Webroot DNS - How is it working for you?

  • 26 February 2019
  • 48 replies
  • 1238 views

Userlevel 5
Badge +11
Hi All – I am the Product Manager for DNS Protection and my colleague @JonathanB and I are resident DNS evangelists and we are always interested in hearing from you on your experience with the product – good or bad!

It has been close to 2 years since we launched DNS Protection service to the market and I am happy to share that we received the highest rating by Expert Insights and we are seeing good steady adoption of the product. Webroot is committed to serving our SMB and MSP customers and bringing best in class Security offerings.

To recap, 2018 was a very busy year for us and I would like to highlight some key product enhancements that has driven our growth:
  • VPN support + IPv6 support (only vendor to support IPv6 for roaming clients)
  • Granular Policy Management enables support at Site, Group, and individual devices.
  • Stable, Hardened DNS client for roaming devices.
  • Powered by BrightCloud Threat Intelligence – Quality, Brand and Accuracy providing Real Time Threat Intelligence trusted by 90+ Technology partners

Didn’t catch these updates? You can always subscribe to our product release page to be notified of releases here.

I would love to hear from you! Please tell us a little bit about yourself and your experience with DNS Protection
  • About your business and drivers for DNS Protection?
  • How was your experience?
  • Ideas and questions about the product?

Looking forward to hearing from you.

48 replies

Userlevel 6
Badge +5
DNS Protect was the perfect solution for a client who takes care of handicapped adults. They live in separate houses and with DNS protection we were able to lock down the security on the individual computers without requiring a server for managment.
Userlevel 4
Badge +3
We've added this to our standard security stack.
Main problem is discussing with customers which specific categories to block beyond security risks, bit embarasing at times for them.
We've had great responses from brightcloud when asking for sites to be whitelisted. Have done this three times and get a fix within a day so very impressed, keeps our global whitelist small.

Often find pop up windows with the block page so its a good extra layer in my view as these are not requested normally by uses anyway.
Keep up the good work.
Userlevel 4
Badge +4
Hi Kiran,

It's fair to say that globally, DNS is a privacy & security weakness for everyone that uses DNS services.

I would certainly support an initiative where Webroot DNS product & roadmap brings enhancements to the privacy precautions.

Cheers,
Gareth
Badge +1
Hi Kiran,

We’ve been deploying DNS protection to customers for a few years now, but recently moved from Cisco Umbrella to Webtoot DNS.

For us it’s about adding a further ‘layer’ of security in order to better mitigate against the threats that exist in today’s dynamic threat landscape.

we originally started selling this as a separate line item in our stack, but eventually moved to just including it as part of our support as we don’t want to give our clients the option to opt out of something we see as a critical line of defence.

happy if anyone wants to follow up with me directly on this topic.

Thanks
Martin
Userlevel 4
Badge +6
We are an MSP serving exclusively dental offices.
It's mostly been fine, but we get conflicting advice from Webroot support about adding *.domain.local and domain.local to the bypass list or not.
We also found a few instances where Webroot DNS was stopping programs from running that the dental office relied on. When I asked support what exactly was being blocked, no one could tell me, they just showed me how the app worked fine with DNS off. We uninstalled the DNS agent from endpoints for those customers.
We had a few instances as well with BrightCloud marking sites unsafe or blocking them incorrectly. While BrightCloud support was quick to respond, it still took too long in the clients mind since it was blocking them from doing their jobs. Creating an exception for the site locally did not seem to work in removing the warning or block.

-Mike
Userlevel 4
Badge +8
I really like this product as it's intended purpose is clearly significant and critical. It has already helped/saved my customers many times over, and of course I like using it myself. I am now insisting that my customers use it on all their PC's.

In line with @GarethBrown's comment about privacy, the problem I'm facing is privacy with roaming users and management that take their laptops home and do not wish to be monitored. I realise that one can use the 'Network' level protection to overcome this, but unfortunately with a few of my customers, they have an ISP provided modem at work which does not allow you to change the DNS settings, so I'm stuck with just having to use DNSP agent which is then not ideal for those who wants privacy when they use their machine at home. This tends to be a problem with small businesses that use ISP provided modems that's locked down by their ISP's.

