If DNS Filtering is not controlling access to domains as intended, or is blocking Microsoft services, the cause may be a configuration or caching issue, a browser setting conflict, unmet system or network requirements, or domains missing from the allow list.
DNS activity and error messages are logged in the following files:
- C:\ProgramData\Malwarebytes Endpoint Agent\Logs\dnscrypt-proxy.log
- C:\ProgramData\Malwarebytes Endpoint Agent\Logs\mbdnsfilter.log
- C:\ProgramData\Malwarebytes Endpoint Agent\Logs\EndpointAgent.txt
Symptoms
Domains not filtered on the endpoint as configured:
- No domains are being filtered.
- Domains aren't filtered as expected after updating a DNS rule.
- Access to a domain is allowed but content is missing or loads slowly.
- Windows or Office365 not functioning properly.
- A domain is blocked unexpectedly or categorized as Unreachable.
Environments
- Nebula
Causes and resolutions
Meet minimum requirements
Cause: Endpoints running the endpoint agent do not meet the minimum system requirements for DNS Filtering.
Resolution: Update the endpoint to a supported operating system for DNS Filtering. For more information, see Requirements for DNS Filtering in Nebula.
Install minimum software component versions
Cause: The endpoint is not running the minimum software component versions for DNS Filtering.
Component | Version |
Engine | Minimum 1.2.0.974 |
Endpoint Service | Minimum 1.2.0.530 |
Protection Service | Minimum 4.5.8.191 |
Component Package | Minimum 1.0.1666 |
Resolution: Update the Nebula software on the endpoint to the minimum component versions. For more information, see Nebula endpoint software update May 5, 2022.
Missing DNS Content Filtering component
Cause: The DNS Content Filtering component is missing from the following locations:
- Endpoint Overview and Agent Information in Nebula.
- The Endpoint Agent About window. To access, right-click the system tray icon on the endpoint.
Resolution: Check the following:
- The endpoint is communicating with Nebula. For more information, see Network access requirements and firewall settings for Nebula.
- The endpoint is in the correct group.
- The group is assigned the correct policy.
- The DNS rule has the correct policy included.
- The mbdnsfilter and dnscrypt-proxy services are running and not suppressed by other security products. For more information, see the following:
DNS over HTTPS (DoH) bypassing DNS Filtering
Cause: Windows DNS over HTTPS (DoH) and browser DoH settings are bypassing DNS Filtering.
Resolution: Disable Windows and browser DoH settings. For more information, see Requirements for DNS Filtering in Nebula.
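
To see where DoH is still possible on an endpoint, the read-only audit below checks the machine-wide DoH policies for Edge, Chrome and Firefox, then lists any DNS server in use that Windows is set to upgrade to DoH. It is an added example, not Malwarebytes tooling; the helper name Get-DohPolicyState and the state labels are made up for this illustration.

```powershell
# Added example: read-only audit of DoH-related settings on a Windows endpoint.
# Machine-wide browser policy values; 'off' / 0 means DoH is disabled by policy.
$checks = @(
    @{ Name = 'Edge';    Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge';               Value = 'DnsOverHttpsMode'; Off = 'off' },
    @{ Name = 'Chrome';  Path = 'HKLM:\SOFTWARE\Policies\Google\Chrome';                Value = 'DnsOverHttpsMode'; Off = 'off' },
    @{ Name = 'Firefox'; Path = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS'; Value = 'Enabled';          Off = 0 }
)

function Get-DohPolicyState {
    param([Parameter(Mandatory)][hashtable]$Check)
    $item = Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # No policy set: the browser uses its own default or whatever the user selected.
        $current = $null
        $state   = 'NotConfigured (user-controlled)'
    } else {
        $current = $item.($Check.Value)
        $state   = if ($current -eq $Check.Off) { 'DisabledByPolicy' } else { 'DoHAllowed' }
    }
    [pscustomobject]@{ Component = $Check.Name; Setting = $Check.Value; Current = $current; State = $state }
}

$report = foreach ($c in $checks) { Get-DohPolicyState -Check $c }
$report | Format-Table -AutoSize

# Windows client DoH: the cmdlet is present only on builds with DoH support.
if (Get-Command Get-DnsClientDohServerAddress -ErrorAction SilentlyContinue) {
    # DNS servers configured on any interface of this endpoint.
    $inUse = @((Get-DnsClientServerAddress).ServerAddresses | Sort-Object -Unique)
    # Of those, the ones Windows will automatically upgrade to DoH.
    Get-DnsClientDohServerAddress |
        Where-Object { $inUse -contains $_.ServerAddress -and $_.AutoUpgrade } |
        Select-Object ServerAddress, AutoUpgrade, AllowFallbackToUdp, DohTemplate
} else {
    Write-Output 'Get-DnsClientDohServerAddress is not available on this Windows build.'
}
```

Any row reported as NotConfigured or DoHAllowed, and any server listed by the second check, is a setting to review against the DoH requirements.
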
Microsoft Edge default settings modified
Cause: Microsoft Edge settings were changed from their default values.
Resolution: Change the following Microsoft Edge settings back to their default values:
- Disable Microsoft Defender SmartScreen: This is used to send DNS requests to SmartScreen to detect nefarious websites.
- Disable Use secure DNS to specify how to lookup the network address for sites: This disables the internal DNS within Microsoft Edge over HTTPS connections.
- Set Tracking prevention to Balanced: This blocks trackers from sites you haven't visited.
- Disable Preload pages for faster browsing and searching: This controls DNS prefetching, TCP and SSL preconnection, and prerendering of web pages.
For more information, see How to manage your privacy settings in Microsoft Edge.
Browser cache retaining block result
Cause: The domain may have been allowed or blocked prior to adjusting any DNS rules and the results are cached.
Resolution: Flush your Windows and browser cache.
- Windows
  - Run Command Prompt as an administrator.
  - Type ipconfig /flushdns and press Enter.
- Chrome
- Firefox
- Edge
System time incorrect
Cause: System time on the endpoint is not correct.
Resolution: Adjust your system time to accurately reflect the current time.
Content hosted and blocked under additional domains
Cause: Content may be hosted under a different domain not included in the Allow List.
Resolution: Identify and add missing domains to the Allow List.
- In the left navigation menu, go to Monitor > DNS Filtering.
- Under the Outcome column, filter results by Block.
- Under the Endpoint column, filter results by the endpoint experiencing the issue.
- Identify additional domains that need to be added to the Allow List.
- Update the allow list for each rule as required.
Domain is blocked as Unreachable
Cause: Domain is unexpectedly blocked or categorized as Unreachable.
Resolution: Review the block details and perform one of the following tasks:
- Check the DNS activity page and update the affected DNS rule:
- In the left navigation menu, go to Monitor > DNS Filtering.
- Under the Outcome column, filter results by Block.
- Under the Endpoint column, filter results by the endpoint experiencing the block.
- Note each category listed under the category column for the blocked domain.
- If the category displays the Unreachable category, this may be because the DNS lookup resolution of a parent CNAME fails. A missing record will result in the child domain being categorized as Unreachable.
- Check that the domain and its parents have valid CNAME records.
- Remove these categories from the affected DNS rule or add the blocked domain to the allow list of the DNS rule.
- Send feedback to Cloudflare.
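
One way to carry out the CNAME check described above is to follow the alias chain hop by hop and report the name at which resolution stops. This is an added example, not part of the Malwarebytes documentation; the function name Test-CnameChain, its parameters and the domain www.example.com are placeholders, and the result reflects only the resolver that is queried.

```powershell
# Added example: follow a domain's CNAME chain and report the hop that fails.
function Test-CnameChain {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$Server,          # optional resolver; default is the system resolver
        [int]$MaxDepth = 10       # guards against CNAME loops
    )
    $common = @{ DnsOnly = $true; ErrorAction = 'Stop' }
    if ($Server) { $common.Server = $Server }

    $current = $Name.TrimEnd('.')
    $chain   = @($current)
    for ($hop = 0; $hop -lt $MaxDepth; $hop++) {
        try {
            $records = @(Resolve-DnsName -Name $current -Type CNAME @common)
        } catch {
            # NXDOMAIN, SERVFAIL or timeout on this hop: the chain is broken here.
            return [pscustomobject]@{ Name = $Name; Chain = $chain -join ' -> '; FailedAt = $current
                                      Status = "CNAME lookup failed: $($_.Exception.Message)" }
        }
        $cname = $records | Where-Object { $_.Section -eq 'Answer' -and $_.Type -eq 'CNAME' } |
                 Select-Object -First 1
        if (-not $cname) { break }                 # no further alias: end of chain
        $current = $cname.NameHost.TrimEnd('.')
        $chain  += $current
    }
    if ($hop -ge $MaxDepth) {
        return [pscustomobject]@{ Name = $Name; Chain = $chain -join ' -> '; FailedAt = $current
                                  Status = "Chain longer than $MaxDepth hops (possible loop)" }
    }
    # The final target must resolve to at least one address record.
    $addresses = @(foreach ($type in 'A', 'AAAA') {
        try {
            Resolve-DnsName -Name $current -Type $type @common |
                Where-Object { $_.Section -eq 'Answer' -and $_.Type -eq $type } |
                ForEach-Object IPAddress
        } catch { }                                # a missing record type is not fatal by itself
    })
    $ok = $addresses.Count -gt 0
    [pscustomobject]@{ Name = $Name; Chain = $chain -join ' -> '
                       FailedAt = $(if ($ok) { $null } else { $current })
                       Status   = $(if ($ok) { 'OK' } else { 'Final target has no A/AAAA record' }) }
}

Test-CnameChain -Name 'www.example.com' | Format-List
```

The FailedAt value is the name whose record needs to be checked or repaired.
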
Microsoft services blocked
Cause: Microsoft services are included in the blocked categories of the DNS rule.
Resolution: Add the following domains to the allow list or global exclusions.
Domain | Categories | Description |
www.msftconnectiontest.com, ip6.msftconnectiontest.com | Technology > Content Servers | Allows Windows to report in the System Tray that there is an internet connection. |
windowsupdate.com | Business & Economy > Business Technology > Information Technology | Allows Windows to update. |
client.wns.windows.com, cns.msftcsi.com, time.windows.com, portal.office.com, siscr.update.com, edgedl.me.gvt1.com, www.microsoft.com, outlook.office365.com, officeclient.microsoft.com, rms.na.aadrm.com | Ads > Advertisements; Business > Business; Internet Communication > Webmail; Technology > APIs; Technology > Content Servers; Technology > Information Technology; Technology > Technology | Services used for Office365 registration, license, validation, profile lookup, etc. |
Return to Nebula DNS Filtering guide.