Webroot now offers a “DNS Protection” service which is designed to prevent DNS poison attacks. Two elements of this service are worth noting:
53being used for DNS queries, Windows computers that use Webroot will instead use UDP port
7777as a first priority, thereby bypassing the standard DNS services (if outgoing UDP port
7777traffic isn’t blocked)*.
The result of the above is that DNSthingy’s services are impacted as follows:
53) is re-directed to the local resolver, by default, on all of our platforms in order for all DNS queries to be forced to your desired policy/rule set. But since Webroot uses an alternate channel, Webroot disables forced filtering at the gateway.
For static workstations that will stay behind DNSthingy gateway, disable Secure DNS roaming agent service. Instead, use Webroot’s Secure DNS servers (
220.127.116.11) in the DNSthingy dashboard under Advanced Settings and use them as a resolver of last resort. That way you can take advantage of what DNSthingy policy-based filtering offers together with the protection that Webroot has to offer.
By the way, we think Webroot’s Secure DNS service is a fantastic feature, but the implementation has created a conflict that disregards the subscriber’s intent.
*Some subscribers have blocked outbound UDP port
7777 traffic, which achieves the result of DNSthingy’s policies being enforced, but that creates a very slow experience as Webroot takes some time to fall back to using port
53. The experience makes it less than ideal.
Also, it’s worth noting that with DTTS (Don’t Talk To Strangers), the DNS protection (or any other alternate type service) never impact your applied policies/rule sets.