Website not being blocked by DNS Filtering

This guide addresses cases where a website expected to be blocked by ThreatDown DNS Filtering remains accessible (e.g., no block page appears, site loads normally). DNS Filtering blocks domains based on categories, custom lists (domains/IPs), or rules, but misconfigurations, missing components, or bypasses can prevent blocking.

Key Concepts:

• DNS Filtering intercepts DNS queries via the DNS Content Filtering plugin and services (mbdnsfilter, dnscrypt-proxy).
• It requires proper policy assignment, rule configuration, plugin installation, service operation, and no conflicting browser settings.
• For reference, see: Troubleshoot DNS Filtering in Nebula, Requirements for DNS Filtering in Nebula, Test DNS Filtering in Nebula.

Before Starting:

• Confirm the endpoint is online in the console and communicating.
• Test the site from the affected endpoint (not a different device/network).
• Note the exact URL/domain and check if it's blocked when using a mobile hotspot instead of your current network

Resolution

Work through the following tasks in order until the issue is resolved.

Task 1: Verify Policy Assignment

DNS Filtering only applies if the endpoint uses a policy with an active DNS rule.

1. In the console, go to Manage > Endpoints.
2. Search for the endpoint.
3. Check and note the endpoint's policy in the Policy column (if hidden: Click Add/Remove columns > enable Policy).
4. Go to Monitor > DNS Filtering > Rules tab.
5. Locate the endpoint's policy in the Policies column.
6. Verify the DNS Filtering rule is correct and enabled.
   • If not, edit the rule to include the policy, or move the endpoint to the correct group and policy

Task 2: Verify DNS Filtering Rule Configuration

Blocking occurs via one of three methods — ensure at least one applies to the site.

1. In Monitor > DNS Filtering > Rules tab, open your rule.
2. Blocked Categories:
   • In the Block List section, verify relevant Content or Security categories are selected (e.g., Gambling, Adult, Malware).
   • To check a site's category, use the ThreatDown Domain Categorization tool in the top-right. Enter the domain and see the assigned categories.
   • If mismatched: Add the correct category to Block List.
3. Custom Domain/URL Blocks:
   • Check Block List for exact matches: subdomain (e.g., bad.example.com), domain (example.com), or TLD (*.example.com).
   • Add if missing (supports FQDN or partial; single-label domains not supported).
4. IP Address Blocks:
   • If the site resolves to a known IP, add the IP address to the Block List.
   • Note: DNS Filtering primarily targets domains; IP blocks help for direct IP access or resolution bypasses.
5. Save rule changes and force a sync. Go to Endpoints > select affected endpoints > Actions > Check for Protection Updates.

Task 3: Verify DNS Content Filtering Plugin is Installed

The plugin enables DNS interception.

• Console Check:
  1. Go to Endpoints > click endpoint name > pop-out details.
  2. Under Agent and plugins, confirm DNS Content Filtering is listed.
• Local Check (Windows):
  1. Hold Ctrl + right-click ThreatDown tray icon > About.
  2. Look for DNS Content Filtering.
• If Missing: See Missing DNS Content Filtering component
  • Common fixes: Reinstall agent, check requirements, force agent update.

Task 4: Verify DNS Filtering Services are Running (Windows)

1. Open Command Prompt as Administrator.

2. Run:

   sc query mbdnsfilter

   sc query dnscrypt-proxy

3. Both should show STATE: 4 RUNNING.
   • If missing/not running: Likely fails minimum requirements (e.g., unsupported OS, missing components).
   • Check Requirements for DNS Filtering in Nebula:
     • Supported OS (e.g., Windows 10/11, specific servers).
     • Active subscription (Incident Response, Endpoint Protection, or EDR).
     • No single-label domains in rules.
   • Restart services if stopped: sc start mbdnsfilter, etc.
   • If persistent: Reinstall agent or contact support.

Task 5: Disable DNS over HTTPS (DoH) / Secure DNS in Browsers

Browsers bypassing system DNS (via DoH) can evade filtering.

• Chrome/Edge:
  • Settings > Privacy and security > Security > Use secure DNS > Turn off (or set to system provider).
• Firefox:
  • Settings > General > Network Settings > Enable DNS over HTTPS > Off.
• Other Browsers: Check documentation for "Secure DNS" or "DoH" settings.
• Test in Incognito/Private mode after changes.

Task 6: Additional Checks and Escalation

• Clear DNS cache: ipconfig /flushdns (Windows) or restart browser/machine.
• Test rule: Try a known blocked test domain (e.g., if category blocked, use a site in that category).
• If still not blocking:
  1. Enable debug logging
  2. Reproduce access attempt.
  3. Collect endpoint diagnostic logs
  4. Contact ThreatDown support
  5. Provide support with the rule details, endpoint info (OS/agent version), logs, site URL,and  category lookup.

Temporary Workaround (if urgent block needed):

• Add the domain/IP explicitly to Block List and re-test.
• Use Web Protection exclusions cautiously (not for DNS).

DNS Filtering issues often resolve with policy/rule verification or plugin/service checks.