Configuring Datto DNS Secure
This articles describes the Datto DNS Secure feature and how to configure it.
Datto DNS Secure
Datto DNS Secure is a feature that allows you to block user access to websites based on categories you enable. When a user attempts to access a particular website, Datto AV will determine the category to which the website belongs. If you have enabled the category in the Datto DNS Secure feature, the user will be blocked from accessing the website. If the category is not enabled, the user will be able to access the website.
You may find some websites may not be categorized by Datto AV as you would expect. Therefore, the feature enables you add URLs to a blocklist or an allowlist to address specific websites.
Enabling Datto DNS Secure
Datto DNS Secure settings are enabled in your Datto AV policy. To enable Datto DNS Secure, on the Policies page, edit an existing Datto Antivirus policy or create a new one. In the Datto DNS Secure section, click the Enable Datto DNS Secure toggle.
Configuring threat categories
You can select website categories to block within two threat categories: Security Categories to Block and Content Categories to Block. Click the toggle for the desired category to enable it. 
Security Categories to Block
The section includes categories for websites that pose a security risk or gather information to use in an attack.
| Category | Description |
|---|---|
| Unknown | No information was found on the website. Threat actors frequently create new domains to get around category blocking. |
| Spam | Websites that capture your email address so they can send you unwanted spam. |
| Malware | Websites that actively distribute malware. |
| Potentially Unwanted Applications | Websites identified or associated with distribution of unwanted applications. |
| Phishing | Websites designed to gather user information for the sole purpose of targeted phishing. |
| Potential Unwanted Search Engine | Search engines which have been flagged because you may have been redirected by malware or a potentially unwanted application. |
Content Categories to Block
The section includes categories for websites that may introduce unwanted security risks or may jeopardize your business reputation.
| Category | Description |
|---|---|
| Illegal content | Websites that host known illegal content. |
| Streaming media | Non-threating sites that provide streaming services. Typically used when bandwidth is limited. |
| Gambling | Websites used for gambling or betting. |
| Hacking/cracking | Websites that support hacker training or provide tools used for hacking. |
| Profane content | Websites that host profane content. |
| Warez | Websites that provide pirated or stolen software. |
| Illegal drugs & paraphernalia | Websites that provide access to potential illegal drugs. |
| Weapons | Websites that provide access to weapons or host content for using weapons. |
| VPNs, proxies, & filter avoidance | Websites that host VPNs used to circumvent firewall or other security access controls. |
| Pornography | Adult material. |
| Spyware, malware | Websites that collect personal information to be used in a malicious manner. |
| Deceptive, phishing | Websites that are misleading or mock known sites to distribute malware or collect personal information. |
| Social networking | Facebook, Tiktok, etc. |
| Hate content | Websites that spread hateful content. |
Configuring blocklists and allowlists
For websites that may not be categorized by Datto AV as you would like, you can add specific URLs to the Blocked Domain List or the Trusted Domain List.
- Blocked Domain List: This is useful for blocking user access a specific URL that is not already blocked by a threat category.
- Trusted Domain List: This is useful for allowing user access to a specific URL that is being blocked by a threat category.
Domains are typically formatted as domain.com or sub.domain.com. When adding a new domain, you can enter the exact domain or use wildcards for sub domains. It is not necessary to include www. in the URL. For example, the system treats google.com the same as www.google.com.
IMPORTANT Enter domains only. Do not enter protocols such as HTTP, FTP.
Below are URL format examples along with a description of the outcome based on the scenario of adding the URL to the Blocked Domain List.
| URL example | Outcome |
|---|---|
| Google.com | Access to google.com and www.google.com will be blocked but access to sub-domains, such as accounts.google.com, will be allowed. |
| www.google.com | This will block access to google.com and www.google.com but access to its sub-domains will be allowed. |
| *.google.com | This will block access to google.com and www.google.com and its sub-domains. |
| Accounts.google.com | Access to accounts.google.com will be blocked while access to google.com and other sub-domains, such as help.google.com, will be allowed. |
| Help.*.com | Not an acceptable URL format. |
| https://google.com | Not an acceptable URL format. |
To add a domain to the Blocked Domain List or the Trusted Domain List, enter the domain's URL in the Domain field and click Add Domain.
IMPORTANT If a user has active browser processes running when Datto DNS Secure is enabled, some sites may still be accessible by the user. The settings will be applied when the browser service is restarted.
FAQs
Can I deploy DNS Secure without Datto AV?
No. DNS Secure options are included in Datto AV policy.
What operating systems are supported by DNS Secure?
Currently, only Microsoft Windows is supported by DNS Secure.
Will DNS Secure generate alerts?
When a user attempts to access a blocked security category, an observable event will be created in the Alerts table. You can see these events by selecting DNS Secure in the Source Type filter. 
When access to a website under content category is blocked, a non-observable event or alert is created.
How will a user know if a site is blocked?
Users will be presented with a block page that provides useful information such as the category that is blocked, policy name, and hostname.
Can I modify the block page?
No. Currently the block page is limited to a standard look and feel.
How can I verify DNS Secure settings are applied correctly?
On each endpoint, you can access the AppSettings.json file located in C:\ProgramData\DattoAV\Endpoint Protection SDK\settings.
What should I do if a website is miscategorized?
You can add the site's URL to the Trusted Domain List.
