DNSFilter Knowledge Base

Windows Roaming Client Troubleshooting

This guide is for troubleshooting any issues associated with the Roaming Client.

This guide assumes that the Tray Icon has been enabled at install time, which is contextually important for troubleshooting the Roaming Client.

If you are in the testing phase of deploying the Roaming Client, it's recommended to keep the Tray Icon enabled until initial issues which prevent wider deployment are resolved.

If you are beyond the testing phase of deploying the Roaming Client and do not have the Tray Icon enabled, all troubleshooting steps will need to be followed.

Conflicting Software

The first thing to check when diagnosing problems with the Roaming Client is software conflicts. Some applications have a known conflict with the Roaming Client, and their settings will need to be adjusted or the software turned off to ensure smooth operation.

Browsers, VPNs, and Security Software

Our Software Conflicts article has a list of software that we have identified will need to be adjusted for DNSFilter to work properly on your network and on Roaming Clients. Check this article to see if any of the applications listed are being used in your environment.

Hyper-V and Windows Defender Application Guard

Hyper-V cannot be installed on the same machine. When it is, Hyper-V runs its own DNS server bound to 0.0.0.0:53 (all interfaces), which prevents the Roaming Client system service from starting. Find out why Hyper-V is installed and whether any virtual machines actually run on it. You can check whether Hyper-V is installed by querying its Virtual Machine Management service:

SC QUERY vmms

If this service is present and running, you can uninstall Hyper-V with the following command from an elevated PowerShell prompt (a reboot is required to complete the removal):

Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All

If you are not running any virtual machines, it could be that a Windows Defender feature called Application Guard (which uses Hyper-V) is turned on. This feature uses Hyper-V to open untrusted sites in an isolated container in the Microsoft Edge browser. If you run an environment where Edge is your primary browser, you may want to consider switching to Chrome Enterprise.

If Application Guard is in use, you can disable it with the following command (you will also need to disable Hyper-V itself, using the command above):

Disable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard

Microsoft NCSI

In exceptional situations, after the client is installed, Windows will display a limited network connectivity indicator (a yellow triangle) on the network icon in the system tray.

Limited Connectivity

Here are a few possible causes and solutions:

  1. A limitation in NCSI, Microsoft's Network Connectivity Status Indicator. Since the Windows 10 Fall Creators Update (2017), this can be remedied by running the following line in an Administrative Command Prompt:
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\Windows\NetworkConnectivityStatusIndicator" /v UseGlobalDNS /t REG_DWORD /d 1 /f
  2. NCSI is blocked. This is especially likely if you have a heavily restricted policy. Whitelist the domain msftncsi.com in your policy. Windows 10 and later also perform the connectivity probe against www.msftconnecttest.com, so whitelist that domain as well.

Whitelisting msftncsi.com

Conflicting Hardware

USB Wi-Fi and HotSpots

Most USB-based Wi-Fi and HotSpot devices enforce their own DNS servers on the network adapter that is created when plugged in. As a result, they will likely not be compatible. Testing is encouraged.

Juniper SRX Firewall

If you are using the Juniper SRX Firewall, DNS Doctoring will need to be disabled, which is only possible from the command-line interface. More information is available in Juniper's documentation.

Roaming Client Malfunction

If you have checked for known software and hardware conflicts and believe that the Roaming Client is malfunctioning, there are a few troubleshooting steps that you can take:

Check Service Status (Started/Stopped)

The tray icon for the Roaming Client should be Blue or Green. If it is Red, the client is not actively filtering DNS queries, and there may be a problem with the system service. Verify the status of the service as follows:

  1. Press ⊞ Win + R to open the Run dialog. Type in services.msc and hit Enter.
  2. Scroll down to the service called DNSFilter Agent or DNS Agent (MSP Version). You may also check this via the command-line using:
SC QUERY "DNSFilter Agent"

or for the MSP version below:

SC QUERY "DNS Agent"

The Agent status should be "started" and "running". If the Agent is "stopped", you can restart it from the services menu or by running:

SC START "DNSFilter Agent"

or for the MSP version below:


SC START "DNS Agent"

Check Port Bindings

In addition to checking the service status of the Roaming Client, you will want to check that no other applications are binding to DNS ports on the local machine (127.0.0.X:53).

You can discover this by running the following command in an elevated Command Prompt (the -b switch, which shows the executable owning each binding, requires administrator rights):

netstat -ban | findstr :53 

The output below illustrates the ideal result of the command. The first line shows that the local listen address and port (TCP) 127.0.0.2:53 is listening for connections from any address (0.0.0.0:0). The LISTENING state shows that this port is actively bound by the Roaming Client and waiting for traffic. The second line shows the same thing for UDP (UDP is connectionless, so no state is shown). If other processes are listening on 127.0.0.X:53, or on 0.0.0.0:53 (all interfaces), there may be a port binding conflict between that software and the Roaming Client.

Netstat showing proper Roaming Client binding
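The following script is an added example, not DNSFilter's own tooling, that carries out the Hyper-V check, the service-status check and the port-binding check above in one pass. It reports the agent service state and starts it if stopped, reports whether Hyper-V's Virtual Machine Management service (vmms) is present, then lists every process bound to port 53 and flags anything that is not the agent, including a wildcard (0.0.0.0 or ::) bind of the kind Hyper-V creates. The two service names are the ones this article gives; the output format and the "CONFLICT" labels are choices made here. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not DNSFilter's own tooling). Run from an elevated PowerShell
# prompt. Service names come from the article; labels and format are this
# script's own choices.
#Requires -RunAsAdministrator

# Either service name may be installed (retail vs. MSP build); take whichever exists.
$svc = Get-Service -Name 'DNSFilter Agent', 'DNS Agent' -ErrorAction SilentlyContinue |
       Select-Object -First 1
if (-not $svc) { throw 'Neither "DNSFilter Agent" nor "DNS Agent" is installed.' }
"Service '{0}' is {1}" -f $svc.Name, $svc.Status
if ($svc.Status -ne 'Running') {
    Start-Service -Name $svc.Name
    "Started '{0}'" -f $svc.Name
}
# PID of the agent process, so its own bindings can be told apart from conflicts.
$agentPid = (Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'").ProcessId

# Hyper-V's management service; when Hyper-V is present it may own 0.0.0.0:53.
$vmms = Get-Service -Name vmms -ErrorAction SilentlyContinue
"Hyper-V (vmms): {0}" -f $(if ($vmms) { $vmms.Status } else { 'not installed' })

# Everything bound to port 53, TCP listeners and UDP endpoints alike.
$tcp = Get-NetTCPConnection -LocalPort 53 -State Listen -ErrorAction SilentlyContinue |
       Select-Object @{n='Proto';e={'TCP'}}, LocalAddress, OwningProcess
$udp = Get-NetUDPEndpoint -LocalPort 53 -ErrorAction SilentlyContinue |
       Select-Object @{n='Proto';e={'UDP'}}, LocalAddress, OwningProcess

$conflicts = 0
foreach ($ep in @($tcp) + @($udp)) {
    if (-not $ep) { continue }   # an empty result shows up as a single $null
    $proc = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue
    $name = if ($proc) { $proc.ProcessName } else { '?' }
    $tag  = 'CONFLICT: other listener'
    if ($ep.OwningProcess -eq $agentPid) { $tag = 'agent' }
    elseif ($ep.LocalAddress -in '0.0.0.0', '::') { $tag = 'CONFLICT: wildcard bind (blocks the agent)' }
    if ($tag -ne 'agent') { $conflicts++ }
    "{0} {1}:53  PID {2,-6} {3,-20} {4}" -f $ep.Proto, $ep.LocalAddress, $ep.OwningProcess, $name, $tag
}
"Port 53 listeners not owned by the agent: $conflicts"
```

A healthy machine prints only the agent's own 127.0.0.X:53 lines and a conflict count of 0. A wildcard line owned by a process other than the agent is the symptom the Hyper-V section describes; any other 127.0.0.X:53 listener is the port conflict the netstat check looks for.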

Check Transparent Proxying

If the service is started, and the Roaming Client ports are properly bound, you should check to see if DNS requests are being proxied on your network or by your ISP. Our Transparent Proxying article goes into detail on this subject.

Roaming Client Not Filtering

When the tray icon is a green or blue color, filtering should be occurring. If domains which should be blocked are not being blocked, there could be software or network settings which interfere with the DNS queries (usually the response, as opposed to the query).

FIPS Compliance

Windows has a Local Security Policy setting, frequently turned on by hardening baselines and Group Policy, that enforces the use of FIPS-compliant cryptographic algorithms. For a long time Microsoft recommended enabling it, but it has since acknowledged that the setting is not always necessary and can cause issues with some applications.

One of the points made by Microsoft surrounding FIPS and the one that is relevant to our situation is "Finally, the .NET Framework’s enforcement of FIPS mode cannot tell whether any particular use of a cryptographic class is not for security purposes and thus not in violation of standards."

The DNSFilter Agent uses a cryptographically weak hash algorithm (MD5) to generate the ID for each machine the agent is installed on. There are no security implications in this use and it poses no risk. However, because MD5 is not a FIPS-approved algorithm, the .NET Framework's FIPS enforcement refuses to run it when the policy is enabled, and the agent fails.

If you are unable to disable the FIPS Enforcement Policy on your machine(s), at this time, the Roaming Client cannot be used. There is an update planned for the future that will resolve this, but as of right now it has not been completed.

If you are not required to have FIPS Compliance enabled, you can disable it in one of the following ways:

  1. Via Control Panel:
    · In Control Panel, click Administrative Tools, and then double-click Local Security Policy.
    · In Security Settings, expand Local Policies, and then click Security Options.
    · Under Policy in the right pane, double-click System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing, and then click Disabled.

  2. Via Registry:
    Ensure that the Enabled value under HKLM\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy is set to 0.
    You may also see an MDMEnabled value under the same key; it will also need to be set to 0.
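The script below is an added example, not DNSFilter's code, that reads the two registry values named above and then reproduces the failure the agent hits: it constructs the MD5 class that the .NET Framework blocks under FIPS enforcement and hashes a constructed input. Run it in Windows PowerShell 5.1, which is hosted on the .NET Framework; PowerShell 7 runs on .NET (Core), which does not enforce this policy, so the MD5 call succeeds there regardless of the setting. The remediation at the end is guarded with -WhatIf and only applies when you remove that switch.

```powershell
# Added example (not DNSFilter's code). Windows PowerShell 5.1 only for the
# MD5 demonstration; the registry read works in any PowerShell.
$key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
$enabled    = [int]($props.Enabled)      # missing value reads as 0 (policy off)
$mdmEnabled = [int]($props.MDMEnabled)
"FipsAlgorithmPolicy\Enabled    = $enabled"
"FipsAlgorithmPolicy\MDMEnabled = $mdmEnabled"

# What the agent does when it derives its machine ID: an MD5 over some input.
# Under FIPS enforcement the .NET Framework throws InvalidOperationException
# from the constructor ("This implementation is not part of the Windows
# Platform FIPS validated cryptographic algorithms"). PowerShell wraps that in
# a MethodInvocationException, so catch generically and report the base cause.
$bytes = [System.Text.Encoding]::UTF8.GetBytes('example-machine-identity')   # constructed input
try {
    $md5  = New-Object System.Security.Cryptography.MD5CryptoServiceProvider
    $hash = ($md5.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
    "MD5 succeeded (FIPS enforcement not in effect for this process): $hash"
} catch {
    "MD5 blocked: $($_.Exception.GetBaseException().Message)"
}

# Remediation, only if FIPS compliance is not required in your environment.
# Remove -WhatIf to apply; restart the agent service (or reboot) afterwards.
if ($enabled -ne 0 -or $mdmEnabled -ne 0) {
    Set-ItemProperty -Path $key -Name Enabled -Value 0 -Type DWord -WhatIf
    if ($null -ne $props.MDMEnabled) {
        Set-ItemProperty -Path $key -Name MDMEnabled -Value 0 -Type DWord -WhatIf
    }
}
```

On a machine where the agent fails to start, the expected outcome is Enabled = 1 (and possibly MDMEnabled = 1) together with the "MD5 blocked" line; if MD5 succeeds in Windows PowerShell 5.1, FIPS enforcement is not the cause and the other checks in this article apply.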

VPNs

If using a VPN, try disabling the VPN to see if it's interfering with the ability to filter DNS requests. You may need to contact support with the brand/version of the VPN to investigate further.

Juniper SRX (DNS Doctoring)

If you are using the Juniper SRX Firewall, DNS Doctoring will need to be disabled, which is only possible from the command-line interface. More information is available in Juniper's documentation.

If neither of these apply, please review the Enabling Logging section below.

Enabling Logging

Enabling and sending DNSFilter Support the logs is the best way for DNSFilter to diagnose the issue. If a computer with the Roaming Client installed is continually having an issue which can be replicated, please follow these steps:

  1. Open the WordPad application as an Administrator.
  2. Open the following file in WordPad: C:\Program Files\DNSFilter Agent\DNS Agent.exe.config
    -> The file will likely display only as "DNS Agent.exe", without the .config extension, if Windows is hiding known file extensions.
    -> *If you are an MSP, the folder will be: C:\Program Files\DNS Agent*

  3. Look for the following block in the file:
    <file value=""/>

Add your preferred logfile location and name between the double quotes:
<file value="C:\DNSLog.txt"/>

  4. Locate the following block:
    <level value="INFO"/>

Change the log level value to DEBUG:
<level value="DEBUG"/>

  5. Save the file.

  6. Open the Services application, locate DNSFilter Agent (MSPs: DNS Agent) and stop and start the service so the new configuration is read.
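The following script is an added example, not DNSFilter's own tooling, that performs steps 2 through 6 unattended: it backs up the .exe.config, sets the log file path and the DEBUG level, and restarts the service. It assumes the file contains a single <file value=""/> element and a single <level value="INFO"/> element, as the steps above describe, and the log path, the -Msp switch and the .bak backup name are choices made here. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not DNSFilter's own tooling). Assumes one <file value=""/>
# and one <level value=""/> element in the agent's .exe.config. -Msp and the
# default log path are this script's own choices.
#Requires -RunAsAdministrator
param(
    [string]$LogPath = 'C:\DNSLog.txt',
    [switch]$Msp
)

# Retail and MSP builds use different folders and service names.
$dir = if ($Msp) { 'C:\Program Files\DNS Agent' } else { 'C:\Program Files\DNSFilter Agent' }
$svc = if ($Msp) { 'DNS Agent' } else { 'DNSFilter Agent' }
$cfg = Join-Path $dir 'DNS Agent.exe.config'
if (-not (Test-Path -LiteralPath $cfg)) { throw "Config not found: $cfg" }

# Keep an untouched copy so the change can be reverted once logs are collected.
Copy-Item -LiteralPath $cfg -Destination "$cfg.bak" -Force

# Edit the XML rather than doing a text replace, so quoting and encoding stay valid.
[xml]$xml  = Get-Content -LiteralPath $cfg -Raw
$fileNode  = $xml.SelectSingleNode('//file[@value]')
$levelNode = $xml.SelectSingleNode('//level[@value]')
if (-not $fileNode -or -not $levelNode) {
    throw 'Expected <file value=""/> and <level value=""/> elements were not found.'
}
$fileNode.SetAttribute('value', $LogPath)
$levelNode.SetAttribute('value', 'DEBUG')
$xml.Save($cfg)

# The agent only reads its config at startup.
Restart-Service -Name $svc
"'{0}' restarted; logging to {1} at DEBUG. Original config saved as {2}.bak" -f $svc, $LogPath, $cfg
```

To revert after sending the logs, copy the .bak file back over the .exe.config and restart the service again; DEBUG logging grows the file quickly and should not be left on.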

Once the problem has reproduced, such as:

  • No DNS Resolution
  • Failure to resolve local resources
  • No Internet Connectivity
  • Failure to start the System Service

please send the log file to DNSFilter Support.
