Issue
Web Protection conflicting with DNS servers.
Environments
- Windows DNS Servers
Symptoms
- DNS lookups for workstations and servers fail.
- Endpoints are not reporting blocked web detections.
Cause
The Web Protection layer is not supported on DNS servers. For more information on supported layers for different Windows Server roles, see Configure Nebula for Windows server roles.
Resolution
There are two possible resolutions for this scenario.
- Option 1
- Disable the Web Protection layer in the corresponding DNS server's Nebula policy.
Note: It is recommended to only disable Web Protection for the intended endpoint. For maximum protection of endpoints, ensure that the DNS server is in a separate group and policy with Web Protection disabled. For more information, see Overview of policies and groups in Nebula.
- Option 2
- Keep Web Protection enabled, but add a Web Monitoring exclusion in Nebula for the DNS executable path. This exclusion allows DNS to continue performing lookups, while the real-time Web Protection layer continues to protect the server from other processes.
- In Nebula, go to Configure > Exclusions.
- Click New exclusion.
- Enter the value C:\Windows\System32\dns.exe and click Validate.
- Change the Type to Web Monitoring.
- Click Save.
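The following PowerShell check is an added example, not part of the original article or of Malwarebytes tooling. Run on the DNS server, it confirms that the DNS Server service binary matches the exclusion value entered above and that lookups against the local server succeed after the policy change. The test names and the use of 127.0.0.1 as the query target are assumptions.

```powershell
# Added example: run on the Windows DNS server in an elevated PowerShell session.
# $ExclusionPath is the value from the article; $TestNames are constructed sample names.
$ExclusionPath = 'C:\Windows\System32\dns.exe'
$TestNames     = @('example.com', 'example.org')

function Get-DnsServiceBinaryPath {
    # The DNS Server role runs as the Windows service named "DNS".
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='DNS'"
    if (-not $svc) { throw 'DNS Server service not found; is this host a DNS server?' }
    # PathName may be quoted or carry arguments; keep only the executable path.
    $raw = $svc.PathName.Trim()
    if ($raw -match '^"([^"]+)"') { $path = $Matches[1] }
    else { $path = ($raw -split '\s+')[0] }
    [Environment]::ExpandEnvironmentVariables($path)
}

function Test-LocalDnsLookup {
    param([string[]]$Names)
    foreach ($name in $Names) {
        try {
            # Query the local DNS service directly (assumes it listens on loopback).
            Resolve-DnsName -Name $name -Server 127.0.0.1 -DnsOnly -QuickTimeout -ErrorAction Stop | Out-Null
            [pscustomobject]@{ Name = $name; Resolved = $true;  Error = $null }
        } catch {
            [pscustomobject]@{ Name = $name; Resolved = $false; Error = $_.Exception.Message }
        }
    }
}

# 1. The exclusion only helps if it names the binary the service actually runs.
$actual = Get-DnsServiceBinaryPath
[pscustomobject]@{
    ServiceBinary  = $actual
    ExclusionValue = $ExclusionPath
    PathsMatch     = ($actual -ieq $ExclusionPath)   # case-insensitive compare
}

# 2. Lookups through the local server should succeed once the policy has applied.
Test-LocalDnsLookup -Names $TestNames
```

If PathsMatch is False, enter the reported ServiceBinary path in the exclusion instead of widening the exclusion to a folder or wildcard.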