Because of the above issue, I'd like to see Webroot implement some sort of Privacy control feature (or as @GarethBrown own puts it, enhancements to the privacy precautions) that blocks access to us MSP's when roaming users use their laptop at home, so we cannot view or see their blocked pages when they are at home. This would be extremely helpful especially in terms of privacy for our customers. I realise that this could be quite a challenge to implement but it could be as simple as doing the following:

* Implement a feature that when a change in network is detected, that a DNSP alert message pops up on the PC and asks the user whether they are at 'HOME' or at 'WORK' or 'OFFSITE'. It also then needs a short Privacy statement that clearly indicates the privacy differences of each choice e.g. choosing at 'HOME' would state that they are still protected, but blocked sites would not be visible to their MSP, whereas when they choose at 'WORK', it would state that they would be protected with their work Policy and all blocked sites would be visible for analysis by their ISP. With OFFSITE, the MSP would need to have the choice to enforce the Privacy in accordance with their Work Policies.
* It also needs to be smart enough to detect when they are back at work, by recognising the internal and external IP ranges so that they cannot choose the at 'HOME' option to override the work policy. The GSM would need some setting where one can specify all the IP ranges from the 'WORK' Network. If conflicting home LAN IP ranges should occur, then it might be worth to implement a setting in the DNSP agent so that one PC or server on the work network can act as a 'WORK' network Identifier to more easily enforce the work policies when a PC is plugged back into the 'WORK' network.
* On the Admin side in the GSM, it would then be handy if we could create a policy for each 'Location' type, so the policies could be different for 'WORK', 'HOME' and 'OFFSITE'. In essence, it would great if Policies could switch automatically when there is a change in 'Location'. This would then also work well for VPN connections when management or employees work from home. If it detects that they connect back to the 'WORK' network through a VPN connection, then an alert should pop up notifying that the 'WORK' DNSP policies will be in effect and that a different Privacy policy is now in place.

Hope that makes sense. Privacy is a bit of an issue with this product, but non the less, it's essential.
Userlevel 7
Badge +8
We migrated to WebrootDNS just before Xmas and it went so well that after 2 weeks I forgot we had done it as all the problems and noise from Cisco Umbrella disappeared.
Userlevel 5
Badge +11
We've added this to our standard security stack.
Main problem is discussing with customers which specific categories to block beyond security risks, bit embarasing at times for them.
We've had great responses from brightcloud when asking for sites to be whitelisted. Have done this three times and get a fix within a day so very impressed, keeps our global whitelist small.

Often find pop up windows with the block page so its a good extra layer in my view as these are not requested normally by uses anyway.
Keep up the good work.


Thank you @FasteasyPhil for the kind note and great to hear your experience. I am with you abt the embarrassment or realization as I like to call it when clients see the types of sites they are going to ..:).
Userlevel 5
Badge +11
We migrated to WebrootDNS just before Xmas and it went so well that after 2 weeks I forgot we had done it as all the problems and noise from Cisco Umbrella disappeared.

Thanks so much @deanosborne .. really great to hear and thank you for your continued support.
Userlevel 5
Badge +11
We are an MSP serving exclusively dental offices.
It's mostly been fine, but we get conflicting advice from Webroot support about adding *.domain.local and domain.local to the bypass list or not.
We also found a few instances where Webroot DNS was stopping programs from running that the dental office relied on. When I asked support what exactly was being blocked, no one could tell me, they just showed me how the app worked fine with DNS off. We uninstalled the DNS agent from endpoints for those customers.
We had a few instances as well with BrightCloud marking sites unsafe or blocking them incorrectly. While BrightCloud support was quick to respond, it still took too long in the clients mind since it was blocking them from doing their jobs. Creating an exception for the site locally did not seem to work in removing the warning or block.

-Mike


Hello Mike -

I would like to work with you on this especially Intranet domains that you talked about. Can you please send me personal message with your email address. I will make sure this is addressed.

Thank you
-Kiran
Userlevel 5
Badge +11
DNS Protect was the perfect solution for a client who takes care of handicapped adults. They live in separate houses and with DNS protection we were able to lock down the security on the individual computers without requiring a server for managment.

Thank you @tmcmullen . Appreciate the support.
Userlevel 5
Badge +11
Hi Kiran,

It's fair to say that globally, DNS is a privacy & security weakness for everyone that uses DNS services.

I would certainly support an initiative where Webroot DNS product & roadmap brings enhancements to the privacy precautions.

Cheers,
Gareth



Hi @GarethBrown -

I would love to dig a little deeper on this topic and see what we can do here .. Could you please send me a personal message with your email?

Thank you
-Kiran
Userlevel 5
Badge +11
Hi Kiran,

We’ve been deploying DNS protection to customers for a few years now, but recently moved from Cisco Umbrella to Webtoot DNS.

For us it’s about adding a further ‘layer’ of security in order to better mitigate against the threats that exist in today’s dynamic threat landscape.

we originally started selling this as a separate line item in our stack, but eventually moved to just including it as part of our support as we don’t want to give our clients the option to opt out of something we see as a critical line of defence.

happy if anyone wants to follow up with me directly on this topic.

