Once you've configured your DNS Filtering rules and applied them to a policy in Nebula, a plugin is installed across endpoints assigned with the policy. The installed plugin monitors your network traffic and blocks access to restricted categories set in your DNS Filtering rule.
We recommend creating a test DNS Filtering rule against a small number of endpoints before a broader deployment:
- Create a test policy called DNS Test Policy.
- Create a test group called DNS Test Group with the test policy assigned.
- Create a DNS Filtering Rule with the test policy assigned.
- Move an endpoint into the test group.
- The DNS plugin should download immediately and be visible in the console.
- Go to Manage > Endpoints.
- Click on the endpoint that was moved.
- Confirm the DNS Content Filtering plugin is in the Agent and plugins section.
- If the plugin is not displayed, see Troubleshoot DNS Filtering in Nebula.
- The DNS plugin should download immediately and be visible in the console.
- Monitor the DNS Filtering activity dashboard for blocked and allowed DNS lookups.
- Modify the rule to add Categories, and Allow or Block specific domains as required.
If you want to locally test your endpoints to verify the module plugin is installed and working, use the following DNS Filtering category links in the table below.
Test URLs
Category | Test Link |
Malware |
https://malware.testcategory.com |
Phishing |
https://phishing.testcategory.com |
Cryptomining |
https://cryptomining.testcategory.com |
Anonymizing |
https://anonymizing.testcategory.com |
Command and Control & Botnet |
https://commandandcontrolandbotnet.testcategory.com |
New Domains |
https://newdomains.testcategory.com |
Spam |
https://spam.testcategory.com |
Spyware |
https://spyware.testcategory.com |
If a block page does not appear, verify your DNS Filtering configuration or check the status of the installed services.
Check service status
To verify the services are installed and running:
- Open Command Prompt as an administrator
- Run sc query mbdnsfilter
- Run sc query dnscrypt-proxy
Note: If the services are missing or domains are still not being filtered properly, see Troubleshoot DNS Filtering in Nebula.
Return to Nebula DNS Filtering guide.