Windows Roaming Client Troubleshooting

This guide is for troubleshooting any issues associated with the Roaming Client.

This guide assumes that the Tray Icon has been enabled at install time, which is contextually important for troubleshooting the Roaming Client.

If you are in the testing phase of deploying the Roaming Client, it’s recommended to keep the Tray Icon enabled until initial issues which prevent wider deployment are resolved.

If you are beyond the testing phase of deploying the Roaming Client and do not have the Tray Icon enabled, all troubleshooting steps will need to be followed.

Conflicting Software

This first thing to check when diagnosing problems with the Roaming Client is to check for software conflicts. Some software applications have a known conflict with the Roaming Client and their settings will need to be adjusted or turned off to ensure smooth operation.

Browsers, VPNs, and Security Software

Our Software Conflicts article has a list of software that we have identified will need to be adjusted for DNSFilter to work properly on your network and on Roaming Clients. Check this article to see if any of the applications listed are being used in your environment.

Hyper-V 

While the Hyper-V hypervisor itself or its virtual machines do not conflict with the Roaming Client, we have seen issues with some services that the Hyper-V system uses.  The chief culprit is the "Internet Connection Sharing" (ICS) service, which automatically runs a DNS server on 0.0.0.0:53 (all interfaces), which prevents the Roaming Client system service from being able to start.

The error logs for your agent will show an error about being unable to bind to port 53.

If the Roaming Client service (DNS Agent/DNSFilter Agent) starts BEFORE the ICS service, the ICS service can start with no issues, so as a work around there are two approaches:

1. You can stop the "Host Network Service" (HNS) service (required before you can stop the ICS service) and then stop the "Internet Connection Sharing" service, then start the Roaming Client service, and then restart the "Host Network Service" service (which will automatically restart the ICS service as well).

2. If you set the HNS and ICS services to "Delayed Start" as a startup type, this may give the RC service enough time to start before them on a reboot and avoid having to have manual stop/start of services to get the RC to run.

Windows Defender Application Guard

If you are not running any virtual machines, it could be that a Windows Defender feature called Application Guard (which uses Hyper-V) is turned on. This feature uses Hyper-V to open untrusted sites in an isolated container in the Microsoft Edge browser. If you run an environment where Edge is your primary browser, you may want to consider switching to Chrome Enterprise.

If Application Guard is in use, you may see the same behaviour as you do with the Hyper-V example above, and the issue can be resolved in a similar fashion, as the Application Guard service will also use ICS.

Microsoft NCSI

In exceptional situations, after the client is installed, Windows will display a limited network connectivity indicator (a yellow triangle) in the tray menu.

Limited Connectivity

Here are a few possible causes and solutions:

1. A limitation in NCSI - Microsoft’s Network Connectivity Status Indicator (NCSI) feature . Since the Fall 2017 Creator’s Update of Windows 10, this can be easily remedied by running the below line in an Administrative Command Prompt:

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\Windows\NetworkConnectivityStatusIndicator" /v UseGlobalDNS /t REG_DWORD /d 1 /f

2. NCSI is blocked - Especially true if you have a heavily-restricted policy. Whitelist the domain msftncsi.com in your policy.

Whitelisting msftncsi.com

Conflicting Hardware

USB Wi-Fi and HotSpots

Most USB-based Wi-Fi and HotSpot devices enforce their own DNS servers on the network adapter that is created when plugged in. As a result, they will likely not be compatible. Testing is encouraged.

Juniper SRX Firewall

If you are using the Juniper SRX Firewall, DNS Doctoring will need to be disabled, which is only available in the Command Line Interface. More information available In Juniper’s Documentation

Roaming Client Malfunction

If you have checked for known software and hardware conflicts and believe that the Roaming Client is malfunctioning, there are a few troubleshooting steps that you can take:

Check Service Status (Started/Stopped)

The tray icon for the Roaming Client should be Blue or Green. If is is Red, this is an indication that the client is not actively filtering DNS queries. There may be a problem with the system service. Verify the status of the service by:

1. Press ⊞ Win + R to open the Run dialog. Type in services.msc and hit Enter.
2. Scroll down to the service called DNSFilter Agent or DNS Agent (MSP Version). You may also check this via the command-line using:

SC QUERY "DNSFilter Agent"

or for the MSP version below:

SC QUERY "DNS Agent"

The Agent status should be “started” and “running”. If the Agent is “stopped”, you can restart it from the services menu or by running:

SC START "DNSFilter Agent"

or for the MSP version below:

SC START "DNS Agent"

Check Port Bindings

In addition to checking the service status of the Roaming Client, you will want to check that no other applications are binding to DNS ports on the local machine (127.0.0.X:53).

You can discover this by running the following prompt command:

netstat -ban | findstr :53 

The image below illustrates the ideal output of the command. The first line shows that the local listen address and port (TCP) 127.0.0.2:53 is listening for connections from any address (0.0.0.0:0). The LISTENING message shows that this connection is actively bound by the Roaming Client and listening for traffic. The second line shows the same thing for UDP (although the connection is not active). **If there are other connections listening on 127.0.0.X:53, there may be a port binding conflict between that software and the Roaming Client.

Netstat showing proper Roaming Client binding

Check Transparent Proxying

If the service is started, and the Roaming Client ports are properly bound, you should check to see if DNS requests are being proxied on your network or by your ISP. Our Transparent Proxying article goes into detail on this subject.

Roaming Client Not Filtering

When the tray icon is a green or blue color, filtering should be occurring. If domains which should be blocked are not being blocked, there could be software or network settings which interfere with the DNS queries (usually the response, as opposed to the query).

VPNs

If using a VPN, try disabling the VPN to see if it’s interfering with the ability to filter DNS requests. You may need to contact support with the brand/version of the VPN to investigate further.

Windows Roaming Client Logs

Logging is enabled with the Windows Roaming Client by default. It is set up to hold 1 weeks worth of log files, and then delete the oldest one each time it gets to 7 log files.

Getting over these roaming client logs is one of the best ways for DNSFilter to diagnose the issue. If a computer with the Roaming Client installed is continually having an issue which can be replicated, please follow these steps:

- If your system tray icon is not hidden, you can click on it and “View Log File”

- If the system tracon icon is hidden please navigate to:

C:\Program Files\DNSFilter Agent\ 
or
C:\Program Files\DNS Agent\

Once you have the folder opened from either method above, please find and attach logs.txt to your ticket.

Providing logs is necessary if you are experiencing issues with the Roaming Client, such as:

• No DNS Resolution
• Failure to resolve local resources
• No Internet Connectivity
• Failure to start the System Service

Please send the logs to DNSFilter Support