Sophos DNS Protection - Included Free with Xstream Protection


Sophos DNS Protection is a new Sophos Central service that is included free of charge with the Sophos Firewall Xstream Protection Bundle. We have tested it for some time and share our experience in this article.

Sophos DNS Protection - Dashboard

Sophos DNS Protection feature

Sophos DNS Protection provides a cloud-based security solution that blocks access to unsafe and unwanted domains across all ports, protocols, and applications. The service can be implemented in minutes and effectively complements existing network security solutions.

With real-time threat intelligence and comprehensive reporting features, Sophos DNS Protection protects against malicious and unwanted domains. The core strength of this new Sophos Central service is that it adds another layer of protection against access to known, compromised, or malicious domains for both encrypted and unencrypted connections. This preventive approach raises the security level directly at the DNS level and therefore goes far beyond traditional web security.

Setup in 3 Steps

Setting up Sophos DNS Protection is very straightforward and can be completed in just a few minutes.

Sophos DNS Protection - Setup in three steps

You start by configuring the IP addresses of the networks or the dynamic hostnames so that DNS Protection can identify where DNS requests are coming from. You then assign these locations to the appropriate policies to activate protection.

1. Add a location

For the Sophos DNS servers to assign requests to the correct policies and user account for reporting, you first need to add the location and its associated public IP address or DNS name.

Sophos DNS Protection - Add location

2. Adjust DNS servers

To use Sophos DNS Protection, you need to configure the Sophos DNS servers on your router, DNS server, or firewall. Enter the IP addresses as DNS servers on the network device so that all DNS requests are routed through Sophos DNS Protection.

Sophos DNS Protection - Network Configuration

To ensure that block pages are displayed correctly, download the provided certificate and deploy it to the devices as a trusted root certification authority.

We have already explained the process of distributing the certificate for Sophos Firewall in a separate guide. For DNS Protection, you simply use a different certificate.

3. Filtering by web category

In the third step, you create the policies. This is where you define which web categories should be blocked. DNS Protection always filters websites that pose a security risk, but you can set additional filtering options. These policies can be defined per location, allowing security policies to be adapted more precisely to the specific needs of each individual network.

Sophos DNS Protection - Policies

The following categories are available for blocking:

Productivity-related categories

  • Advertisements
  • Auctions & classified ads
  • Dynamic DNS & ISP sites
  • Entertainment
  • Fashion & beauty
  • Gambling
  • Games
  • Hobbies
  • Hunting & fishing
  • Kid’s sites
  • News
  • Online chat
  • Online shopping
  • Personal sites
  • Photo galleries
  • Portal sites
  • Religion & spirituality
  • Restaurants & dining
  • Sports
  • Stocks & trading
  • Surveillance
  • Travel
  • Society & culture
  • Vehicles

Social networking

  • Blogs & forums
  • Personals & dating
  • Social networks

Adult and potentially inappropriate categories

  • Alcohol & tobacco
  • Controlled substances
  • Criminal activity
  • Download freeware & shareware
  • Extreme
  • Intellectual piracy
  • Intolerance & hate
  • Legal highs
  • Marijuana
  • Militancy & extremist
  • Nudity
  • Plagiarism
  • Pro-suicide & self harm
  • Sex education
  • Sexually explicit
  • Swimwear & lingerie
  • Weapons

Categories likely to cause excessive bandwidth usage

  • Live audio
  • Live video
  • Peer-to-peer & torrents
  • Radio & audio hosting
  • Video hosting
  • Voice & video calls

Business-relevant site categories

  • General business
  • Business networking
  • Educational institutions
  • Financial services
  • Government
  • Health & medicines
  • Image search
  • Information technology
  • Job search
  • Military
  • NGOs & non-profits
  • Political organizations
  • Professional & workers organizations
  • Real estate
  • Reference
  • Search engines
  • Software updates
  • Translators

Infrastructure

  • Content delivery
  • CRL and OCSP

Threats and liabilities

  • Anonymizers
  • Hacking
  • Newly registered websites
  • Parked domains
  • Phishing & fraud
  • Spam URLs
  • Spyware & malware
  • Unauthorized software stores

Data loss

  • Data loss
  • Business cloud apps
  • Personal cloud apps
  • Personal network storage
  • Web E-mail

Uncategorized

  • Everything else

Sophos DNS Protection allows you to create custom domain lists. If a user needs access to a blocked page, you can create a dedicated exception list and adjust the policy accordingly. For example, you can define special exceptions that allow certain domains while others remain blocked.

Test

Sophos DNS Protection immediately blocks access to unsafe and unwanted domains. This applies to both managed and unmanaged devices and gives your network broad protection against malicious domain activity. With real-time threat intelligence from SophosLabs, you can ensure that your organization remains protected against the latest threats.
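That coverage only applies to devices whose DNS queries actually reach the Sophos resolvers configured in step 2. As an added example (not from Sophos or the original article), the following Python code scans firewall traffic logs for clients that were allowed to query other resolvers; the resolver addresses are placeholders and the key=value log layout is a constructed assumption, not a Sophos log format.

```python
import ipaddress
from collections import defaultdict

# Placeholders (RFC 5737 documentation range): substitute the resolver
# addresses shown for your account in Sophos Central.
APPROVED_RESOLVERS = {ipaddress.ip_address("192.0.2.53"),
                      ipaddress.ip_address("192.0.2.54")}
DNS_PORTS = {53, 853}  # plain DNS and DNS over TLS

# Constructed sample lines in a generic key=value layout (assumed format).
SAMPLE_LOG = """\
src=10.0.1.20 dst=192.0.2.53 proto=udp dport=53 action=allow
src=10.0.1.21 dst=8.8.8.8 proto=udp dport=53 action=allow
src=10.0.1.21 dst=1.1.1.1 proto=tcp dport=853 action=allow
src=10.0.1.22 dst=9.9.9.9 proto=udp dport=53 action=drop
src=10.0.1.23 dst=203.0.113.10 proto=tcp dport=443 action=allow
malformed line without fields
src=10.0.1.24 dst=192.0.2.54 proto=tcp dport=53 action=allow
"""

def parse_line(line):
    """Return the parsed fields, or None if a required field is missing or invalid."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    try:
        return {"src": ipaddress.ip_address(fields["src"]),
                "dst": ipaddress.ip_address(fields["dst"]),
                "dport": int(fields["dport"]),
                "action": fields.get("action", "")}
    except (KeyError, ValueError):
        return None

def find_dns_bypass(log_text):
    """Map each client to the unapproved resolvers it was allowed to reach."""
    bypass = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] not in DNS_PORTS:
            continue
        # Dropped flows are already contained; only allowed ones bypass filtering.
        if rec["action"] == "allow" and rec["dst"] not in APPROVED_RESOLVERS:
            bypass[str(rec["src"])].add(str(rec["dst"]))
    return {src: sorted(dsts) for src, dsts in bypass.items()}

if __name__ == "__main__":
    for client, resolvers in find_dns_bypass(SAMPLE_LOG).items():
        print(f"{client} bypasses DNS Protection via {', '.join(resolvers)}")
```

DNS over HTTPS runs on port 443 and is not visible to this port-based check, so it needs separate handling.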

Sophos DNS Protection - Browser Block Message

The Sophos video explains the setup steps again:

Sophos DNS Protection - Setup Service

Reporting

With DNS Protection, you get detailed insight into the domains visited from your network. The reporting features in Sophos Central let you monitor your network’s security posture at any time. You receive reports on permitted and blocked domains as well as the total number of DNS requests.

Sophos DNS Protection - Permitted Domains
Sophos DNS Protection - Policy blocks

The reporting tool works in a similar way to Firewall Reporting in Sophos Central. You can set filters, search for specific entries, and create templates for recurring queries. Reports can also be sent by email.

Sophos DNS Protection - DNS usage

More data for XDR and MDR

The DNS data collected by Sophos DNS Protection is forwarded to the Sophos Data Lake. This data can then be used with XDR tools or help MDR analysts detect active attackers and threats in the network.

Licensing

DNS Protection is currently available to all Sophos Firewall customers who have licensed the Xstream Protection Bundle.

However, Sophos also states that the first version is free. I can therefore well imagine that once the product is a little more mature, additional features may require another license, similar to Firewall Reporting.

Conclusion / Opinion

Sophos DNS Protection is a simple and effective solution that works reliably in version 1 and is a more secure alternative to 8.8.8.8, 1.1.1.1, and 9.9.9.9. Nevertheless, there are a few areas that could be improved:

Speed: The Sophos DNS servers currently have higher latency, mainly because Sophos only provides a small number of POPs at this stage. However, this is expected to be improved in the coming months.

Filters: At the moment, filtering is limited to domains. Predefined lists for apps, advertising, or tracking links are missing, which limits the available filtering options.

Mobile: Unlike “Cisco Umbrella DNS” or “NextDNS”, Sophos DNS Protection does not offer a way to protect mobile devices.

Synchronized Security: Many administrators know the problem: users report that legitimate websites are being blocked and an exception needs to be created. Many of our customers use Sophos Firewall and Sophos Endpoint with Web Control enabled, so content filtering is also available on the road or when working from home. However, the settings of these two systems are not synchronized. DNS Protection now adds a third service that also needs to be maintained.

Patrizio