Sophos DNS Protection is Now Available

ProductsSophos DNS Protection

Sophos DNS Protection adds another layer of security, perfectly complementing and augmenting your customers’ existing network security and policy enforcement tools.

The team is pleased to announce the General Availability of Sophos DNS Protection. This cloud-based service is available at no extra charge to all Xstream Protection licensed Sophos Firewall customers. The release will be managed in stages and we will be increasing the number of customers for whom it is available over the coming weeks.

Great Value for New and Renewing Firewall Customers

Sophos DNS Protection adds tremendous new value for existing or renewing firewall customers who get this added protection at no extra charge. It enables them to potentially consolidate and save from using another 3rd party DNS provider or start using a great DNS Protection solution without having to pay extra.

What they Get:  Enhanced Internet and Web Security

Sophos DNS Protection adds another layer of security to every network. It works to instantly block access to unsafe and unwanted domains across all ports, protocols, and applications at the earliest opportunity – from both managed and unmanaged devices. DNS protection perfectly complements and augments your existing network security and policy enforcement tools. DNS Protection can be deployed in just a few minutes.

Sophos DNS Protection is a globally accessible domain name resolution service with integrated policy controls and reporting in Sophos Central. Sophos DNS Protection is backed by SophosLabs’ AI-powered threat intelligence, providing real-time world-wide protection from high-risk domains. As soon as a malicious domain is discovered, it is shared across all customers instantly, providing immediate protection for all customers. By using Sophos DNS Protection in place of your existing public DNS resolver, you can prevent any devices on your network from accessing domains associated with security threats and other unwanted websites controlled through policy.

DNS Protection provides quick and easy policy configuration with just a few clicks

Protection for networks

Access to the Sophos DNS Resolver is based on the originating public IPv4 address of the DNS queries. Hence, protecting individual devices for remote workers that move from network to network (or site to site) is not viable at this time.

Dynamic IP addresses are supported when used with a DynamicDNS provider.

Integrated Dashboarding and Reporting

Sophos DNS Protection also provides in-depth visibility into the domains visited from your network with comprehensive dashboarding and reporting.

Dashboard widgets show important statistics at-a-glance.


Full reporting with all the same options as Central Firewall Reporting Advanced is also included:

Cross-Product Integration

Sophos DNS Protection’s log data and intelligence are also shared with the Sophos data lake for Sophos XDR and MDR threat-hunting analysts to help detect active adversaries and threats operating on the network.

Getting Started

Sophos DNS Protection is available to all licensed Sophos Firewall customers who have the Xstream Protection bundle. If your customers don’t already have the Xstream Protection bundle, get them upgraded today, as it provides the best protection possible and offers tremendous value.

Getting started with Sophos DNS Protection is easy: add locations, set DNS settings, create a policy, and go!

Watch this video to see how easy it is to get started with Sophos DNS Protection:

Consult the full documentation for additional information.


How is DNS Protection Licensed?

DNS is licensed as part of Sophos Firewall’s Xstream Protection bundle and is included at no extra charge for all Xstream Protection customers.

All customers that have a Sophos Firewall with an Xstream Protection bundle have immediate access to Sophos DNS Protection in Sophos Central.

It is not currently sold as a separate stand-alone license – it is only available as part of Xstream Protection with Sophos Firewall.

My customer has the correct license – why can’t they access DNS Protection in Sophos Central?

Out of caution, to ensure customers get a good experience as they start to use DNS Protection, we are limiting the number of accounts that can start using DNS Protection and will be increasing that limit in stages over the coming weeks.

If you have an opportunity or a customer with a time-critical need to access DNS Protection, contact Sophos.

Can Sophos DNS Protection be used on networks without a Sophos Firewall?

Yes, however acceptable use limits are based on the number of Xstream Protection firewall licenses a customer has. More on acceptable use limits below.

What are the acceptable use limits and how do they work?

Acceptable use limits are/will be published in our licensing guidelines. For each Firewall model or Virtual Firewall license tier for which a customer has an Xstream Protection subscription, they are allowed a number of DNS queries per day. Customers with multiple Firewalls with XStream Protection can combine their allowances to give a higher total.

Acceptable use limits are expressed as queries per day, averaged over a period of 30 days. Occasional spikes in usage are fine as long as the average level remains within the limit.

If necessary, Sophos will contact customers who exceed their limits to discuss potential remediation options. Customers will not be cut off without notice, except in extreme cases such as where usage is impacting other customers or appears to be malicious in nature.

Can DNS Protection be used by remote workers?

Although this is planned for the future, it is not supported currently. It will require endpoint agent support for registration and enforcement. The DNS service we are launching now is designed for static networks using firewalls and/or DNS servers.

What Cloud Locations or Points-of-Presence are part of the initial launch?

During the EAP, DNS Protection services were hosted in four locations around the world. It is used by over 600 customers from every continent without performance issues and has served over 23 billion queries. For GA we are adding three more locations and we will continue to add more in response to usage growth.

Our locations at GA will be Oregon USA, Ohio USA, UK, Germany, India, Japan and Australia.

Our use of Amazon’s Global Accelerator network optimizes the connection to the nearest service location.

What’s Different About DNS Protection vs Web Protection in Sophos Firewall?

DNS Protection provides URL checking and blocking at the initial domain name lookup stage – before a connection is even established to a web server. As a result, it’s a very fast and efficient way to block known malicious and unwanted sites across networks regardless of application – including connections that don’t use web protocols.

Web Protection in the firewall still provides essential protection for end-users by identifying new malware or threats lurking on legitimate web pages and for providing individual user and group-based policy and compliance controls.

How is Sophos DNS Protection different from Cisco Umbrella (OpenDNS)?

OpenDNS which was acquired by Cisco in 2015, also provides a comprehensive DNS resolution service and is perhaps the most widely known and used DNS protection solution on the market. Both solutions are a DNS resolution service that blocks malicious and unwanted domains. Since the Cisco solution has been in development for 18 years now, it has a lot of extra features and capabilities. It is also not free. Sophos DNS Protection is not intended to compete with Cisco’s solution, but instead offer a light-weight, effective, and affordable solution, included as part of the overall value for our firewall customers.