Advisory: Sophos Endpoint "Your connection isn't private" after reboot. Policy settings can be returned to normal. See: KB-000045954 for the latest updates.

Introducing Sophos DNS Protection

Introducing Sophos DNS Protection

We are excited to start the Early Access Program (EAP) for Sophos DNS Protection for networks. This new cloud-based service is part of our growing suite of Secure Access Service Edge products and services, expanding upon what we started with Sophos ZTNA and Sophos SD-WAN Orchestration.

Enhanced Internet and Web Security

Sophos DNS Protection adds another layer of security to every network. It works to instantly block access to unsafe and unwanted domains across all ports, protocols, and applications at the earliest opportunity – from both managed and unmanaged devices. DNS protection perfectly complements and augments your existing network security and policy enforcement tools - from Sophos or any other vendor. DNS Protection can be deployed in a few minutes; it’s never been easier to roll out additional security to your organization.

Sophos DNS Protection is a globally accessible domain name resolution service with integrated policy controls and reporting in Sophos Central. Sophos DNS Protection is backed by SophosLabs’ real-time threat intelligence, protecting your organization from malicious domain activity and allowing you to enact policy for domain categories or domain lists. By using Sophos DNS Protection in place of your existing public DNS resolver, you can prevent any devices on your network from accessing domains associated with security threats and other unwanted websites controlled through policy.

DNS Protection complements the protection provided by the other security features of Sophos Firewall. Deploying it on a network protected by Sophos Firewall provides an additional layer of protection that ensures all protocols and ports are protected against accessing risky or inappropriate domains.

Integrated Reporting

Sophos DNS Protection provides in-depth visibility into the domains visited from your network with comprehensive dashboarding and reporting. Reporting will be coming in an update during the EAP.

Protection for networks

In this initial release, policy selection and access to the DNS Resolver are based on the originating public IPv4 address of the DNS queries. Hence, protecting individual devices that move from network to network (or site to site) is inappropriate. Dynamic IP addresses are supported when used with a DynamicDNS provider.

As we expand our Security Service Edge services, we plan to integrate with the endpoint, providing DNS protection and other network-oriented security services for roaming devices, wherever they are.

Cross-Product Integration

In addition, Sophos DNS Protection’s log data and intelligence are shared with Sophos data lake for Sophos XDR and MDR threat-hunting analysts to help detect active adversaries and threats operating on the network. Please look for additional updates on the XDR integration as the EAP progresses.

Included at No Extra Charge for Firewall customers with Xstream Protection

The initial release of DNS Protection is being added to our Xstream Protection bundle, adding additional value to this already amazing suite of protection solutions for our existing Sophos Firewall customers.

Getting Started

Getting started with Sophos DNS Protection is easy - update your existing DNS configuration by pointing your devices or local DNS servers to our global anycast IP addresses, tell us about your locations in your Sophos Central account by entering your networks' public IPv4 address(es), and then provide your feedback. 

To join the program, complete this registration form. Once you’ve done that, we’ll email you with our Getting Started guide and all the information you need to get you up and running.

The EAP is available for customers with Sophos Central accounts in the United States, Ireland and Germany portals. Unfortunately the EAP is not available for Sophos Central MSP accounts, or for accounts that only have trial product licenses associated with them. *** Earlier issues with MSP or trial accounts have now been resolved. ***

After that, please drop by the Community Forum to share your experience with other participants or tell us about your experiences through the in-product Feedback link.

Early Access is expected to run through January 2024, so get started today and help us make this service the best it can be.

*Please note that the initial points of presence for the EAP service are in North America, Europe, and India. Participants in other geographies may not experience the best query latency. Please monitor your network experience if you are outside these regions. We will expand coverage for additional areas in the future.

[Updated on 29 February 2024: Updated registration link]

  • Very cool guys, nice work, and is already providing value to customers on the EAP.  Easy Setup.

  • DNS protection would be available only as part of Xstream protection bundle 

  • Hi  

    We would to share the good news that Trial and MSP account support is added for DNS Protection EAP now.  Request you to please try it out and reach out in case you find any issues.

  • Hi Andy,

    We certainly could have gone down the path of doing DNS inspection/filtering on the Firewall, to provide a different kind of product and service overall.

    Running it as a hosted service gives us some other advantages, and this initial version of the product is only a start. We also want to provide a secure DNS service for endpoint devices in the future, to protect users whether they are inside or outside a corporate network. So building a DNS resolution service is important for that too.

    No product is ideal for every situation and every customer. If you don't see value in this initial release of the product, we hope that you will do in future as we build out more features and services around it.



  • Hey guys,

    i'm not sure to understand this correct.

    I have to use the Sophos WAN DNS for DNS Forwarding?

    In a "best practise" environment you use the local DNS on the Sophos Firewall for the Clients - and the provider DNS as Forwarding. Why not filtering the queries directly in the firewall? The users already known by the firewall..

    For my understanding it is more practical than all other stuff.

    Sorry, but I think the implementation of OPNsense with Unbound-DNS and Zenarmor is more practical than this.

    Please correct me if i'm wrong..