In this article

This article outlines how to deploy the Windows Roaming Client and includes links to deployment instructions for RMM/MDM tools, Active Directory, and PGP/GPG programs.

Deploying the Roaming Client is an easy solution if your ISP uses Carrier-Grade NAT because the agent bypasses the need for a known IP address altogether.

Confirm your OS version aligns with the Roaming Client functionality before attempting to deploy.

Environment Preparation

Preparing your network environment for deployment can prevent errors, misconfigurations, and internet connectivity issues. Use these articles to set yourself up for success.

• Prep your network for deployment by checking these common settings that can conflict with DNSFilter
• Prevent end-users from circumventing filtering policies in the firewall or Roaming Client configuration
• Consider other settings that can conflict with the agent like Firewalls, Security software, and Browser extensions
• Confirm VPN compatibility to ensure seamless inclusion in your security stack. VPN compatibility differs between Connection and Filtering Mode selections; consult these known conflicts and configuration setups for more details:
  • Classic DNS Filtering compatibility
  • DNS PreCheck compatibility

Install the Windows Roaming Client

Ensure devices are on and connected to the internet during the installation process.

Before installation, create a Site to associate with the Roaming Client.

Step one: Download installer and copy Site Key

1. From the DNSFilter dashboard, navigate to Deployments and select Roaming Clients
2. Select Install Roaming Client
3. Select the Site to associate with the agent
4. Choose the Roaming Client OS
5. Download the DNSFilter installer
6. Copy the Site Key

Step two: Run the installer

1. Run the installer package
   1. Paste in the Site Key when prompted by the installer.
   2. Click through the installer and agree to any security prompts

The Roaming Client is now active and filtering DNS requests. A tray icon will appear and show active status. See our Roaming Client troubleshooting articles if the tray icon shows an error (icon appears red or offline).

Step three: Update Connection and Filtering Mode (optional)

As of agent version 3.0.0, the Windows Roaming Client supports Connection and Filtering modifications to provide greater flexibility in how to protect roaming devices.

These settings apply to all supported agent versions connected to the Site’s Key and cannot be modified on an agent by agent basis at this time. Create a new Site to achieve more connection and filtering granularity.

Review DNS PreCheck Software Conflicts and Known Limitations before choosing that configuration mode.

✍️ This is an optional step: newly deployed agents default to Classic DNS Filtering mode.

1. From the Roaming Client page in the dashboard, open Control Center
2. Select Connection & Filtering Mode
3. Choose the configuration that fits the deployment:
   1. Classic DNS filtering. Enforces filtering at all times, ensuring strong security and privacy in fail-closed mode
   2. DNS PreCheck. Balances filtering and connectivity using PreCheck with fail-open mode
   3. Custom (Advanced). Allows administrators to define connection, filtering, and failover behavior directly

Once the configuration is saved, filtering and connectivity will operate according to the selected mode after the agent’s next check-in, typically within 5 minutes.

Confirm operating modes in the tray icon—Connection Mode and Filtering Mode should reflect the dashboard selections.

Step four: Test the connection

1. Verify the Roaming Client is active and filtering the desired categories by visiting debug.dnsfilter.com
2. Attempt to browse to a well-known domain that is allowed by the agent’s policy (i.e., google.com)
3. Attempt to visit a domain on the policy Block List in Incognito Mode

When deploying the agent to a team, DNSFilter recommends testing the policy with a small, mixed group of users (e.g. users from different departments, permission levels, or experience) to fine tune settings. Test for 1-2 days with multiple devices to ensure smooth operation before performing a mass deployment.

Send local DNS traffic to internal resources (optional)

Adding Local Domains is optional and only required for agents that use loopback-based routing.
When Local Domains are configured, the agent sends matching DNS queries to the internal DNS resolver instead of DNSFilter. This is helpful for networks with Split-Horizon DNS, internal-only domains, or corporate systems that return different IPs inside the LAN.

Loopback (Classic DNS Filtering) mode requires Local Domains and Local Resolvers configuration.

Transparent Proxy (DNS PreCheck) mode does not require this configuration. Internal DNS routing follows the DNS resolver provided by the device’s network or VPN.

Avoid filtering interruptions by enabling DoT

To prevent DNS interception or modification by third-party software or middleboxes, the Roaming Client can optionally use DNS-over-TLS (DoT) when communicating with DNSFilter. Enabling DoT improves reliability in environments where DNS traffic may be inspected, modified, or rate-limited.

DoT is only supported in Classic DNS Filtering agent mode. Using DoT ensures that filtered DNS traffic between the agent and DNSFilter remains encrypted and less vulnerable to interference.

The article on enabling DNS-over-TLS explains how to configure this feature for Roaming Clients.

Related deployment articles

Deploy the agent via Silent Install, Active Directory (Entra ID), RMM/MDM tool, or add an extra layer of protection with PGP/GPG programs.

• Windows Silent Install
• Active Directory
• Microsoft Intune
• Connectwise Automate
• Azure Virtual Machine
• Optional PGP/GPG deployment

⚡️ Bonus: Moving to DNSFilter from another filtering service? Our team wrote up onboarding materials for migrating to DNSFilter that can help streamline the process!

Learn more about Roaming Clients

• See our deployment options guide for a high-level overview of Roaming Clients
• Explore the technical details of Roaming Client components, proxies, and start up: all the ins and outs of how Roaming Clients work!
• Set yourself up for success by learning how to manage Roaming Clients from the DNSFilter dashboard
• Follow Roaming Client releases to stay up to date on our release notifications
• Use the uninstall guide to remove the Roaming Client from Windows devices individually or with RMM tools