Copyright © 2024 Sophos Ltd
Getting Started with DNS Protection
Sophos DNS Protection
DNS1005: Getting Started with DNS Protection
May 2024
Version: 1.0v1
© 2024 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written
consent of Sophos.
Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the
trademarks or registered trademarks of Sophos Limited or their respective owners.
While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether express
or implied) as to its completeness or accuracy. This document is subject to change at any time without notice.
Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon,
Oxfordshire, OX14 3YP.
Getting Started with DNS Protection
In this chapter you will learn how to configure DNS Protection in Sophos Central and on your devices.
RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Have experience configuring and managing networks
✓ Understand what Sophos DNS Protection is
DURATION: 15 minutes
Configuration Overview
• Define the locations where the DNS requests will be made from
• Configure your network to use Sophos DNS Protection
• Configure policies to control what sites can be accessed
• Review logs and reports
Sophos DNS Protection set up takes just a few steps, which you can see on the DNS Protection
Dashboard in Sophos Central.
First, you need to define the locations where the DNS requests will be made. Locations are used to
apply policies.
You then need to configure your networks to use the Sophos DNS Protection servers.
Lastly, you need to configure policies that will control what can be accessed from each location.
Once everything is configured and working you will be able to review the logs and reports.
Creating a Location
• IP addresses or FQDNs (Sophos Central checks that FQDNs can be resolved when they are added)
• Up to 100 IP addresses or FQDNs per location
We will take a closer look at each of the configuration steps, starting with creating a location.
Locations are defined using public IP addresses and fully qualified domain names, or FQDNs. These are
what Sophos DNS Protection sees when you make your DNS request and will be used to apply policies.
When adding an FQDN, Sophos Central will check that it can be resolved. You can have up to 100
entries for a location made up of any mix of IP addresses and FQDNs.
Once you have added a location you can see the IP addresses and FQDNs by hovering over the number
in the 'Source' column.
Note that you can have a maximum of 50 locations in Sophos DNS Protection.
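A pre-flight check for a planned location list, added here as an example (it is not Sophos code). It applies the 100-entry limit and the public-address requirement from this chapter; the list of non-public ranges, the FQDN syntax rule and the duplicate check are assumptions of the example, and it does not perform the resolution check that Sophos Central does.

```python
import ipaddress
import re

MAX_ENTRIES = 100  # per-location limit stated in this chapter

# Address ranges that are never the source of a query seen on the internet.
# Treating exactly these as "not public" is an assumption of this example.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private
    "100.64.0.0/10",                                   # carrier-grade NAT
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
)]
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def check_entry(entry):
    """Return None if the entry is usable, otherwise the reason it is not."""
    try:
        ip = ipaddress.ip_address(entry)
    except ValueError:
        labels = entry.rstrip(".").split(".")
        # A numeric last label means a malformed IP, not a hostname.
        if (len(entry) <= 253 and len(labels) >= 2
                and not labels[-1].isdigit()
                and all(LABEL.fullmatch(label) for label in labels)):
            return None
        return "not an IP address or FQDN"
    if any(ip in net for net in NON_PUBLIC):
        return "not a public address"
    return None


def check_location(entries):
    """Return a list of (entry, problem) pairs for one planned location."""
    problems = []
    if len(entries) > MAX_ENTRIES:
        problems.append(("<location>", f"{len(entries)} entries, limit is {MAX_ENTRIES}"))
    seen = set()
    for entry in (e.strip() for e in entries):
        key = entry.lower()
        reason = "duplicate entry" if key in seen else check_entry(entry)
        seen.add(key)
        if reason:
            problems.append((entry, reason))
    return problems


# Constructed sample: one egress IP, one LAN address entered by mistake,
# one hostname, and one malformed address.
SAMPLE = ["203.0.113.10", "192.168.1.1", "office.example.net", "300.1.1.1"]
```

Calling `check_location(SAMPLE)` reports the LAN address and the malformed address, the two entries that could never match the source of a query as Sophos DNS Protection sees it.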
Configuring Networks to Use Sophos DNS
• Configure the DNS servers on devices, manually or using DHCP
• Configure the DNS forwarders on your existing DNS server
The next step is to configure your networks to use the Sophos DNS Protection servers.
Where there are few devices, you can configure devices to use the Sophos DNS Protection servers
manually or using DHCP.
For larger networks it is more common to have an existing DNS server, where you would configure it to
forward requests to Sophos DNS Protection instead of your ISP.
Information on how to configure the DNS settings for your devices and networks can be found in the
documentation.
[Additional Information]
Sophos DNS Protection: Set up your network:
https://doc.sophos.com/central/Customer/help/en-us/ManageYourProducts/DNSProtection/NetworkSetup/index.html
For example, if you have a Windows Active Directory domain, you will likely have a DNS server. Here
you can see we have configured the forwarders to be the Sophos DNS Protection servers.
This means that when the server receives a DNS request for a record it does not hold, it forwards
the query to Sophos DNS Protection to get the answer.
Sophos DNS Protection also complements Sophos Firewall. Here you can see that Sophos Firewall has
been configured to use Sophos DNS Protection.
Installing the Certificate
▪ Install the certificate to prevent security warnings on block pages
▪ Install manually or deploy using Active Directory or other management tool
In addition to configuring the DNS settings for your network, you should deploy the root certificate to
prevent security warnings when block pages are returned.
The certificate can be installed manually on devices or deployed using Active Directory or other
management tools.
To download the certificate, select Installers in the left-hand menu of Sophos DNS Protection.
The certificate file will be downloaded with a .pem extension, which is supported for import on most
devices.
Windows does not have a file association for the .pem extension, so you may want to change it to .cer,
which Windows will recognize by default.
Testing the Configuration
Once you have completed the configuration you can test it by visiting https://dns.access.sophos.com.
This domain is only resolved by Sophos DNS Protection, so if the devices are not using the Sophos DNS
Protection servers, they will not be able to access the page.
The webpage is also signed using the Sophos certificate, and so will display a security error if it is not
installed.
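The test described above can be scripted so that the two failure causes are told apart. This is an added example, not Sophos code; the function names, result strings and the injectable `resolve` and `handshake` parameters are assumptions of the example.

```python
import socket
import ssl

TEST_HOST = "dns.access.sophos.com"  # test domain named in this chapter


def _resolve(host):
    """Resolve with the DNS servers this device is configured to use."""
    return socket.getaddrinfo(host, 443, type=socket.SOCK_STREAM)[0][4][0]


def _handshake(host, addr, timeout):
    """TLS handshake validated against the trust store Python uses,
    which may differ from the store a particular browser uses."""
    context = ssl.create_default_context()
    with socket.create_connection((addr, 443), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host):
            pass


def check_dns_protection(host=TEST_HOST, resolve=_resolve,
                         handshake=_handshake, timeout=5):
    """Classify the outcome of the test described above.

    resolve and handshake are injectable (hypothetical parameters of this
    example) so the logic can be exercised without network access.
    """
    try:
        addr = resolve(host)
    except socket.gaierror:
        # Only Sophos DNS Protection resolves this name.
        return "not using Sophos DNS Protection"
    try:
        handshake(host, addr, timeout)
    except ssl.SSLCertVerificationError:
        # The name resolved, but the certificate chain is not trusted.
        return "root certificate not installed"
    except OSError:
        return "resolved but unreachable"
    return "ok"


if __name__ == "__main__":
    print(check_dns_protection())
```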
Creating a Policy
At this point your devices will be using Sophos DNS Protection. As no policies have been applied yet, the
default policy is used, which only blocks access to malicious sites, so the last step is to create policies.
Policies control what can be accessed and are applied to locations, which are selected on the first tab.
On the Settings tab you can choose between four preconfigured options or choose to customize which
categories of site can be accessed.
The four preconfigured options are:
• Keep it clean
• Optimal productivity
• Conserve bandwidth
• Business only
To customize the configuration, select Let me specify…
• Allow
• Block
• Let me specify…
When you customize the policy configuration, for each web category you can choose to either allow it,
block it, or further customize its subcategories, which can each be allowed or blocked.
• Configure filtering for a custom list of domains
• Enforce safe search settings in search engines and YouTube
Below the web categories are two additional configuration sections.
The first allows you to manage access to custom domain lists, either to allow or block access.
The second gives you the option to enforce safe search settings in search engines and YouTube. For
YouTube, you can further choose what restriction level to enforce.
To create custom domain lists, select Domains in the left-hand menu of Sophos DNS Protection.
Here you can create a list of domains that you want to allow or block in policies. Each domain list can
have up to 1000 items.
This allows you to create exceptions to the behaviour you have selected for web categories in a policy.
For example, you may have blocked access to the social media category in policy but want to allow
access to one specific site. In this case, you can create a domain list and allow access to it in the policy.
You can create multiple policies; however, each location can only be associated with one policy.
Locations that have been assigned to a policy will not be shown in the location list, and so cannot be
added to multiple policies.
Simulation: Getting Started with Sophos DNS Protection
In this simulation you will complete the initial
configuration required to get started with Sophos DNS
Protection.
https://training.sophos.com/dns/simulation/GettingStarted/1/start.html
Block Pages
With Sophos DNS Protection configured, your users will see a block page like the one shown here if
they try to access a site blocked by policy.
On this page they can see how the site has been categorized and return to their previous page.
Enforcing DNS Protection
[Diagram labels: DNS, INSIDE, OUTSIDE]
• Only allow requests to Sophos DNS Protection
• Block DNS requests of other DNS providers
To ensure that DNS Protection is not bypassed, you will need to block access to other DNS providers
in your firewall configuration. This can be done on both your gateway and on host-based firewalls.
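To confirm that the blocking rule described above is effective, firewall logs can be audited for DNS traffic that goes anywhere other than the approved resolvers. This is an added example, not Sophos code; the log format, the internal range and the resolver addresses are assumptions (the addresses are placeholders from a documentation range).

```python
import ipaddress

# Placeholder addresses from a documentation range; replace them with the
# Sophos DNS Protection server addresses for your account.
APPROVED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}
# Assumed internal range: queries to an internal DNS server are expected.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Plain DNS and DNS over TLS; DNS over HTTPS shares port 443 with web
# traffic and cannot be identified by port alone.
DNS_PORTS = {("udp", 53), ("tcp", 53), ("tcp", 853)}

# Constructed log lines in an assumed format:
#   <action> <proto> <source> -> <destination>:<port>
SAMPLE_LOG = """\
allow udp 10.0.1.20 -> 10.0.0.10:53
allow udp 10.0.0.10 -> 192.0.2.53:53
allow udp 10.0.1.21 -> 198.51.100.8:53
allow tcp 10.0.1.21 -> 198.51.100.8:853
deny udp 10.0.1.22 -> 198.51.100.9:53
allow tcp 10.0.1.20 -> 203.0.113.80:443
"""


def audit_dns_egress(log_text, approved=APPROVED_RESOLVERS):
    """Find DNS traffic to resolvers other than the approved ones.

    Returns {"allowed": {...}, "denied": {...}}, each mapping a source to
    the sorted list of unapproved resolvers it tried. "allowed" entries are
    gaps in the firewall rules; "denied" entries are hosts still configured
    with another DNS provider.
    """
    found = {"allowed": {}, "denied": {}}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[3] != "->" or parts[0] not in ("allow", "deny"):
            continue  # not a line in the assumed format
        action, proto, src, _, dest = parts
        dst, _, port = dest.rpartition(":")
        if not port.isdigit() or (proto, int(port)) not in DNS_PORTS:
            continue
        try:
            internal = any(ipaddress.ip_address(dst) in n for n in INTERNAL_NETS)
        except ValueError:
            continue  # destination is not an IP address
        if internal or dst in approved:
            continue
        bucket = found["allowed" if action == "allow" else "denied"]
        bucket.setdefault(src, set()).add(dst)
    return {k: {s: sorted(d) for s, d in v.items()} for k, v in found.items()}
```

On the sample log, 10.0.1.21 appears under "allowed" (a rule gap to close) and 10.0.1.22 under "denied" (a device whose DNS settings still need changing).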
Chapter Review
Here are the three main things you learned in this chapter.
Locations are a collection of up to 100 IP addresses and FQDNs where the DNS requests are being
made from. Sophos Central checks that the FQDNs can be resolved when they are added.
You need to install the certificate to ensure there are no security errors in the browser when users get
a block page. Your DNS Protection configuration can be tested by visiting
https://dns.access.sophos.com.
Policies are assigned to selected locations. You can choose to use pre-configured settings or customize
the categories or sub-categories of websites yourself. You can create custom domain lists to manage
access. You can optionally enforce safe search settings.