As encrypted-by-default connections spread across apps, browsers, and networks, the weakest link for roaming laptops has increasingly been the unguarded DNS lookup that decides where traffic goes before any content inspection can begin, and that gap has been hard to close off-network without breaking performance or user privacy. That is the context for an early access release bringing DNS Protection directly to Windows endpoints, extending last year’s network service into hotel Wi‑Fi, coffee shops, and home broadband. Once installed through Sophos Central, the lightweight agent quietly intercepts all DNS calls regardless of port or protocol, then tunnels them via DNS over HTTPS to the nearest resolver. There, every query meets policy and threat intelligence before it is allowed, redirected, or blocked, creating a transparent control point that travels with the user.
Policy, Privacy, And Attribution In One Move
The shift to an endpoint agent turned DNS policy from a perimeter setting into a personal guardrail. Category rules shaped access by risk and purpose, while custom domain lists handled edge cases like partner apps and sanctioned developer tools. Safe search enforcement applied consistently on major platforms such as Google and YouTube, reducing inadvertent exposure when devices left the corporate LAN. Crucially, enhanced logging stitched each query to a specific user and device, lifting the quality of XDR and MDR investigations and cutting time to triage when unusual beacons or typo‑squats surfaced. Encrypting lookups with DoH improved integrity and privacy, mitigating the eavesdropping and cache poisoning attempts that still target legacy resolvers. The company noted that user/device attribution and DoH are available on the endpoint today, with firewall‑based identity and DoH support arriving next, and that the network service was approaching its 600‑billionth query.
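The allow, redirect or block decision and the per-user, per-device attribution record described above, as an added example that is not Sophos code: a small Python model of the resolver-side policy step. The category feed, domain names and policy values are constructed for illustration; the forcesafesearch.google.com and restrict.youtube.com CNAME targets are the ones Google publishes for DNS-level safe search, and the rule that threat categories cannot be overridden by an allowlist is a design choice of this example.

```python
from dataclasses import dataclass, field
# Constructed sample category feed (domain -> category); a real feed is threat intel.
CATEGORIES = {
    "c2.example": "malware",
    "login-rnicrosoft.example": "phishing",   # constructed typo-squat
    "casino.example": "gambling",
    "pkg.example": "file-sharing",
}
THREAT_CATEGORIES = {"malware", "phishing"}   # never overridable by an allowlist
# CNAME targets Google and YouTube publish for DNS-level safe search enforcement.
SAFE_SEARCH = {"www.google.com": "forcesafesearch.google.com",
               "www.youtube.com": "restrict.youtube.com"}

@dataclass
class Policy:
    blocked_categories: set = field(default_factory=set)  # acceptable-use rules
    allow_domains: set = field(default_factory=set)       # sanctioned edge cases
    block_domains: set = field(default_factory=set)       # custom deny list
    safe_search: bool = True

@dataclass
class Query:
    user: str
    device: str
    qname: str

def suffixes(name):
    """Return the name and each parent domain (not the bare TLD) for list matching."""
    labels = name.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]

def evaluate(q, policy):
    """Return (verdict, target, log): verdict is 'allow', 'redirect' or 'block'."""
    name = q.qname.lower().rstrip(".")
    names = suffixes(name)
    cats = {CATEGORIES.get(n) for n in names} - {None}
    if cats & THREAT_CATEGORIES or any(n in policy.block_domains for n in names):
        verdict, target = "block", None          # threat intel and deny list win
    elif any(n in policy.allow_domains for n in names):
        verdict, target = "allow", name          # allowlist beats acceptable-use rules
    elif cats & policy.blocked_categories:
        verdict, target = "block", None
    elif policy.safe_search and name in SAFE_SEARCH:
        verdict, target = "redirect", SAFE_SEARCH[name]
    else:
        verdict, target = "allow", name
    # Attribution record: the query stitched to user and device for XDR/MDR triage.
    log = f"user={q.user} device={q.device} qname={name} verdict={verdict}"
    return verdict, target, log
```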
What Security Teams Did Next
For security leaders, the path forward had shifted from theory to execution. Pilot rollouts through Sophos Central had validated interception across ports and apps, with staged policies tuned for traveling users rather than branch offices. Teams mapped acceptable use categories, formalized allowlists for business‑critical domains, and enabled safe search where compliance demanded it. Roaming tests under hotel proxies and captive portals confirmed failover behaviors, while telemetry in XDR and MDR dashboards surfaced user‑level traces that previously vanished off‑network. Coexistence plans with firewalls accounted for identity gaps and the move to DoH on gateways, preventing policy drift. With encrypted DNS now the baseline and identity tied to each query, DNS control had shifted closer to zero‑trust principles, and the early access track had positioned organizations to expand coverage without trading away privacy, speed, or investigative depth.
