

This is a new patent pending feature of the Webroot DNS Protection product. It is designed to provide control of DNS by blocking all alternate DNS resources aside from those configured in Webroot DNS Protection. This is done by locking down port 53 TCP and UDP (DNS), port 853 TCP (DNS over TLS), and port 443 TCP to known DoH providers.

 

Why are we creating DNS Leak Prevention?

 

As Webroot DNS Protection is a DNS filtering product, if we are not filtering every DNS request, it means that things are being missed. For example, if a web browser were to be configured to get DNS resolution directly from its own server, and disregard what was configured on the operating system, not only would the DNS resolution not be filtered, it would not be controlled nor logged, and not be provided by an approved resolver.

 

How does DNS Leak Prevention work?

 

DNS Leak Prevention functions on the DNS Protection agent and provides Policy settings to selectively block communication on port 53 (DNS), port 853 (DoT), and port 443 (DoH).

 

What do I need to participate in the Beta?

 

You do not need to be a Webroot customer to access the Beta. However, you will need to establish a trial if you do not already have a DNS Protection license. More information on establishing a trial can be found in the documentation.

Once you have an active license of Webroot DNS Protection, you will need to download and install the Beta Runner. This is a fast and very lightweight mechanism that will both manage the install of the DNS Protection agent, as well as configure the DNS Leak Prevention settings (please note that the Beta Runner will no longer be needed once the feature is fully released).

 

How to Provide Feedback:

 

Inside the Beta Runner is a Feedback button. This will allow you to submit logs from the Beta as well as add comments. Please note that upon exit, the Beta Runner will also upload the logs that were generated while testing.

 

We look forward to your feedback and suggestions!

 

 

What will Happen when the Beta Completes?

 

The installed Beta version of the DNS Protection agent will automatically update to the current production release. The setting controlled by the Beta Runner will no longer apply. If you no longer wish to run the DNS Protection agent after the Beta, it can be uninstalled through the Beta Runner or through Add/Remove Programs.

It is recommended to uninstall the Beta Runner after the Beta completes – although leaving it installed will not cause any issues.

 


13 replies

Userlevel 3
Badge +7

There is an opportunity for feedback provided in the Beta Runner. I will also be paying attention to this thread, so please add any suggestions, feedback or anything else I can help with here. Have fun everyone!  

Userlevel 7
Badge +33

Got this installed already. Kinda buggy, but seems to do the job. 

Does the Runner need to be left open or does it continue to run if I close the window?

 

John H

Userlevel 3
Badge +7

@jhartnerd123  - The Beta Runner does not need to be running for the DNS Leak Prevention functionality to persist. Of note, the DNS Protection Agent service defaults to manual in the beta, so if you want it to startup automatically upon reboot, you may want to toggle it to automatic.

 



Hopefully not too buggy even if it is a beta. Any quirks I should know about?

Userlevel 7
Badge +33

@JonathanB 
 

Agent v4.2.0.591 is the beta agent correct?

That might almost be left to a day where we can chat over Teams/Zoom or a remote session.

What’s the expected behavior when, say an app (say FireFox browser set to use DoH) (or a VPN app that has a setting to use it’s own DNS) attempts to use it’s settings? Simply not function??? or.. .will Leak Prevention/DNS Agent take over and perform resolution. 

John H

Userlevel 3
Badge +7

Leak Prevention does not try to intercept 443, but rather blocks it, so this really depends on the application. For instance, Firefox has an option where if DoH does not resolve, it reverts back to you original DNS settings or stops resolving completely and displays an error.

Agent 4.2.0.591 is the current beta - noted in the Beta Runner but not called out in add/remove programs.

 

I am always available to chat and run through the functionality!
 

Userlevel 7
Badge +33

K, Let’s setup a time in the near future to chat. 

John H

Userlevel 7
Badge +25

Windows only it looks like. Are there plans to protect DNS on Mac? Or Linux? 

Userlevel 3
Badge +7

Windows only it looks like. Are there plans to protect DNS on Mac? Or Linux? 

 

Good question! We are discussing whether this will be part of the Mac agent when it releases. Based on some of the new features we are looking at for DNS Protection, I expect it to be an integral component - especially as Macs face similar challenges with DoH and control of DNS.

In regards to Linux, we don’t currently have a remote agent planned. Anything is possible, but at this time, it is not a top priority.

Userlevel 3
Badge +7

Big update today as we approach the completion of the beta!

  1. We have updated the Webroot Management Console in anticipation of the DNS Leak Prevention release. New versions of the agent starting 4.2.0.609 will now reference the Console for their configuration. This does mean that settings in the Beta Runner will no longer be honored – although it can still be used for installation, testing, service management, and feedback.
  2. There have been a number of bug fixes along the way based on your testing. The most recent addressed an issue when resuming from Standby / Hibernate when connected to guest Wi-Fi with a Captive Portal (the logon screen for guest Wi-Fi). @jhartnerd123  for identifying this one!

 

Our expectation is that the beta will wrap up shortly - I will update this thread once it does. Thanks Everyone! 

 

Screenshot from the Webroot Management Console:


 

Userlevel 7
Badge +33

This is awesome @JonathanB .


So glad to help with all the testing of this great service. Keep it coming bud. MAC OS agent, and the further enhancements to this.

WOOT!!!

 

John H

Userlevel 7
Badge +25

Congrats on the big update. I'll be patiently waiting to Beta this on my Mac one day. Do let me know when that happens and I'll start testing immediately!  Cheers

Userlevel 3
Badge +7

Congrats on the big update. I'll be patiently waiting to Beta this on my Mac one day. Do let me know when that happens and I'll start testing immediately!  Cheers

 

Thanks! Before the Mac agent releases, I will definitely create a Community post with beta information. My expectation is that you will not only be able to test the Mac agent, you will also get a chance to play with DNS LP at the same time!

 

Userlevel 7
Badge +25

OK. That sounds fantastic. Thank you Jonathan

Reply