DNSFilter supports DNS-over-TLS (DoT) in our Roaming Clients and DNS Relay, providing encrypted and private DNS traffic.
Enabling DoT can resolve common issues such as:
- Roaming Clients or Relays intermittently going offline
- No websites resolving or loading after installation
- Filtering Policies failing to block or allow websites as expected
- Conflicts with network or ISP security settings (e.g., eero Secure blocking port 53 traffic) that interfere with DNS resolution
In addition to fixing these issues, DoT improves security by sending DNS queries through a TLS channel on port 853 instead of cleartext on port 53. Because the client verifies the resolver's certificate against the DNSFilter hostnames below, an on-path attacker can neither read nor tamper with DNS requests, and the device keeps a stable, direct connection to DNSFilter.
If failover or communication issues occur, the Roaming Client automatically falls back to resolving over port 53 (UDP/TCP). This fallback is opportunistic: an attacker who can block port 853 on the local network can force queries back to cleartext, so DoT on the Roaming Client protects against passive observation and casual tampering rather than a determined on-path adversary.
The DNSFilter DNS-over-TLS hostnames are:
- dns1.dnsfilter.com
- dns2.dnsfilter.com
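To check that a resolver actually answers strict DoT, the following script, added here as an example and not DNSFilter's own code, sends a wire-format query over a TLS 1.3 session with certificate and hostname verification, using the RFC 7858 two-byte length framing. The resolver IPs and authentication names are the ones given in this article; the queried name (dnsfilter.com) and the transaction ID are assumptions. If port 853 is blocked or the certificate does not match the hostname, it fails loudly instead of falling back to port 53, which is the behaviour to expect from a strict DoT client.

```python
"""DNS-over-TLS (RFC 7858) query check: wire-format query, two-byte length
framing, strict TLS 1.3 with certificate and hostname verification, answer
parsing.  Added example for this article, not DNSFilter's own code.
Server IPs and auth names are the article's; the queried name is an assumption."""
import socket
import ssl
import struct

DOT_PORT = 853
DOT_SERVERS = [("103.247.36.36", "dns1.dnsfilter.com"),
               ("103.247.37.37", "dns2.dnsfilter.com")]


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Wire-format A query with the RD (recursion desired) flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def frame(msg: bytes) -> bytes:
    """DoT reuses DNS-over-TCP framing: a 2-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg


def read_name(buf: bytes, off: int):
    """Decode a possibly compressed name; returns (name, offset past it)."""
    labels = []
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            tail, _ = read_name(buf, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(buf[off:off + length].decode("ascii"))
        off += length


def parse_a_records(msg: bytes, txid: int = 0x1234):
    """Return (rcode, [IPv4 strings]) from a wire-format response."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("response does not match the query")
    off = 12
    for _ in range(qd):                                 # skip question section
        _, off = read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:                   # A record
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addrs


def recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def query_dot(name: str, server_ip: str, auth_name: str, timeout: float = 3.0):
    """Strict DoT: TLS 1.3 only, CA chain and hostname checked against auth_name.
    A wrong certificate or a blocked port 853 raises instead of silently
    falling back to cleartext on port 53."""
    ctx = ssl.create_default_context()                  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    with socket.create_connection((server_ip, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            tls.sendall(frame(build_query(name)))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return parse_a_records(recv_exact(tls, length))


if __name__ == "__main__":
    for ip, host in DOT_SERVERS:                        # queried name is an assumption
        try:
            print(ip, host, query_dot("dnsfilter.com", ip, host))
        except OSError as exc:                          # includes ssl.SSLError and timeouts
            print(ip, host, "DoT failed:", exc)
```

Run it from a network where port 853 is open; on a captive-portal or port-853-blocking network the connect step times out, which is exactly the condition the macOS warning below describes. The framing and parsing functions are pure and can be exercised offline with a captured response.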
Implementation details
These features are supported by this implementation:
- TLS 1.3
- RFC 7828 (EDNS0 TCP keepalive option)
- TCP Fast Open
- TLS False Start
Windows Roaming Client
For Windows Roaming Client version 3.0.0 or higher, configure the upstream order in the appsettings.overrides.json file as shown below to ensure proper DNS resolution:
"LoopbackProxy": {
  "UpstreamProtocolTypeOrder": "DnsOverTls, StandardUdp, StandardTcp"
}
For Windows Roaming Client version 2.2.1 and older, update the upstream order via the registry:
- Install the Windows Roaming Client
- Create a registry value that sets tcp-tls as the preferred connection method. Use the key that matches the installed brand of the client (DNSFilter Agent or DNS Agent):
reg add "HKLM\Software\DNSFilter\Agent" /v UpstreamOrder /d "tcp-tls,udp,tcp" /f
reg add "HKLM\Software\DNSAgent\Agent" /v UpstreamOrder /d "tcp-tls,udp,tcp" /f
- Restart the Roaming Client to apply these settings
macOS Roaming Client
🚨 Warning: Enabling DoT is recommended only on trusted private networks (home, office, school). On public networks like airports, cafés, or airplanes, DoT traffic is often blocked—which can prevent DNS resolution and may break access to captive portals, stopping users from joining Wi-Fi entirely.
For users who frequently travel or connect to public Wi-Fi, we recommend keeping the default UDP setting for reliable connectivity and enabling Travel Wi-Fi mode to prevent interruptions.
- Open the daemon.conf file. Use the path that matches the installed brand of the client (DNSFilter Agent or DNS Agent):
sudo nano /Library/Application\ Support/DNSFilter\ Agent/daemon.conf
sudo nano /Library/Application\ Support/DNS\ Agent/daemon.conf
- Set the upstream_order (snippet below) at the top of the config file:
# Desired upstream use order, defaults to "udp", "tcp", "tcp-tls", set only one to disable the others
upstream_order = [ "tcp-tls", "udp", "tcp" ]
- Restart the Roaming Client with the stop and start commands for the installed brand:
DNSFilter Agent, stop:
sudo launchctl unload /Library/LaunchDaemons/com.dnsfilter.agent.macos.helper.plist
DNSFilter Agent, start:
sudo launchctl load -w /Library/LaunchDaemons/com.dnsfilter.agent.macos.helper.plist
DNS Agent, stop:
sudo launchctl unload /Library/LaunchDaemons/io.netalerts.agent.macos.helper.plist
DNS Agent, start:
sudo launchctl load -w /Library/LaunchDaemons/io.netalerts.agent.macos.helper.plist
iOS Roaming Client
With iOS agent version 1.0.8 and higher, DoT is enabled by default and no longer requires the end user to configure it manually.
Manually update all devices
Follow these steps for older versions or to change this option. This enables or disables DoT on all devices that use the dnsfilter.mobileconfig file.
- Open the dnsfilter.mobileconfig file
- Set the dns_over_tls_enabled key in the <dict> section:
<key>dns_over_tls_enabled</key>
<true/>
- Restart the agents to apply these changes
Manually update a single device
To enable or disable DoT on a single device, open the Roaming Client app Settings and select or unselect Enable DNS over TLS. Restart the agent to apply the change.
DNS Relay
Set the upstream_order (snippet below) at the top of the relay.conf file. If making this update after deployment, restart the Relay to apply the change.
# Desired upstream use order, defaults to "udp", "tcp", "tcp-tls", set only one to disable the others
upstream_order = [ "tcp-tls", "udp", "tcp" ]
Note: single-line settings such as upstream_order must be placed before any [xyz] TOML table. A key placed at the bottom of the file is parsed as part of the last TOML table and is not read as the top-level setting.
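The placement pitfall above is easy to miss because the file still parses cleanly. The following checker, added here as an example and not part of the DNS Relay, reports which TOML table a single-line key landed in and validates the transports named in upstream_order. The two sample configs are constructed for the example; the [logging] table and its level key are hypothetical, chosen only to stand in for whatever tables relay.conf carries.

```python
"""Check where a single-line setting such as upstream_order sits in a
relay.conf-style TOML file.  Added example, not DNSFilter's code; the
sample configs below are constructed and the [logging] table is hypothetical."""
import re

TABLE_HEADER = re.compile(r"^\s*\[\[?([^\]]+)\]\]?\s*$")   # [table] or [[array.of.tables]]
KEY_LINE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*=")
ALLOWED_TRANSPORTS = ("udp", "tcp", "tcp-tls")


def locate_key(toml_text: str, key: str):
    """Return the table the key belongs to: '' for top level, the table name
    if it was absorbed into a table, or None if the key is absent."""
    current = ""
    for line in toml_text.splitlines():
        stripped = line.split("#", 1)[0].rstrip()   # drop comments; fine for this config
        if not stripped:
            continue
        header = TABLE_HEADER.match(stripped)
        if header:
            current = header.group(1).strip()
            continue
        k = KEY_LINE.match(stripped)
        if k and k.group(1) == key:
            return current
    return None


def parse_upstream_order(toml_text: str):
    """Return the upstream_order list, or None if unset; reject unknown transports."""
    m = re.search(r'^\s*upstream_order\s*=\s*\[([^\]]*)\]', toml_text, re.M)
    if not m:
        return None
    values = re.findall(r'"([^"]*)"', m.group(1))
    unknown = [v for v in values if v not in ALLOWED_TRANSPORTS]
    if unknown:
        raise ValueError(f"unknown transport(s) {unknown}; allowed: {ALLOWED_TRANSPORTS}")
    return values


def check_upstream_order(toml_text: str) -> str:
    where = locate_key(toml_text, "upstream_order")
    if where is None:
        return "unset: relay will use the default udp, tcp, tcp-tls order"
    if where == "":
        return f"ok: top-level upstream_order = {parse_upstream_order(toml_text)}"
    return f"misplaced: upstream_order was absorbed into the [{where}] table"


# Constructed sample configs (the [logging] table is hypothetical).
GOOD = """\
# Desired upstream use order
upstream_order = [ "tcp-tls", "udp", "tcp" ]

[logging]
level = "info"
"""

BAD = """\
[logging]
level = "info"

# looks top-level to a human, but TOML keeps it inside [logging]
upstream_order = [ "tcp-tls", "udp", "tcp" ]
"""

if __name__ == "__main__":
    print(check_upstream_order(GOOD))
    print(check_upstream_order(BAD))
```

Point the checker at a real relay.conf (read the file into a string and call check_upstream_order) before restarting the Relay; a misplaced key is the usual reason DoT appears not to take effect after an edit.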
Forwarder/Stub support
A typical setup for DNS-over-TLS is to configure a LAN DNS server as a forwarder: LAN clients keep sending ordinary port 53 queries to it, and it forwards them upstream to DNSFilter over TLS.
Below are some example software configurations.
Knot Resolver
Specific instructions for Knot Resolver depend on the local configuration and operating system; see Knot Resolver's documentation for details. This blog post might also be helpful.
To implement TLS forwarding, load the policy module and install a policy.TLS_FORWARD action in the Knot Resolver configuration. The hostname= value is what the certificate is verified against, so keep it set to the DNSFilter names:
✍️ The ca_file= target may not be needed (Knot Resolver can use the system CA store) or may differ on your system.
modules = { 'policy' }
policy.add(policy.all(policy.TLS_FORWARD({
  {'103.247.36.36', hostname='dns1.dnsfilter.com', ca_file='/etc/knot-resolver/tlsca.crt'},
  {'103.247.37.37', hostname='dns2.dnsfilter.com', ca_file='/etc/knot-resolver/tlsca.crt'},
})))
Stubby + Unbound
A two-container Docker solution in which Unbound acts as the DNS caching forwarder and Stubby provides the DNS-over-TLS transport between Unbound and DNSFilter. This combines Unbound's caching with the high-performing DNS-over-TLS implementation that Stubby provides.
See the GitHub project for the container setup.
Stubby (Standalone)
In the upstream_recursive_servers: section of stubby.yaml:
upstream_recursive_servers:
  - address_data: 103.247.36.36
    tls_auth_name: "dns1.dnsfilter.com"
  - address_data: 103.247.37.37
    tls_auth_name: "dns2.dnsfilter.com"
Unbound (Standalone)
Unbound is the default DNS forwarder in the open-source firewalls IPFire and pfSense.
Performance Warning
DNS-over-TLS performance in Unbound is relatively poor. About 8 to 10 queries per second is our suggested maximum, so it is only recommended for low-traffic networks. Consider using Knot Resolver or the Stubby + Unbound Docker solution instead.
In unbound.conf, enable TLS for upstream queries in the server: section and add a forward-zone: for the root that points at the DNSFilter resolvers on port 853. DNSFilter's two addresses must be the only forwarders configured:
server:
    tls-upstream: yes
forward-zone:
    name: "."
    forward-addr: 103.247.36.36@853
    forward-addr: 103.247.37.37@853
On older Unbound releases the server option is spelled ssl-upstream: yes. As written, the upstream session is encrypted but the resolver's certificate is not checked against a name; to authenticate it, append the name to each address (for example forward-addr: 103.247.36.36@853#dns1.dnsfilter.com) and set tls-cert-bundle: in the server: section to the system CA bundle.