Webroot’s improvements to DoH [DNS-over-HTTPS] will provide MSPs with the ability to tell customers that this is something that can significantly improve their privacy on the Internet.
Webroot, an OpenText company, has enhanced its Webroot DNS Protection filtering service. The improvements to DNS-over-HTTPS [DoH] both make DNS security easier to manage comprehensively, and improve security by letting a secure SSL connection also handle DNS requests.
The enhancements address issues that stem from DNS being a very old technology, one that long predates more recent concerns about security and privacy.
“DNS was created back in 1983, and is now close to 40 years old, making it a relic in terms of technology,” said Jonathan Barnett, a Product Manager for Webroot’s business network solutions who manages the Webroot DNS Protection solution. “But it’s a powerful solution that scales massively. It was originally built to replace manually maintained host files, and we now have 330 million plus domains served by DNS.”
The problem, Barnett stressed, is that in 1983 privacy and security were not considerations.
“DNS is clear, and you can see how the Internet is being used, and what specifically is being asked for,” he said. “That’s not great from a security or privacy perspective. People can see what websites you went to, how long you stayed, what tools you used, and when you went on breaks. Some countries in the world prosecute people based on DNS records.”
That is why DoH was designed.
“DoH packs all your DNS requests over HTTPS so that you can securely communicate,” Barnett said. “The same SSL connection that is already there can now apply to DNS requests. It verifies your server, creates a secure connection, and passes all DNS requests over it.”
DoH is now provided by other DNS security players, including market leader Cisco Umbrella, and Internet browsers typically provide this today as well. What’s new and distinctive about the Webroot service, Barnett stated, is that the service now provides a more comprehensive framework rather than supporting only individual applications.
“If the browser provides the protection independently, you will lose visibility to DNS requests so you can filter and protect them,” he said. “Other vendors have DoH resolvers, if you point Mozilla browsers at them, but it’s only application by application.”
“We don’t just protect a single app,” Barnett said. “We protect the entire box, and give the admin the knowledge to make decisions. The Webroot DNS Protection agent on the system listens for DNS requests, encrypts the data with HTTPS and passes them back to Webroot resolvers. This allows all the DNS hookups to be securely controlled so they can be managed more effectively, and provides admins with the information they need to make intelligent decisions.”
Barnett emphasized that having full management capabilities of DNS with Webroot’s extension of the technology is a major advance.
“Being able to fully manage DNS is really important, and it’s not something that has been emphasized enough,” he said.
Webroot has a strong presence in the MSP space, and Barnett also stressed that Webroot DNS Protection now gives MSPs a key advantage in showing the solution’s value.
“They can now have a conversation with their customers showing that this will improve their privacy, and that what they are asking for on the Internet will not be visible,” he said. “That’s a very powerful discussion.”
Barnett also indicated that Webroot’s roadmap involves leveraging these capabilities further.
“There are some things coming in the future that will leverage DoH security, so that we can really take advantage of that,” he said.