Thanks
Martin


Thank you @Martin070 . You hit it spot on .. the best success and value can be derived by including it as part of the stack.
Userlevel 5
Badge +11
I really like this product as it's intended purpose is clearly significant and critical. It has already helped/saved my customers many times over, and of course I like using it myself. I am now insisting that my customers use it on all their PC's.

In line with @GarethBrown's comment about privacy, the problem I'm facing is privacy with roaming users and management that take their laptops home and do not wish to be monitored. I realise that one can use the 'Network' level protection to overcome this, but unfortunately with a few of my customers, they have an ISP provided modem at work which does not allow you to change the DNS settings, so I'm stuck with just having to use DNSP agent which is then not ideal for those who wants privacy when they use their machine at home. This tends to be a problem with small businesses that use ISP provided modems that's locked down by their ISP's.

Because of the above issue, I'd like to see Webroot implement some sort of Privacy control feature (or as @GarethBrown own puts it, enhancements to the privacy precautions) that blocks access to us MSP's when roaming users use their laptop at home, so we cannot view or see their blocked pages when they are at home. This would be extremely helpful especially in terms of privacy for our customers. I realise that this could be quite a challenge to implement but it could be as simple as doing the following:

* Implement a feature that when a change in network is detected, that a DNSP alert message pops up on the PC and asks the user whether they are at 'HOME' or at 'WORK' or 'OFFSITE'. It also then needs a short Privacy statement that clearly indicates the privacy differences of each choice e.g. choosing at 'HOME' would state that they are still protected, but blocked sites would not be visible to their MSP, whereas when they choose at 'WORK', it would state that they would be protected with their work Policy and all blocked sites would be visible for analysis by their ISP. With OFFSITE, the MSP would need to have the choice to enforce the Privacy in accordance with their Work Policies.
* It also needs to be smart enough to detect when they are back at work, by recognising the internal and external IP ranges so that they cannot choose the at 'HOME' option to override the work policy. The GSM would need some setting where one can specify all the IP ranges from the 'WORK' Network. If conflicting home LAN IP ranges should occur, then it might be worth to implement a setting in the DNSP agent so that one PC or server on the work network can act as a 'WORK' network Identifier to more easily enforce the work policies when a PC is plugged back into the 'WORK' network.
* On the Admin side in the GSM, it would then be handy if we could create a policy for each 'Location' type, so the policies could be different for 'WORK', 'HOME' and 'OFFSITE'. In essence, it would great if Policies could switch automatically when there is a change in 'Location'. This would then also work well for VPN connections when management or employees work from home. If it detects that they connect back to the 'WORK' network through a VPN connection, then an alert should pop up notifying that the 'WORK' DNSP policies will be in effect and that a different Privacy policy is now in place.

Hope that makes sense. Privacy is a bit of an issue with this product, but non the less, it's essential.


@remote-it Thank you for the details. I would like to work with you guys to understand this better and have an option of anoymizing if that would work. Would you and @GarethBrown be open to a call with me and @JonathanB ? Please PM me your email address.

Thanks
-Kiran
Userlevel 4
Badge +8
Thanks @kkumar, I've sent you a PM as requested.
Userlevel 4
Badge +3

We've added this to our standard security stack.
Main problem is discussing with customers which specific categories to block beyond security risks, bit embarasing at times for them.
We've had great responses from brightcloud when asking for sites to be whitelisted. Have done this three times and get a fix within a day so very impressed, keeps our global whitelist small.

Often find pop up windows with the block page so its a good extra layer in my view as these are not requested normally by uses anyway.
Keep up the good work.
Thank you @FasteasyPhil for the kind note and great to hear your experience. I am with you abt the embarrassment or realization as I like to call it when clients see the types of sites they are going to ..:).



Our most requested exemption when people have the recommended non business categories is gambling, when customers suddenly realise they cant get to the national lottery / postcode lottery numbers pages.
Userlevel 4
Badge +4
Happy to contribute, you have my details 😎
Userlevel 4
Badge +7
I have only just started to roll this product out and I have not had good results so far. I have just had to roll it back from a site with 117 endpoints as it was changing the computers DNS to 127.0.0.1 and as such killing all internet connectivity. Given this is a 100% Citrix site that meant it killed productivity for the whole office. I read the forums and it was my interpretation that this particular issue was caused by the NIC not initialising before the DNS service started and that this was resolved months ago, I guess not.
I have a couple of other smaller sites that have not complained of this issue at all so for me it is a mixed bag. I am certainly putting my rollout of this on hold as I am not confident in the product as it stands. I have 158 sites in my GSM so I need to be confident in the product so I don't create a widespread negative impact.
Andrew
Userlevel 5
Badge +11
Hello @Crossy .. I am sorry you had a bad experience as with CITRIX it can be quite challenging due to virtual adapters in play. With that said, I would like the opportunity to work with you to get this sorted. Could you please send me a pvt message with your email and I will have our support escalation Eng and dev. team to see what we can do.

