Protect Resolver Deployment
Overview
The HYAS Protect Resolver deployment method applies DNS-layer protection at the network level, routing DNS traffic through HYAS’s secure Anycast resolvers. This allows organizations to enforce DNS security policies without installing an endpoint agent.
This method is ideal for office environments, branch networks, or fixed-location deployments where devices consistently use corporate network infrastructure.
Prerequisites
You have access to modify DNS settings on your network (e.g., DHCP scope, firewall rules, local DNS servers)
Devices on the target network are not hardcoded to alternate DNS servers
Your firewall allows outbound DNS traffic (UDP and TCP on port 53) to the HYAS Protect resolver IPs
Key Features, Benefits & Considerations
Features, Benefits | Considerations |
---|---|
No Agent installation required. | Does not provide user or device attribution |
Protects all devices using the resolver | No off-network protection |
Ideal for office networks and IoT devices | No Local DNS, Split-Horizon or Safe Search capabilities |
Source Network policy enforcement | Policies apply at the network level, not per user group. |
Minimal maintenance | |
Fast rollout | |
HYAS Protect Resolver Deployment and Configuration Overview
Deploying HYAS Protect via Resolver involves two key components: configuring your local infrastructure and configuring Source Networks within the HYAS Protect Portal. Both steps are essential to ensure DNS queries are correctly routed to HYAS and that policies are accurately applied to the right parts of your network.
Local infrastructure configuration refers to updating your DNS settings—typically in your DHCP server, router, or firewall—to direct outbound DNS traffic to HYAS Protect’s Anycast DNS resolvers. This ensures that devices on your network send DNS queries through HYAS for inspection and enforcement.
Source Network configuration tells HYAS Protect how to recognize traffic from different parts of your network. By defining source networks (typically based on external IPs or NAT ranges), you enable HYAS to apply the correct DNS policies, tag queries appropriately, and display traffic visibility in a meaningful way.
These two steps work together to enable agent-less, network-wide DNS protection—ideal for offices, branch locations, and fixed environments. The sections that follow will walk you through each in detail.
Local Infrastructure Configuration
Update your DNS settings to route traffic through HYAS’s Anycast DNS resolvers.
To do this:
Log in to your DHCP server, router, firewall, or internal DNS infrastructure.
Locate the DNS settings for the subnet or VLAN you want to protect.
Replace the current DNS resolver IPs with the following HYAS Anycast IPs:
Primary: 68.220.41.83
Secondary: 68.220.41.134
Save and apply changes.
Reboot or renew IP leases on client devices, if needed, to ensure they pick up the new DNS settings.
HYAS uses Anycast routing, so these IPs will automatically direct queries to the nearest and best-performing resolver node, ensuring speed, uptime, and redundancy.
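The prerequisites require that no client is hardcoded to another DNS server and that UDP and TCP port 53 to the HYAS resolver IPs is allowed. The following added example (not HYAS code) checks both conditions against firewall egress logs; the log format, the client addresses and the function name `audit_dns_egress` are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# HYAS Protect Anycast resolver IPs, as listed on this page.
HYAS_RESOLVERS = {"68.220.41.83", "68.220.41.134"}

# Constructed sample of firewall egress log lines (the format is an assumption).
SAMPLE_LOG = """\
2024-05-01T09:00:01Z ALLOW udp 10.1.20.15:51514 -> 68.220.41.83:53
2024-05-01T09:00:02Z ALLOW tcp 10.1.20.15:40222 -> 68.220.41.134:53
2024-05-01T09:00:03Z DENY tcp 10.1.20.16:40555 -> 68.220.41.83:53
2024-05-01T09:00:04Z ALLOW udp 10.1.20.44:53211 -> 8.8.8.8:53
2024-05-01T09:00:05Z ALLOW udp 10.1.20.44:53212 -> 8.8.8.8:53
2024-05-01T09:00:06Z DENY udp 10.1.30.7:49999 -> 1.1.1.1:53
2024-05-01T09:00:07Z ALLOW tcp 10.1.20.15:40300 -> 203.0.113.50:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>udp|tcp) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def audit_dns_egress(log_text, resolvers=HYAS_RESOLVERS):
    """Find clients using other resolvers and DNS to HYAS that the firewall denies."""
    alternate = defaultdict(set)  # client -> non-HYAS resolvers it queried
    blocked = set()               # (client, proto) denied on the way to HYAS
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["dport"] != "53":
            continue  # not a parsable line, or not DNS on port 53
        if m["dst"] not in resolvers:
            alternate[m["src"]].add(m["dst"])
        elif m["action"] == "DENY":
            blocked.add((m["src"], m["proto"]))
    return {
        "alternate_dns": {c: sorted(d) for c, d in alternate.items()},
        "blocked_to_hyas": sorted(blocked),
    }

if __name__ == "__main__":
    print(audit_dns_egress(SAMPLE_LOG))
```

Clients listed under `alternate_dns` are not covered by the resolver deployment until their DNS settings are corrected. Port 53 logs do not show DNS over HTTPS or DNS over TLS, so an empty result only covers plain DNS.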
Configure Source Networks in the HYAS Portal
HYAS Protect needs to know which DNS queries belong to which organization so it can apply the correct settings and policies.
To do this:
Go to apps.hyas.com and log in with your admin credentials.
In the left navigation menu, go to Source Network Management.
Click Source Network + to create a new source network
Enter the public IP address(es) or CIDR block(s) that your DNS traffic will be coming from.
These should be the external IPs your network presents to the internet when sending DNS queries.
Name your Source Network for easy future reference.
Save your changes.
This step ensures HYAS Protect correctly identifies your DNS traffic and applies the right policies, logging, and enforcement logic.
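Because Source Networks are matched on the external IPs your network presents, two common mistakes are entering internal ranges and leaving an egress IP undefined. The following added example (not HYAS code) checks a planned set of entries before you type them into the portal; the network names, the address ranges (documentation ranges) and the function names are constructed assumptions, and overlaps are only flagged for review since this page does not say how the portal treats them.

```python
import ipaddress
from itertools import combinations

# Address space that never appears as a public egress IP
# (RFC 1918, CGNAT, loopback, link-local).
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed example entries: {source network name: [CIDR, ...]}.
SOURCE_NETWORKS = {
    "HQ": ["203.0.113.10/32"],
    "Branch-East": ["198.51.100.0/28"],
    "Lab": ["10.20.0.0/16"],            # mistake: internal range
    "Guest-WiFi": ["198.51.100.8/29"],  # overlaps Branch-East
}
# Constructed egress IPs, e.g. taken from your NAT configuration.
OBSERVED_EGRESS = ["203.0.113.10", "198.51.100.9", "192.0.2.77"]

def parse(entries):
    """Flatten {name: [cidr, ...]} into [(name, network), ...]."""
    return [(name, ipaddress.ip_network(c, strict=False))
            for name, cidrs in entries.items() for c in cidrs]

def validate(entries):
    """Return human-readable problems: internal ranges and overlapping entries."""
    nets = parse(entries)
    problems = []
    for name, net in nets:
        if any(net.overlaps(i) for i in INTERNAL):
            problems.append(f"{name}: {net} is internal address space")
    for (n1, a), (n2, b) in combinations(nets, 2):
        if n1 != n2 and a.overlaps(b):
            problems.append(f"{n1} {a} overlaps {n2} {b}")
    return problems

def coverage(egress_ips, entries):
    """Map each egress IP to the source networks containing it ([] = undefined)."""
    nets = parse(entries)
    return {ip: sorted({n for n, net in nets if ipaddress.ip_address(ip) in net})
            for ip in egress_ips}

if __name__ == "__main__":
    print(validate(SOURCE_NETWORKS))
    print(coverage(OBSERVED_EGRESS, SOURCE_NETWORKS))
```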
Resolver Deployment Checklist & Verification
Use this checklist to confirm that your HYAS Protect Resolver deployment is fully configured and operating as expected. These steps ensure DNS traffic is properly routed through HYAS and that visibility and enforcement are functioning correctly.
- Local Infrastructure Configured
DNS settings (e.g., DHCP, router, firewall) are updated to point to HYAS Protect’s Anycast resolvers
- Source Networks Defined
Public IPs or CIDR blocks have been added in the HYAS Portal under Source Network Management
- DNS Traffic Visible in Log View
DNS queries from your network appear in the HYAS Protect Log View interface, confirming traffic is reaching the platform
- Enable Blocking Mode (Optional)
By default, the HYAS Protect Resolver is in Inspection Mode (non-blocking). Enable Protection Mode (blocking) if you wish to block queries at the resolver level.
Configuring Policies
Now that you’ve successfully deployed HYAS Protect, your environment is already safeguarded against malicious domains—including phishing sites, malware delivery networks, and command-and-control (C2) infrastructure (among others). These threats are blocked by default using HYAS’s infrastructure intelligence and real-time decision engine.
If you'd like to customize your protection further, you can configure additional policies—such as blocking unwanted content categories, managing allow/block lists, or tailoring behavior by source network or user group.