Webroot DNS - How is it working for you?

  • 26 February 2019
  • 48 replies
  • 1222 views

Hi All – I am the Product Manager for DNS Protection and my colleague @JonathanB and I are resident DNS evangelists and we are always interested in hearing from you on your experience with the product – good or bad!

It has been close to 2 years since we launched DNS Protection service to the market and I am happy to share that we received the highest rating by Expert Insights and we are seeing good steady adoption of the product. Webroot is committed to serving our SMB and MSP customers and bringing best in class Security offerings.

To recap, 2018 was a very busy year for us and I would like to highlight some key product enhancements that have driven our growth:
  • VPN support + IPv6 support (only vendor to support IPv6 for roaming clients)
  • Granular Policy Management enables support at Site, Group, and individual devices.
  • Stable, Hardened DNS client for roaming devices.
  • Powered by BrightCloud Threat Intelligence – Quality, Brand and Accuracy providing Real Time Threat Intelligence trusted by 90+ Technology partners

Didn’t catch these updates? You can always subscribe to our product release page to be notified of releases here.

I would love to hear from you! Please tell us a little bit about yourself and your experience with DNS Protection
  • About your business and drivers for DNS Protection?
  • How was your experience?
  • Ideas and questions about the product?

Looking forward to hearing from you.

DNS Protect was the perfect solution for a client who takes care of handicapped adults. They live in separate houses and with DNS protection we were able to lock down the security on the individual computers without requiring a server for management.

We've added this to our standard security stack.
Main problem is discussing with customers which specific categories to block beyond security risks, bit embarrassing at times for them.
We've had great responses from BrightCloud when asking for sites to be whitelisted. Have done this three times and get a fix within a day so very impressed, keeps our global whitelist small.

Often find pop up windows with the block page so it's a good extra layer in my view as these are not requested normally by users anyway.
Keep up the good work.

Hi Kiran,

When are Site Only Admins going to have the ability to manage DNS settings in the GSM? This is becoming a real hassle for our team.

Thanks,
Alex


Understand your concern Alex. We are looking at simplifying and modifying the Access control side of things. I would like to hear about your specific requests, i.e.: As a Site Admin, what are all the DNS and SAT features you are interested in having WRITE ability on?

Thanks
-Kiran

Hi KKumar,

I'm currently trialing the product and so far it seems quite impressive.
However there are two areas where I feel the system lets itself down, 1 of which is reporting, which has been mentioned previously. I know that an API exists but more reports should be built into the dashboard instead of looking at custom API software.

Secondly it could do with more options around timing i.e. we would very much like to block certain websites during working hours but free them up over lunchtime for example. i.e. block youtube 9-1 but allow it from 1-2. I know this would be quite difficult to implement due to the nature of DNS, but it would still be a welcome feature and may help with new customers getting buy in from employees.

Just my 2 cents
Thanks


Hi @SamuelCampbellGA -

Thank you v. much for your response. Definitely appreciate your feedback and we are listening and will be happy to provide options as appropriate:

  • For #1) I do have some options for you that I think will work v. well. Lot of our large customers are using it. Can you please private message me your email and I'll get that started
  • For #2) This is a classic "proxy" productivity use case and you are abs. right that DNS is inherently not built but if you are open for running some shell scripts, let me know and we can work with you to accomplish that.
Thanks
-Kiran

@marvizon are you a Consumer or a Business user? This thread is for Business users that use Webroot’s DNS service.

 

Thanks,

I have only just started to roll this product out and I have not had good results so far. I have just had to roll it back from a site with 117 endpoints as it was changing the computers' DNS to 127.0.0.1 and as such killing all internet connectivity. Given this is a 100% Citrix site that meant it killed productivity for the whole office. I read the forums and it was my interpretation that this particular issue was caused by the NIC not initialising before the DNS service started and that this was resolved months ago, I guess not.
I have a couple of other smaller sites that have not complained of this issue at all so for me it is a mixed bag. I am certainly putting my rollout of this on hold as I am not confident in the product as it stands. I have 158 sites in my GSM so I need to be confident in the product so I don't create a widespread negative impact.
Andrew

Honestly our experience hasn't been great. We're an MSP and we're using this with the hope of having a managed DNS offering for our clients as we haven't used one up until now.

Since deploying we're having struggles with it. We have problems where techs go onsite to clients and can't get at the internet. Disabling Webroot DNS always solves the issue.

Another example is today, I updated my Windows 10 to the latest 1903 feature update and after rebooting, my machine would not connect to the internet or our domain. I have to disable Webroot DNS to get this to work again.

We're not having problems all the time but it's frequent enough that we're getting frustrated with the product.

We believe there may be times where we're in tightly secured areas and the custom ports Webroot requires are not open. In those situations, it reverts back to our previously set DNS which was from our internal network and won't work when at a different site. That seems to be a bad design. To me it should revert to Dynamic DNS and then prompt the user with a warning that they're not protected. I'm worried if we start deploying this to client machines we're going to be getting a lot of clients complaining with issues.



Good to hear others are still facing similar issues with the DNS client. The site I manage sees this from time to time as well across some of our machines. I also see this: The NIC reports no internet connectivity at times (yellow exclamation in taskbar :: 'No internet access' status) but yet there is actually Internet. (Can ping 1.1.1.1, ping google.ca, etc. as well as navigate to Internet based sites from the machine).

If I disable the agent or restart DNS by re-applying "Automatic DNS configuration" it seems to fix the issue (but not permanently).

 

Wow, these issues are still occurring? They’ve been plaguing WebRoot DNS since the beginning, and quickly drove me to another vendor. There are rock solid solutions available for less money. WebRoot would be wise to stay out of the DNS game and focus on what they know. DNS filtering has not worked out well for them.

We've added this to our standard security stack.
Main problem is discussing with customers which specific categories to block beyond security risks, bit embarrassing at times for them.
We've had great responses from BrightCloud when asking for sites to be whitelisted. Have done this three times and get a fix within a day so very impressed, keeps our global whitelist small.

Often find pop up windows with the block page so it's a good extra layer in my view as these are not requested normally by users anyway.
Keep up the good work.

Thank you @FasteasyPhil for the kind note and great to hear your experience. I am with you abt the embarrassment or realization as I like to call it when clients see the types of sites they are going to ..:).



Our most requested exemption when people have the recommended non business categories is gambling, when customers suddenly realise they can't get to the national lottery / postcode lottery numbers pages.

I have only just started to roll this product out and I have not had good results so far. I have just had to roll it back from a site with 117 endpoints as it was changing the computers' DNS to 127.0.0.1 and as such killing all internet connectivity. Given this is a 100% Citrix site that meant it killed productivity for the whole office. I read the forums and it was my interpretation that this particular issue was caused by the NIC not initialising before the DNS service started and that this was resolved months ago, I guess not.
I have a couple of other smaller sites that have not complained of this issue at all so for me it is a mixed bag. I am certainly putting my rollout of this on hold as I am not confident in the product as it stands. I have 158 sites in my GSM so I need to be confident in the product so I don't create a widespread negative impact.
Andrew

Chiming in to add a solution for the issues in my last two posts. The following group policy change has *so far* (knocks on wood) solved all of my issues with the DNS client on the pilot PCs I've tested with.

It appears the issues all boiled back to a problem with the PCs not behaving correctly when the DNS settings are configured for the local loopback interface. From what I understand, this GP change enables/better facilitates handling DNS over the local loopback address (127.0.0.1).

Note: You will need administrative rights.

Hit the Windows key on your keyboard, begin typing "Group Policy".

Select the following result:



Navigate through the GP tree as follows:

Computer Configuration
- Administrative Templates
-- Network
--- Network Connectivity Status Indicator

Change it from Not Configured (or Disabled) to Enabled.
Ensure the "Use global DNS" checkbox is also selected.

Apply and OK.

Reboot PC to ensure changes take effect.
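
A read-only check for the failure modes this post and others in the thread describe (adapter DNS set to 127.0.0.1, agent service stopped, Windows reporting "No internet access"), added here as an example and not part of the original post or Webroot's tooling. The service name DnsProxyAgent comes from a later post in this thread; the registry path and UseGlobalDns value are assumptions about what the policy writes, and example.com is a constructed test name.

```powershell
# Added example (read-only): explain why a Windows PC with a loopback DNS agent
# shows "No internet access" or cannot resolve names. It changes nothing.
# Assumptions: 'DnsProxyAgent' is the service name quoted later in this thread;
# the registry path and the UseGlobalDns value are assumed to be what the NCSI
# global-DNS policy writes; 'example.com' is a constructed test name.

$ServiceName = 'DnsProxyAgent'
$NcsiKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator'
$TestName    = 'example.com'

function Get-LoopbackDnsHealth {
    # 1. Is the agent that answers on 127.0.0.1 actually running?
    $svc        = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $svcRunning = ($null -ne $svc) -and ($svc.Status -eq 'Running')

    # 2. Is the NCSI global-DNS policy value present and enabled?
    $policy       = Get-ItemProperty -Path $NcsiKey -Name 'UseGlobalDns' -ErrorAction SilentlyContinue
    $useGlobalDns = ($null -ne $policy) -and ($policy.UseGlobalDns -eq 1)

    # 3. Which connected adapters point at the loopback resolver?
    $upIndexes = @(Get-NetAdapter | Where-Object { $_.Status -eq 'Up' } | ForEach-Object { $_.ifIndex })
    $adapters = @(Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { ($upIndexes -contains $_.InterfaceIndex) -and $_.ServerAddresses } |
        ForEach-Object {
            [pscustomobject]@{
                Interface  = $_.InterfaceAlias
                DnsServers = $_.ServerAddresses -join ','
                Loopback   = $_.ServerAddresses -contains '127.0.0.1'
            }
        })
    $loopbackInUse = @($adapters | Where-Object { $_.Loopback }).Count -gt 0

    # 4. Does a lookup through the configured resolver succeed?
    $answer   = Resolve-DnsName -Name $TestName -Type A -DnsOnly -QuickTimeout -ErrorAction SilentlyContinue
    $resolves = $null -ne $answer

    # 5. Turn the facts into findings.
    $findings = @()
    if ($loopbackInUse -and -not $svcRunning) {
        $findings += "DNS points at 127.0.0.1 but service '$ServiceName' is not running: lookups will fail."
    }
    if ($loopbackInUse -and $resolves -and -not $useGlobalDns) {
        $findings += 'Names resolve through loopback, but the NCSI global-DNS policy is not enabled: Windows may still report "No internet access".'
    }
    if (-not $loopbackInUse -and $svcRunning) {
        $findings += 'Agent is running but no connected adapter uses 127.0.0.1: queries bypass the filter.'
    }
    if (-not $resolves -and $svcRunning) {
        $findings += "Agent is running but '$TestName' did not resolve: check that its upstream ports are reachable."
    }
    if ($findings.Count -eq 0) { $findings += 'No inconsistency found.' }

    [pscustomobject]@{
        ServiceRunning = $svcRunning
        UseGlobalDns   = $useGlobalDns
        Adapters       = $adapters
        Resolves       = $resolves
        Findings       = $findings
    }
}

$report = Get-LoopbackDnsHealth
$report.Adapters | Format-Table -AutoSize
$report.Findings
```

Run it from an elevated PowerShell prompt on an affected PC before and after the policy change to see which finding clears.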

Honestly our experience hasn't been great. We're an MSP and we're using this with the hope of having a managed DNS offering for our clients as we haven't used one up until now.

Since deploying we're having struggles with it. We have problems where techs go onsite to clients and can't get at the internet. Disabling Webroot DNS always solves the issue.

Another example is today, I updated my Windows 10 to the latest 1903 feature update and after rebooting, my machine would not connect to the internet or our domain. I have to disable Webroot DNS to get this to work again.

We're not having problems all the time but it's frequent enough that we're getting frustrated with the product.

We believe there may be times where we're in tightly secured areas and the custom ports Webroot requires are not open. In those situations, it reverts back to our previously set DNS which was from our internal network and won't work when at a different site. That seems to be a bad design. To me it should revert to Dynamic DNS and then prompt the user with a warning that they're not protected. I'm worried if we start deploying this to client machines we're going to be getting a lot of clients complaining with issues.

Hi Kiran,

When are Site Only Admins going to have the ability to manage DNS settings in the GSM? This is becoming a real hassle for our team.

Thanks,
Alex

I am having a lot of issues with the DNS agent since the latest Windows 10 update. The DnsProxyAgent service keeps stopping, and when roaming users leave the corporate network they now have no internet access (no DNS resolution) which also breaks our RMM agent and TeamViewer from “calling home”, so we can’t even remote to the machines to fix them. We have to call the customer user and walk them through starting the service from a command prompt. This is not practical from a support standpoint, and we are now evaluating Cisco Umbrella MSP as a possible replacement.

Hello @WanderingAround  - I think I know what is going on here. Please hold off before you go an alternate route and give us an opportunity. 

 

So, do you notice an icon that says “Internet is not available” on the machine where you can’t access O365, etc? In reality you do have Internet but it's actually MSFT that's unable to reach its DNS verification domain. If I could please send me your email privately, etc I will personally connect you with Support and get this resolved swiftly.

Appreciate the reach out. 

 

Thanks

-Kiran

Dave, 

I could use your help. I like Webroot, but the DNS protection has not worked successfully for me. We are an MSP and were looking to add the DNS Protection as an offering. First site with 80+ nodes and constantly have to stop Webroot DNS protection and enable auto dhcp. DNS blocks VPN traffic to network drives that should be excluded by the network name. Then the computer will be blocked from all DNS requests. HELP!!!! Customer has started asking for removal of software.

We have one site that has rolled out DNS protection to 10% of their endpoints as a trial. 6 of the endpoints will not adopt the assigned DNS policy, have reduced protection as a result, and are showing a generic/non-branded block page instead of the client's custom block page.

Not a great first look for us.

Hi Kiran,

It's fair to say that globally, DNS is a privacy & security weakness for everyone that uses DNS services.

I would certainly support an initiative where Webroot DNS product & roadmap brings enhancements to the privacy precautions.

Cheers,
Gareth

Hi Kiran,

We’ve been deploying DNS protection to customers for a few years now, but recently moved from Cisco Umbrella to Webroot DNS.

For us it’s about adding a further ‘layer’ of security in order to better mitigate against the threats that exist in today’s dynamic threat landscape.

We originally started selling this as a separate line item in our stack, but eventually moved to just including it as part of our support as we don’t want to give our clients the option to opt out of something we see as a critical line of defence.

Happy if anyone wants to follow up with me directly on this topic.

Thanks
Martin

We are an MSP serving exclusively dental offices.
It's mostly been fine, but we get conflicting advice from Webroot support about adding *.domain.local and domain.local to the bypass list or not.
We also found a few instances where Webroot DNS was stopping programs from running that the dental office relied on. When I asked support what exactly was being blocked, no one could tell me, they just showed me how the app worked fine with DNS off. We uninstalled the DNS agent from endpoints for those customers.
We had a few instances as well with BrightCloud marking sites unsafe or blocking them incorrectly. While BrightCloud support was quick to respond, it still took too long in the client's mind since it was blocking them from doing their jobs. Creating an exception for the site locally did not seem to work in removing the warning or block.

-Mike

I really like this product as its intended purpose is clearly significant and critical. It has already helped/saved my customers many times over, and of course I like using it myself. I am now insisting that my customers use it on all their PCs.

In line with @GarethBrown's comment about privacy, the problem I'm facing is privacy with roaming users and management that take their laptops home and do not wish to be monitored. I realise that one can use the 'Network' level protection to overcome this, but unfortunately with a few of my customers, they have an ISP provided modem at work which does not allow you to change the DNS settings, so I'm stuck with just having to use DNSP agent which is then not ideal for those who want privacy when they use their machine at home. This tends to be a problem with small businesses that use ISP provided modems that are locked down by their ISPs.

Because of the above issue, I'd like to see Webroot implement some sort of Privacy control feature (or as @GarethBrown own puts it, enhancements to the privacy precautions) that blocks access to us MSPs when roaming users use their laptop at home, so we cannot view or see their blocked pages when they are at home. This would be extremely helpful especially in terms of privacy for our customers. I realise that this could be quite a challenge to implement but it could be as simple as doing the following:

* Implement a feature that when a change in network is detected, that a DNSP alert message pops up on the PC and asks the user whether they are at 'HOME' or at 'WORK' or 'OFFSITE'. It also then needs a short Privacy statement that clearly indicates the privacy differences of each choice e.g. choosing at 'HOME' would state that they are still protected, but blocked sites would not be visible to their MSP, whereas when they choose at 'WORK', it would state that they would be protected with their work Policy and all blocked sites would be visible for analysis by their ISP. With OFFSITE, the MSP would need to have the choice to enforce the Privacy in accordance with their Work Policies.
* It also needs to be smart enough to detect when they are back at work, by recognising the internal and external IP ranges so that they cannot choose the at 'HOME' option to override the work policy. The GSM would need some setting where one can specify all the IP ranges from the 'WORK' Network. If conflicting home LAN IP ranges should occur, then it might be worth to implement a setting in the DNSP agent so that one PC or server on the work network can act as a 'WORK' network Identifier to more easily enforce the work policies when a PC is plugged back into the 'WORK' network.
* On the Admin side in the GSM, it would then be handy if we could create a policy for each 'Location' type, so the policies could be different for 'WORK', 'HOME' and 'OFFSITE'. In essence, it would be great if Policies could switch automatically when there is a change in 'Location'. This would then also work well for VPN connections when management or employees work from home. If it detects that they connect back to the 'WORK' network through a VPN connection, then an alert should pop up notifying that the 'WORK' DNSP policies will be in effect and that a different Privacy policy is now in place.

Hope that makes sense. Privacy is a bit of an issue with this product, but nonetheless, it's essential.

We migrated to WebrootDNS just before Xmas and it went so well that after 2 weeks I forgot we had done it as all the problems and noise from Cisco Umbrella disappeared.

We've added this to our standard security stack.
Main problem is discussing with customers which specific categories to block beyond security risks, bit embarrassing at times for them.
We've had great responses from BrightCloud when asking for sites to be whitelisted. Have done this three times and get a fix within a day so very impressed, keeps our global whitelist small.

Often find pop up windows with the block page so it's a good extra layer in my view as these are not requested normally by users anyway.
Keep up the good work.


Thank you @FasteasyPhil for the kind note and great to hear your experience. I am with you abt the embarrassment or realization as I like to call it when clients see the types of sites they are going to ..:).

We are an MSP serving exclusively dental offices.
It's mostly been fine, but we get conflicting advice from Webroot support about adding *.domain.local and domain.local to the bypass list or not.
We also found a few instances where Webroot DNS was stopping programs from running that the dental office relied on. When I asked support what exactly was being blocked, no one could tell me, they just showed me how the app worked fine with DNS off. We uninstalled the DNS agent from endpoints for those customers.
We had a few instances as well with BrightCloud marking sites unsafe or blocking them incorrectly. While BrightCloud support was quick to respond, it still took too long in the client's mind since it was blocking them from doing their jobs. Creating an exception for the site locally did not seem to work in removing the warning or block.

-Mike

 

Less expensive DNS filtering with better reporting and firsthand ability to whitelist (instead of submitting a request to a third party) is readily available from other vendors. Other solutions offer the ability for users to submit whitelist requests directly to you (the IT provider and DNS filtering reseller), and you can whitelist and have it in effect in 1 to 2 minutes. I currently pay $5 for up to 1 million DNS requests regardless of the number of clients. If I were using WebRoot’s solution at $1.60 per device, over twice as much with my current DNS client base.  

We migrated to WebrootDNS just before Xmas and it went so well that after 2 weeks I forgot we had done it as all the problems and noise from Cisco Umbrella disappeared.

Thanks so much @deanosborne .. really great to hear and thank you for your continued support.

We are an MSP serving exclusively dental offices.
It's mostly been fine, but we get conflicting advice from Webroot support about adding *.domain.local and domain.local to the bypass list or not.
We also found a few instances where Webroot DNS was stopping programs from running that the dental office relied on. When I asked support what exactly was being blocked, no one could tell me, they just showed me how the app worked fine with DNS off. We uninstalled the DNS agent from endpoints for those customers.
We had a few instances as well with BrightCloud marking sites unsafe or blocking them incorrectly. While BrightCloud support was quick to respond, it still took too long in the client's mind since it was blocking them from doing their jobs. Creating an exception for the site locally did not seem to work in removing the warning or block.

-Mike


Hello Mike -

I would like to work with you on this, especially the Intranet domains that you talked about. Can you please send me a personal message with your email address? I will make sure this is addressed.

Thank you
-Kiran

Kiran,

We use your secure DNS and it has worked pretty well for me so far. I am just using the basic medium protection with a few exceptions. We have not implemented anything advanced yet. With that said I have found what I believe could be a major flaw in process. When your product is down or suffers from degraded performance, your customers should be actively alerted of this issue. It's nice that you have a status monitor available but an email or sms message to your customer would prevent cost incurred by lost productivity and employee frustrations. I would love to see that implemented. I believe that would prevent hours of end users reporting issues to internal IT departments that eventually get passed up to network and system engineers to investigate that may take another couple of hours.

Just a suggestion that I would love to see to improve your product.

Justin
