Configuring Datto DNS Secure
This articles describes the Datto DNS Secure feature and how to configure it.
Datto DNS Secure
Datto DNS Secure is a feature that allows you to block user access to websites based on categories you enable. When a user attempts to access a particular website, Datto AV will determine the category to which the website belongs. If you have enabled the category in the Datto DNS Secure feature, the user will be blocked from accessing the website. If the category is not enabled, the user will be able to access the website.
You may find some websites may not be categorized by Datto AV as you would expect. Therefore, the feature enables you add URLs to a blocklist or an allowlist to address specific websites.
Enabling Datto DNS Secure
Datto DNS Secure settings are enabled in your Datto AV policy. To enable Datto DNS Secure, on the Policies page, edit an existing Datto Antivirus policy or create a new one. In the Policy Rules section, click the DNS Secure tab and select the Enable Datto DNS Secure check box.
Configuring threat categories
You can select website categories to block within two threat categories: Security Categories to Block and Content Categories to Block. Select the check box of each category for which you would like to block access.
Security Categories to Block
The section includes categories for websites that pose a security risk or gather information to use in an attack.
| Category | Description |
|---|---|
| Spam | Websites that capture your email address so they can send you unwanted spam. |
| Malware | Websites that actively distribute malware. |
| Potentially Unwanted Applications | Websites identified or associated with distribution of unwanted applications. |
| Phishing | Websites designed to gather user information for the sole purpose of targeted phishing. |
| Potential Unwanted Search Engine | Search engines which have been flagged because you may have been redirected by malware or a potentially unwanted application. |
Content Categories to Block
The section includes categories for websites that may introduce unwanted security risks or may jeopardize your business reputation.
| Category | Description |
|---|---|
| Illegal content | Websites that host known illegal content. |
| Streaming media | Non-threating sites that provide streaming services. Typically used when bandwidth is limited. |
| Gambling | Websites used for gambling or betting. |
| Hacking/cracking | Websites that support hacker training or provide tools used for hacking. |
| Profane content | Websites that host profane content. |
| Warez | Websites that provide pirated or stolen software. |
| Illegal drugs & paraphernalia | Websites that provide access to potential illegal drugs. |
| Weapons | Websites that provide access to weapons or host content for using weapons. |
| VPNs, proxies, & filter avoidance | Websites that host VPNs used to circumvent firewall or other security access controls. |
| Pornography | Adult material. |
| Spyware, malware | Websites that collect personal information to be used in a malicious manner. |
| Deceptive, phishing | Websites that are misleading or mock known sites to distribute malware or collect personal information. |
| Social networking | Facebook, Tiktok, etc. |
| Hate content | Websites that spread hateful content. |
Configuring blocklists and allowlists
For websites that may not be categorized by Datto AV as you would like, you can add specific URLs to the Domain List and indicate whether the domain is to be trusted or blocked.
Domains are typically formatted as domain.com or sub.domain.com. When adding a new domain, you can enter the exact domain or use wildcards for sub domains. It is not necessary to include www. in the URL. For example, the system treats google.com the same as www.google.com.
IMPORTANT Enter domains only. Do not enter protocols such as HTTP, FTP.
Below are URL format examples along with a description of the outcome based on blocking access.
| URL example | Outcome |
|---|---|
| Google.com | Access to google.com and www.google.com will be blocked but access to sub-domains, such as accounts.google.com, will be allowed. |
| www.google.com | This will block access to google.com and www.google.com but access to its sub-domains will be allowed. |
| *.google.com | This will block access to google.com and www.google.com and its sub-domains. |
| Accounts.google.com | Access to accounts.google.com will be blocked while access to google.com and other sub-domains, such as help.google.com, will be allowed. |
| Help.*.com | Not an acceptable URL format. |
| https://google.com | Not an acceptable URL format. |
| www.reddit.com/sysadmin | Not an acceptable format due to "/" in URL. |
To add a domain to the Domain List:
- Expand the Domain List section.
- Click the Add Domain button.
- The Add Domain modal is displayed. Select Trusted Domain (selected by default) or Block Domain.
- In the Domain field, enter the domain's URL.
- To add another domain, click +Add Domain. In the new Domain field displayed, enter the domain's URL. Note that each domain added in this manner must be of the same type, Trusted Domain or Block Domain.
- When you have finished adding URLs, click the Add button.
The domains are listed in the Domain List table.
IMPORTANT If a user has active browser processes running when Datto DNS Secure is enabled, some sites may still be accessible by the user. The settings will be applied when the browser service is restarted.
Configuring trusted executables
In the Trusted Executables section, you can add specified executable files that are allowed to connect to online services while running.
Rules for implementing:
- Can only be used for local disk paths.
- Cannot include wildcards.
- Cannot use Windows Environment variables
Examples:
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Mozilla Firefox\firefox.exe
To add an executable file to the Trusted Executables list:
- Expand the Trusted Executables section.
- In the field, enter the local path.
- Click the Add button.
FAQs
Can I deploy DNS Secure without Datto AV?
No. DNS Secure options are included in Datto AV policy.
What operating systems are supported by DNS Secure?
Currently, only Microsoft Windows is supported by DNS Secure.
Will DNS Secure generate alerts?
When a user attempts to access a blocked security category, an observable event will be created in the Alerts table. You can see these events by selecting DNS Secure in the Source Type filter. 
When access to a website under content category is blocked, a non-observable event or alert is created.
How will a user know if a site is blocked?
Users will be presented with a block page that provides useful information such as the category that is blocked, policy name, and hostname.
Can I modify the block page?
No. Currently the block page is limited to a standard look and feel.
How can I verify DNS Secure settings are applied correctly?
On each endpoint, you can access the AppSettings.json file located in C:\ProgramData\DattoAV\Endpoint Protection SDK\settings.
What should I do if a website is miscategorized?
You can add the site's URL to the Domain List as a trusted domain.
