Webroot DNS - How is it working for you?

DNS Protect was the perfect solution for a client who takes care of handicapped adults. They live in separate houses and with DNS protection we were able to lock down the security on the individual computers without requiring a server for managment.

Hi Kiran,

When are Site Only Admins going to have the ability to manage DNS settings in the GSM? This is becoming a real hassle for our team.

Thanks,
Alex

Understand your concern Alex. We are looking at simplifying and modifying the Access control side of things.. I would like to hear about your specific requests, ie: As a Site Admin, what are all the DNS and SAT features are you interested in having WRITE ability on.

Thanks
-Kiran

@marvizon are you a Consumer or a Business user? This thread is for Business users that use Webroot’s DNS service.

 

Thanks,

We've added this to our standard security stack.
Main problem is discussing with customers which specific categories to block beyond security risks, bit embarasing at times for them.
We've had great responses from brightcloud when asking for sites to be whitelisted. Have done this three times and get a fix within a day so very impressed, keeps our global whitelist small.

Often find pop up windows with the block page so its a good extra layer in my view as these are not requested normally by uses anyway.
Keep up the good work.Thank you @FasteasyPhil for the kind note and great to hear your experience. I am with you abt the embarrassment or realization as I like to call it when clients see the types of sites they are going to ..:).


Our most requested exemption when people have the recommended non business categories is gambling, when customers suddenly realise they cant get to the national lottery / postcode lottery numbers pages.

Chiming in to add a solution for the issues in my last two posts. The following group policy change has *so far* (knocks on wood) solved all of my issues with the DNS client on the pilot PC's I've tested with.

It appears the issues all boiled back to a problem with the PC's not behaving correctly when the DNS settings are configured for the local loop back interface. From what I understand, this GP change enables/better facilitates handling DNS over the local loopback address. (127.0.0.1)

Note: You will need administrative rights.

Hit the Windows key on your keyboard, begin typing "Group Policy".

Select the following result:

Navigate through the GP tree as follows:

Computer Configuration
- Administrator Templates
-- Network
--- Network Connectivity Status Indicator

Change it from Not Configured (or Disabled) to Enabled.
Ensure the "Use global DNS" checkbox is also selected.

Apply and OK.

Reboot PC to ensure changes take effect.

Hi Kiran,

When are Site Only Admins going to have the ability to manage DNS settings in the GSM? This is becoming a real hassle for our team.

Thanks,
Alex

Hello @WanderingAround  - I think I know what is going on here. Please hold off before you go an alternate route and give us an opportunity. 

 

So, do you notice an icon that says “Internet is not available” on the machine where you can’t access O365, etc? In reality you do have Internet but its actually MSFT thats unable to reach its DNS verification domain. If I could please send me your email privately, etc I will personally connect you with Support and get this resolved swiftly. 

Appreciate the reach out. 

 

Thanks

-Kiran

We have one site that has rolled out DNS protection to 10% of their endpoints as a trial. 6 of the endpoints will not adopt the assigned DNS policy, have reduced protection as a result, and are showing a generic/non-branded block page instead of the client's custom block page.

Not a great first look for us.

Hi Kiran,

We’ve been deploying DNS protection to customers for a few years now, but recently moved from Cisco Umbrella to Webtoot DNS.

For us it’s about adding a further ‘layer’ of security in order to better mitigate against the threats that exist in today’s dynamic threat landscape.

we originally started selling this as a separate line item in our stack, but eventually moved to just including it as part of our support as we don’t want to give our clients the option to opt out of something we see as a critical line of defence.

happy if anyone wants to follow up with me directly on this topic.

Thanks
Martin

I really like this product as it's intended purpose is clearly significant and critical. It has already helped/saved my customers many times over, and of course I like using it myself. I am now insisting that my customers use it on all their PC's.

In line with @GarethBrown's comment about privacy, the problem I'm facing is privacy with roaming users and management that take their laptops home and do not wish to be monitored. I realise that one can use the 'Network' level protection to overcome this, but unfortunately with a few of my customers, they have an ISP provided modem at work which does not allow you to change the DNS settings, so I'm stuck with just having to use DNSP agent which is then not ideal for those who wants privacy when they use their machine at home. This tends to be a problem with small businesses that use ISP provided modems that's locked down by their ISP's.

Because of the above issue, I'd like to see Webroot implement some sort of Privacy control feature (or as @GarethBrown own puts it, enhancements to the privacy precautions) that blocks access to us MSP's when roaming users use their laptop at home, so we cannot view or see their blocked pages when they are at home. This would be extremely helpful especially in terms of privacy for our customers. I realise that this could be quite a challenge to implement but it could be as simple as doing the following:

* Implement a feature that when a change in network is detected, that a DNSP alert message pops up on the PC and asks the user whether they are at 'HOME' or at 'WORK' or 'OFFSITE'. It also then needs a short Privacy statement that clearly indicates the privacy differences of each choice e.g. choosing at 'HOME' would state that they are still protected, but blocked sites would not be visible to their MSP, whereas when they choose at 'WORK', it would state that they would be protected with their work Policy and all blocked sites would be visible for analysis by their ISP. With OFFSITE, the MSP would need to have the choice to enforce the Privacy in accordance with their Work Policies.
* It also needs to be smart enough to detect when they are back at work, by recognising the internal and external IP ranges so that they cannot choose the at 'HOME' option to override the work policy. The GSM would need some setting where one can specify all the IP ranges from the 'WORK' Network. If conflicting home LAN IP ranges should occur, then it might be worth to implement a setting in the DNSP agent so that one PC or server on the work network can act as a 'WORK' network Identifier to more easily enforce the work policies when a PC is plugged back into the 'WORK' network.
* On the Admin side in the GSM, it would then be handy if we could create a policy for each 'Location' type, so the policies could be different for 'WORK', 'HOME' and 'OFFSITE'. In essence, it would great if Policies could switch automatically when there is a change in 'Location'. This would then also work well for VPN connections when management or employees work from home. If it detects that they connect back to the 'WORK' network through a VPN connection, then an alert should pop up notifying that the 'WORK' DNSP policies will be in effect and that a different Privacy policy is now in place.

Hope that makes sense. Privacy is a bit of an issue with this product, but non the less, it's essential.

We've added this to our standard security stack.
Main problem is discussing with customers which specific categories to block beyond security risks, bit embarasing at times for them.
We've had great responses from brightcloud when asking for sites to be whitelisted. Have done this three times and get a fix within a day so very impressed, keeps our global whitelist small.

Often find pop up windows with the block page so its a good extra layer in my view as these are not requested normally by uses anyway.
Keep up the good work.

Thank you @FasteasyPhil for the kind note and great to hear your experience. I am with you abt the embarrassment or realization as I like to call it when clients see the types of sites they are going to ..:).

We migrated to WebrootDNS just before Xmas and it went so well that after 2 weeks I forgot we had done it as all the problems and noise from Cisco Umbrella disappeared.

Thanks so much @deanosborne .. really great to hear and thank you for your continued support.

Kiran,

We use your secure DNS and it has worked pretty well for me so far. I am just using the basic medium protection with a few exceptions. We have not implemented anything advanced yet. With that said I have found what I believe could be a major flaw in process. When your product is down or suffers from degraded performance, you customers should be actively alerted of this issue. Its nice that you have a status monitor available but an email or sms message to your customer would prevent cost incurred by lost productivity and employee frustrations. I would love to see that implemented. I believe that would prevent hours of end users reporting issues to internal IT departments that eventually get passed up to network and system engineers to investigate that may take another couple of hours.

Just a suggestion that I would love to see to improve your product.

Justin