DNS Protection

Protective filtering for security, visibility, privacy and control. Minimize risks, maximize safety and productivity on the web.

Why do you need a protective DNS service?

Today’s businesses need secure, private, manageable and visible control over internet traffic.

The current domain name system (DNS) simply resolves internet requests through a global system of servers, then translates those requests into their unique Internet Protocol (IP) addresses. But this vital service was not designed with security in mind and many DNS exploits and vulnerabilities now exist.

By using a protective DNS service like Webroot® DNS Protection organizations control their networks and maintain the security, privacy and visibility they need to protect IT infrastructure and users, even those working remotely.

What does a protective DNS service do?

Its primary aim is to create a highly secure, private, resilient and manageable connection to the internet. Automated filtering uses Webroot BrightCloud® Internet Threat Intelligence to automatically block requests to undesirable, dangerous or malicious internet domains, even encrypted DNS over HTTPS (DoH) requests.

This filtering alone stops most internet threats before they can infect networks or endpoints. It helps organizations achieve the management control over their DNS connection recommended by the joint NSA and CISA Guidance on Strengthening Cyber Defense Through Protective DNS.

Webroot® DNS Protection and NSA/CISA PDNS service attributes

The NSA and CISA advisory recommends the following attributes of a protective DNS service:




Blocks malware domains


Using Webroot BrightCloud® Threat Intelligence

Blocks phishing domains


Using Webroot BrightCloud® Threat Intelligence

Malware Domain Generation Algorithm (DGA) protection


Using Webroot BrightCloud® Threat Intelligence

Leverages machine learning or other heuristics to augment threat feeds


Uses the Webroot ML/AI platform established in 2007

Content filtering


Uses up to 80 URL categories, plus Google SafeSearch

Supports API access for SIEM integration or custom analytics


Several options for ensuring full logging and visibility of
requests with ingestion into SIEM, XDR, MDR, etc.

Web interface dashboard


Webroot's new UI/UX makes policy management, reporting
and dashboard stats always available

Validates DNSSEC


Webroot uses DNSSEC

DoH/DoT capable


DoH is uniquely supported natively and is also GDPR compliant
where necessary.

Enables customizable policies by group, device or network


Comprehensive management controls exist and coverage of
both the network and guest WiFi requests

Deploys across hybrid architectures


We support hybrid architectures

How Webroot’s DNS Protection service is different?


See how Webroot measures up.

Download your copy of G2’s DNS Security Grid Report to see how Webroot compares against the competition.

Full DoH compatibility for the internet of tomorrow

Webroot® DNS Protection was built for the future, supporting both IPv6 and DoH so businesses are prepared for the next generation of internet protocols and requests. This means you can protect your users at the DNS layer on modern networks like public hotspots without sacrificing security, privacy, visibility or admin control.


"With the prevalence of DNS-over-HTTPS likely to accelerate rapidly, organizations need to be planning now on how to maintain strong security controls while ensuring the right level of employee privacy. Rather than simply modifying existing capabilities to address DNS-over-HTTPS, Webroot is ahead of the curve in developing new features and technology to specifically resolve this issue."

— John Grady, Analyst, Enterprise Strategy Group

The NSA Wants Businesses to Use DoH.

Learn how Webroot DNS Protection helps you adopt this recommendation.

Webroot® DNS Protection runs on the Google Cloud Platform

Webroot® DNS Protection is hosted on the Google Cloud Platform for increased security, performance and reliability. Using Google Cloud’s high-redundancy, low-latency networks in 16 regions worldwide maximizes performance.

Webroot DNS Protection also benefits from Google's built-in DoS prevention and mitigation, enabling us to stop attacks before they hit our service. And because regional deployments can auto-scale with spikes in traffic, even drastically increasing loads don’t increase wait times for requests.

Dive Deeper into DNS Protection

Maps and VPN Icon
Roaming and VPN Users

Webroot DNS Protection secures your mobile workforce without interfering with the VPNs, firewalls and security tools you already use.

DNS Hotspot Icon
WiFi Hotspots

Secure WiFi hotspots with DNS protection for guest WiFi to keep guests, customers and reputations safe.

What Our Customers Have to Say

Spiceworks Endpoint Protection Reviews
G2 Crowd Endpoint Protection Reviews
Expert Insights DNS Protection Review

Next steps

Whether you're a Business or MSP, you can easily add Webroot DNS Protection to your existing account or start a FREE 30-day trial today.