Issue
The custom block pages configured for DNS Filtering are failing to appear. Users instead see browser warnings for insecure connections such as:
NET::ERR_CERT_AUTHORITY_INVALID
Environments
- Windows
- macOS
- Nebula
Cause
Our DNS Filtering module includes an extension that relies on a certificate from our vendor-integrated solution, which is used to display block pages when a blocked domain is visited. The certificate expired on February 2, 2025.
Network traffic continues to be allowed and blocked as expected; however, custom block pages do not display.
Resolution
A hotfix was released for Windows endpoints on February 6, 2025, and for macOS endpoints on February 10, 2025, to update the certificate. This update is being rolled out over time. To expedite the update process:
- Log in to Nebula.
- Go to Manage > Endpoints.
- Select your endpoints.
- Go to Actions > Check for Agent Updates.
This issues a command to the endpoint to download and install the update within 72 hours. If the endpoint remains offline for 72 hours, the task expires and must be reissued.
To check if the update is installed:
- Go to an affected endpoint.
- Open the About window:
  - Windows: Hold Control and right-click on the ThreatDown agent icon in the system tray.
  - macOS: Hold Control and click on the ThreatDown agent icon in the menu bar.
- Click About.
- Verify the DNS Filtering Proxy Service displays the new version:
  - Windows: 2.1.88
  - macOS: 1.7.39
Trust new macOS certificate
The new certificate must be trusted by the operating system on macOS for it to take effect. This can be done individually on each endpoint or in bulk by using a Mobile Device Management (MDM) tool.
Use an MDM
Download the Threatdown Protection - DNS certificate.mobileconfig at the bottom of this article and upload it to your MDM. This allows you to trust the new certificate for your fleet of macOS endpoints without needing to visit each one individually or send the instructions to your users.
Manually trust certificate
If you don't use an MDM, follow the steps below to manually trust the certificate:
- Open Keychain Access.
- Go to System > Certificates.
- Double-click your certificate. The default Cloudflare certificate is named Cloudflare for Teams ECC Authority.
- Select Trust.
- Set When using this certificate to Always Trust.
For more information, see Change the trust settings of a certificate in Keychain Access on Mac.
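To confirm the result from a terminal on a macOS endpoint, the script below checks that the certificate named above is in the System keychain, is not expired, and is trusted. It is an added example, not vendor code; the 30-day warning window and the use of `security verify-cert` as the trust test are assumptions.

```shell
#!/bin/sh
# Added example (not vendor code): check the block-page certificate on macOS.
CERT_NAME="Cloudflare for Teams ECC Authority"   # name given in this article
KEYCHAIN="/Library/Keychains/System.keychain"
WARN_SECS=$((30 * 24 * 3600))                    # assumption: warn 30 days ahead

# Classify a PEM certificate file: expired | expiring | valid | unreadable.
cert_state() {
    pem="$1"; warn="${2:-$WARN_SECS}"
    openssl x509 -in "$pem" -noout >/dev/null 2>&1 || { echo unreadable; return; }
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -in "$pem" -noout -checkend "$warn" >/dev/null 2>&1; then
        echo expiring
    else
        echo valid
    fi
}

# Export the certificate from the System keychain and report expiry and trust.
check_endpoint() {
    tmp=$(mktemp) || return 2
    # Without -a, find-certificate returns only the first match, so a stale
    # copy with the same name can mask the new certificate.
    if ! security find-certificate -c "$CERT_NAME" -p "$KEYCHAIN" >"$tmp" 2>/dev/null \
        || [ ! -s "$tmp" ]; then
        echo "MISSING: $CERT_NAME not found in $KEYCHAIN"
        rm -f "$tmp"; return 1
    fi
    state=$(cert_state "$tmp")
    echo "expiry: $state ($(openssl x509 -in "$tmp" -noout -enddate))"
    # Assumption: verify-cert succeeding means the trust setting is in effect.
    if security verify-cert -c "$tmp" >/dev/null 2>&1; then
        trust=trusted
    else
        trust=untrusted
    fi
    echo "trust: $trust"
    rm -f "$tmp"
    [ "$state" = valid ] && [ "$trust" = trusted ]
}

# The security tool exists only on macOS; elsewhere only the functions load.
if [ "$(uname -s)" = Darwin ]; then
    check_endpoint || echo "ACTION: install the update and trust the new certificate"
fi
```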