Thanks
-Kiran
Badge +1
Hi KKumar,

Im currently trialing the product and so far it seems quite impressive.
However there are two areas were I feel the system lets itself down, 1 of which is reporting which has been mentioned previously I know that a API exists but more reports should be build into the dashboard instead of looking at custom API software.

Secondly it could do with more options around timing i.e. we would very much like to block certain websites during working hours but free them up over lunchtime for example. i.e. block youtube 9-1 but allow it from 1-2. I know this would be quite difficult to implement due to the nature of DNS, but it would still be a welcome feature and may help with new customers getting buy in from employees.

Just my 2 cents
Thanks
Userlevel 5
Badge +11
Hi KKumar,

Im currently trialing the product and so far it seems quite impressive.
However there are two areas were I feel the system lets itself down, 1 of which is reporting which has been mentioned previously I know that a API exists but more reports should be build into the dashboard instead of looking at custom API software.

Secondly it could do with more options around timing i.e. we would very much like to block certain websites during working hours but free them up over lunchtime for example. i.e. block youtube 9-1 but allow it from 1-2. I know this would be quite difficult to implement due to the nature of DNS, but it would still be a welcome feature and may help with new customers getting buy in from employees.

Just my 2 cents
Thanks


Hi @SamuelCampbellGA -

Thank you v. much for your response. Definitely appreciate your feedback and we are listening and will be happy to provide options as appropriate:

  • For #1) I do have some options for you that I think will work v. well. Lot of our large customers are using it. Can you please private message me your email and I'll get that started
  • For #2) This is a classic "proxy" productivity use case and you are abs. right that DNS is inherently not built but if you are open for running some shell scripts, let me know and we can work with you to accomplish that.
Thanks
-Kiran
Userlevel 1
Badge +6
Honestly our experience hasn't been great. We're an MSP and we're using this with the hope of having a managed DNS offering for our clients as we haven't used one up until now.

Since deploying we're having struggles with it. We have problems where techs go onsite to clients and can't get at the internet. Disbling Webroot DNS always solves the issue.

Another example is today, I updated my Windows 10 to the latest 1903 feature update and after rebooting, my machine would not connect to the internet or our domain. I have do disable Webroot DNS to get this to work again.

We're not having problems all the time but it's frequent enough that we're getting frustrated with the product.

We believe there may be times where we're in tightly secured areas and the custom ports Webroot requires are not open. In those situations, it reverts back to our previously set DNS which was from our internal network and won't work when at a different site. That seems to be a bad design. To me it should revert to Dynamic DNS and then prompt the user with a warning that they're not protected. I'm worried if we start deploying this to client machiness we're going to be getting a lot of clients complaining with issues.
Userlevel 5
Badge +11
Honestly our experience hasn't been great. We're an MSP and we're using this with the hope of having a managed DNS offering for our clients as we haven't used one up until now.

Since deploying we're having struggles with it. We have problems where techs go onsite to clients and can't get at the internet. Disbling Webroot DNS always solves the issue.

Another example is today, I updated my Windows 10 to the latest 1903 feature update and after rebooting, my machine would not connect to the internet or our domain. I have do disable Webroot DNS to get this to work again.

We're not having problems all the time but it's frequent enough that we're getting frustrated with the product.

We believe there may be times where we're in tightly secured areas and the custom ports Webroot requires are not open. In those situations, it reverts back to our previously set DNS which was from our internal network and won't work when at a different site. That seems to be a bad design. To me it should revert to Dynamic DNS and then prompt the user with a warning that they're not protected. I'm worried if we start deploying this to client machiness we're going to be getting a lot of clients complaining with issues.


Hi @avdlaan -

I am sorry to hear that you are not seeing consistent behavior. I would like to work with you to help resolve this .. could you please send me a personal mesg with your email and we can get this resolved.

Thanks
-Kiran
Userlevel 1
Badge +6
could you please send me a personal mesg with your email and we can get this resolved.

Thanks
-Kiran


Done.
Badge +1
Hi Kiran,

When are Site Only Admins going to have the ability to manage DNS settings in the GSM? This is becoming a real hassle for our team.

Thanks,
Alex

Reply