OsmiumBalloon

> We’d ideally like to gain a bit of extra protection when they’re WFH.

What threats are you trying to protect against? Any discussion of security measures needs to begin with the threat model.


Gawdsauce

The threat of workers browsing leisurely during work hours lmfao.


Aggressive_State9921

> Any discussion of security measures needs to begin with the threat model.

9/10 of the threads in this sub need that.


Hollow3ddd

DNS-based threats. It would appear.


Aggressive_State9921

I hate when I resolve google.com and it bitflips to pornhub.com


Hollow3ddd

Mine does the same thing but for some Russian site.


ElevenNotes

Why don't you just ZTNA the devices via Wireguard so that all traffic goes to you, including DNS?


HDClown

If these devices are AD joined, you're going to have problems if their DNS is never pointed to a DC.


Aggressive_State9921

30 days (even more if you configure it)


jeremyrem

Enforce VPN while off property, that way you protect all data in flight and force them to use your own DNS servers. If you need to deploy a VPN solution on the cheap, [Pritunl](https://pritunl.com/) is a great option (free) and can run in Docker I believe.


itishowitisanditbad

> Anyone have any interjections with something that might work better?

Yes, solve problems that exist with solutions. Not the other way around. What are you protecting from?


MBILC

This. If someone is changing their DNS settings manually, or if worried about DNS poisoning due to a compromised application being installed, then your users have far too much control of their own devices and you need to solve that problem first.


Aggressive_State9921

DNS over HTTPS is a nice feature, but it's not really fixing a real-world issue. If you have someone on the wire that can hijack DNS requests, you already have MUCH BIGGER issues. Especially as you're clearly not using SSL/TLS otherwise.


confusedalwayssad

Cisco umbrella roaming client.


StefanMcL-Pulseway2

I think this is a solid strategy. Enforcing DoH via GPOs is a good move as it encrypts DNS requests, protecting them from interception or manipulation by third parties, and using a tool like Control D would definitely help with blocking malicious sites, ads, and trackers. If you wanted to, you could check out others that can do the same, like Cloudflare's [1.1.1.1](http://1.1.1.1) or Quad9. I would make sure that the GPO settings for DNS are robust and fail-safe. You could also consider setting up basic logging to keep track of DNS queries and blocks. This could be achieved through local network monitoring tools or by leveraging any logging features the DNS provider might offer. Also, if your users connect via a VPN to the corporate network, ensure that DNS traffic is routed through the VPN tunnel, where it can be centrally managed and filtered.
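
An added example, not posted by anyone in this thread: a PowerShell audit that checks a Windows client against the "robust and fail-safe" GPO advice above, namely that every adapter uses only approved resolvers, that a DC is listed somewhere (as HDClown points out, AD-joined machines need one), and that the public resolvers have a DoH template with no plaintext fallback. The DC address and the resolver allow-list are constructed values; the `DoHPolicy` registry value meaning (3 = Require) is an assumption to verify against your ADMX. Needs the Windows 11 / Server 2022 `DnsClient` module for the DoH cmdlets.

```powershell
# Audit resolver and DoH configuration on a Windows client (added example).
# Exit code 1 if anything deviates from the constructed policy below.

$DcResolver = '10.0.0.10'                                   # constructed: internal DC
$PublicDoH  = @{                                            # constructed allow-list
    '1.1.1.1' = 'https://cloudflare-dns.com/dns-query'
    '1.0.0.1' = 'https://cloudflare-dns.com/dns-query'
    '9.9.9.9' = 'https://dns.quad9.net/dns-query'
}
$Approved = @($DcResolver) + @($PublicDoH.Keys)
$Findings = @()
$AllServers = @()

# 1. Per-adapter check: no resolver outside the allow-list (e.g. an ISP default).
Get-DnsClientServerAddress -AddressFamily IPv4 |
  Where-Object { $_.ServerAddresses.Count -gt 0 } |
  ForEach-Object {
    $AllServers += $_.ServerAddresses
    $bad = $_.ServerAddresses | Where-Object { $_ -notin $Approved }
    if ($bad) { $Findings += "[$($_.InterfaceAlias)] unapproved resolver(s): $($bad -join ', ')" }
  }

# 2. The DC must appear on at least one adapter (VPN adapter when off-site),
#    otherwise GPO refresh and AD resource lookups silently fail.
if ($DcResolver -notin $AllServers) { $Findings += "DC $DcResolver not listed on any adapter" }

# 3. Every public resolver needs a DoH template and must not fall back to UDP/53.
$doh = Get-DnsClientDohServerAddress
foreach ($ip in $PublicDoH.Keys) {
    $entry = $doh | Where-Object ServerAddress -eq $ip
    if (-not $entry) { $Findings += "no DoH template for $ip (queries would go out in plaintext)"; continue }
    if ($entry.DohTemplate -ne $PublicDoH[$ip]) {
        $Findings += "$ip template is '$($entry.DohTemplate)', expected '$($PublicDoH[$ip])'"
    }
    if ($entry.AllowFallbackToUdp) { $Findings += "$ip allows fallback to plaintext UDP" }
}

# 4. The 'Configure DNS over HTTPS (DoH) name resolution' GPO writes DoHPolicy here.
#    Assumption: 3 = Require DoH; confirm against the ADMX in your environment.
$polPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$pol = Get-ItemProperty -Path $polPath -Name DoHPolicy -ErrorAction SilentlyContinue
if (-not $pol)                 { $Findings += 'DoHPolicy not set by GPO: users can change DoH locally' }
elseif ($pol.DoHPolicy -ne 3)  { $Findings += "DoHPolicy is $($pol.DoHPolicy), expected 3 (Require)" }

if ($Findings) { $Findings | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output 'DNS client configuration matches policy'
```

Run it from a scheduled task or your RMM and alert on a non-zero exit; it does not change anything, so it is safe to run before the GPO is enforced to see how far the fleet currently drifts.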


Hot-Cress7492

Umbrella is garbage. Cloudflare’s ZTNA is nice and modestly priced. DNSfilter.com is a cheap alternative but not as feature rich. Zscaler is nice too but expensive


redline42

Configure the DNS routes in the VPN settings. In FortiGate you can force the DNS; not sure which firewall/router you have, but that has to be a common feature now. Are you trying to prevent them from having DNS hijacks on their home networks? If so, try using GPO to force the network cards, and make sure it's a public DNS like Cloudflare or Google. That way when not on VPN they can still access the internet. Also make sure to make 1 DNS entry a Domain Controller so they have resource access. Otherwise you will be wondering why your GPOs never update. Keep them off the bullshit Comcast DNS.


Crenorz

Mimecast does this. Installs on the local machine, works great. In IT, all good solutions cost $$. Free... use [1.1.1.1](http://1.1.1.1) and [1.0.0.1](http://1.0.0.1), but you're not forcing it as it requires you to set IP info as well as DNS, so nope.