If DNS Filtering is not controlling access to domains as intended, the cause may be a configuration or caching issue, a browser setting conflict, unmet system or network requirements, or domains missing from the allow list.
DNS activity and error messages are logged in the following files:
- C:\ProgramData\Malwarebytes Endpoint Agent\Logs\dnscrypt-proxy.log
- C:\ProgramData\Malwarebytes Endpoint Agent\Logs\mbdnsfilter.log
- C:\ProgramData\Malwarebytes Endpoint Agent\Logs\EndpointAgent.txt
Symptoms
Domains not filtered on the endpoint as configured:
- No domains are being filtered.
- Domains aren't filtered as expected after updating a DNS rule.
- Access to a domain is allowed but content is missing or loads slowly.
- Windows or Office365 not functioning properly.
- Domain is categorized as Unverified or other category.
Environments
- OneView
Causes and resolutions
Meet minimum requirements
Cause: Endpoints running the endpoint agent do not meet the minimum system requirements for DNS Filtering.
Resolution: Update the endpoint to a supported operating system for DNS Filtering. For more information, see Requirements for DNS Filtering.
Install minimum software component versions
Cause: The endpoint is not running the minimum software component versions for DNS Filtering.
Component | Version |
Engine | Minimum 1.2.0.974 |
Endpoint Service | Minimum 1.2.0.530 |
Protection Service | Minimum 4.5.8.191 |
Component Package | Minimum 1.0.1666 |
Resolution: Update the software on the endpoint to the minimum component versions. For more information, see OneView endpoint software update May 5, 2022.
Missing DNS Content Filtering component
Cause: The DNS Content Filtering component is missing from the following locations:
- Endpoint Overview and Agent Information in OneView.
- The Endpoint Agent About window. To access, right-click the system tray icon on the endpoint.
Resolution: Check the following:
- The endpoint is communicating with Nebula. For more information, see Network access requirements and firewall settings for OneView.
- The endpoint is in the correct group.
- The group is assigned the correct policy.
- The DNS rule has the correct policy included.
- The mbdnsfilter and dnscrypt-proxy services are running and not suppressed by other security products. For more information, see the following:
DNS over HTTPS (DoH) bypassing DNS Filtering
Cause: Windows DNS over HTTPS (DoH) and browser DoH settings are bypassing DNS Filtering.
Resolution: Disable Windows and browser DoH settings. For more information, see Requirements for DNS Filtering in OneView.
Microsoft Edge default settings modified
Cause: Microsoft Edge settings were changed from their default values.
Resolution: Disable the following Microsoft Edge settings:
- SmartScreen DNS Requests (SmartScreenDnsRequestsEnabled): This is used to send DNS requests to SmartScreen to detect nefarious websites.
- DNS over HTTPS Mode (DnsOverHttpsMode): This disables the internal DNS within Microsoft Edge over HTTPS connections.
- Built-in DNS Client (BuiltInDnsClientEnabled): This also disables internal DNS within Microsoft Edge.
- DNS Interception Checks (DNSInterceptionChecksEnabled): This is a security feature that stops DNS proxies from working; they may redirect unsuspecting users to nefarious websites.
- Network Prediction (NetworkPredictionOptions): This controls DNS prefetching, TCP and SSL preconnection, and prerendering of web pages.
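To confirm how an endpoint is actually configured, the five policies above can be read from the registry. This is an added example, not part of the original article: the policy key paths and the "disabled" values (0, 'off', 2) are assumptions taken from Microsoft's Edge policy documentation, and Get-EdgeDnsPolicyState is a hypothetical helper name.

```powershell
# Added example: audit the Edge policies named above against the values that
# turn each feature off. Expected values are assumptions from Microsoft's Edge
# policy documentation; the original article does not list them.
$expected = [ordered]@{
    SmartScreenDnsRequestsEnabled = 0      # 0 = do not send DNS requests to SmartScreen
    DnsOverHttpsMode              = 'off'  # 'off' | 'automatic' | 'secure'
    BuiltInDnsClientEnabled       = 0      # 0 = use the operating system resolver
    DNSInterceptionChecksEnabled  = 0      # 0 = do not run DNS interception checks
    NetworkPredictionOptions      = 2      # 2 = never predict (no DNS prefetching)
}

# HKLM (machine policy) is checked first, then HKCU (user policy).
$policyKeys = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge',
              'HKCU:\SOFTWARE\Policies\Microsoft\Edge'

function Get-EdgeDnsPolicyState {
    foreach ($name in $expected.Keys) {
        $found = $null
        foreach ($key in $policyKeys) {
            $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
            if ($null -ne $prop) {
                $found = [pscustomobject]@{ Key = $key; Value = $prop.$name }
                break
            }
        }
        [pscustomobject]@{
            Policy   = $name
            Source   = if ($found) { $found.Key } else { '(not set)' }
            Actual   = if ($found) { $found.Value } else { $null }
            Expected = $expected[$name]
            # A policy that is not set leaves Edge on its default, so it is reported as not Ok
            Ok       = [bool]($found -and "$($found.Value)" -eq "$($expected[$name])")
        }
    }
}

Get-EdgeDnsPolicyState | Format-Table -AutoSize
```

A row with Source "(not set)" means the setting is not enforced by policy and must be checked in the browser itself.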
Browser cache retaining block result
Cause: The domain may have been allowed or blocked prior to adjusting any DNS rules and the results are cached.
Resolution: Flush your Windows and browser cache.
- Windows
  - Run Command Prompt as an administrator.
  - Type ipconfig /flushdns and press Enter.
- Chrome
- Firefox
- Edge
System time incorrect
Cause: System time on the endpoint is not correct.
Resolution: Adjust your system time to accurately reflect the current time.
Content hosted and blocked under additional domains
Cause: Content may be hosted under a different domain not included in the Allow List.
Resolution: Identify and add missing domains to the Allow List.
- In the left navigation menu, go to Monitor > DNS Filtering.
- Under the Outcome column, filter results by Block.
- Under the Endpoint column, filter results by the endpoint experiencing the issue.
- Identify additional domains that need to be added to the Allow List.
- Update the allow list for each rule as required.
Domain is blocked as Unreachable
Cause: Domain is unexpectedly blocked.
Resolution: Review the block details and perform one of the following tasks:
- Check the DNS activity page and update the affected DNS rule:
  - In the left navigation menu, go to Monitor > DNS Filtering.
  - Under the Outcome column, filter results by Block.
  - Under the Endpoint column, filter results by the endpoint experiencing the block.
  - Note each category listed under the Category column for the blocked domain.
    - If the category is Unreachable, this may be because the DNS lookup of a parent CNAME fails. A missing record results in the child domain being categorized as Unreachable.
      - Check that the domain and its parents have valid CNAME records.
  - Remove these categories from the affected DNS rule or add the blocked domain to the allow list of the DNS rule.
- Send feedback to Cloudflare.
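One way to check the CNAME records for an Unreachable domain is to follow the chain hop by hop and report the first name that fails to resolve. This is an added example, not part of the original article: Test-CnameChain is a hypothetical helper, www.example.com is a placeholder, and the optional -Server parameter is there so the lookup can be sent to a specific resolver instead of the endpoint's default.

```powershell
# Added example: follow the CNAME chain for a name and report where it breaks.
function Test-CnameChain {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$Server,        # optional resolver to query instead of the system default
        [int]$MaxDepth = 10     # guard against CNAME loops
    )
    $current = $Name.TrimEnd('.')
    for ($hop = 0; $hop -lt $MaxDepth; $hop++) {
        $query = @{ Name = $current; Type = 'CNAME'; DnsOnly = $true; ErrorAction = 'Stop' }
        if ($Server) { $query.Server = $Server }
        try {
            $cname = Resolve-DnsName @query |
                Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
        } catch {
            # NXDOMAIN, SERVFAIL or timeout: this is the link that breaks the chain
            return [pscustomobject]@{
                Name = $Name; Hops = $hop; FailedAt = $current; Error = $_.Exception.Message
            }
        }
        if (-not $cname) { break }   # no further CNAME: $current is the final target
        $current = $cname.NameHost.TrimEnd('.')
    }
    # The final target must resolve to an address for the chain to be usable
    $final = @{ Name = $current; Type = 'A_AAAA'; DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
    if ($Server) { $final.Server = $Server }
    $addr = Resolve-DnsName @final | Where-Object { $_.IPAddress }
    [pscustomobject]@{
        Name     = $Name
        Hops     = $hop
        FailedAt = if ($addr) { $null } else { $current }
        Error    = if ($addr) { $null } else { 'final target has no A or AAAA record' }
    }
}

# www.example.com is a placeholder; use the domain shown as Unreachable
Test-CnameChain -Name 'www.example.com'
```

An empty FailedAt means every link in the chain resolved; otherwise FailedAt names the record to fix or report.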
Microsoft services blocked
Cause: Microsoft services are included in the blocked categories of the DNS rule.
Resolution: Add the following domains to the allow list or global exclusions.
Domain | Categories | Description |
www.msftconnectiontest.com ip6.msftconnectiontest.com | Technology > Content Servers | Allows Windows to report in the System Tray that there is an internet connection. |
windowsupdate.com | Business > Business Technology > Information Technology | Allows Windows to update. |
client.wns.windows.com cns.msftcsi.com time.windows.com portal.office.com siscr.update.com edgedl.me.gvt1.com www.microsoft.com outlook.office365.com officeclient.microsoft.com rms.na.aadrm.com | Ads > Advertisements Business > Business Internet Communication > Webmail Technology > APIs Technology > Content Servers Technology > Information Technology Technology > Technology | Services used for Office365 registration, license, validation, profile lookup, etc. |