Network administrators use this article to understand how internal domains and DNS resolvers are handled by DNSFilter services, including Roaming Clients and Relay deployments.
Why local domains and resolvers matter
Many networks use internal DNS zones for resources such as file shares, domain controllers, authentication services, printers, and custom applications. These internal names may use fully qualified domain names (FQDNs), short hostnames, or .local suffixes.
Correct operation requires these internal names to be resolved by the internal network’s DNS servers. If they are not routed properly:
- Intranet pages fail to load
- Shared drives or printers do not respond
- Authentication to Active Directory fails
- Applications that rely on internal DNS return errors
DNSFilter must correctly distinguish internal DNS queries from external DNS queries to preserve normal network behavior.
Short Hostnames in Local Domains
As of 30 September 2025, Local Domains configured for Roaming Clients can be either short hostnames (e.g., printer-1, serverA) or fully qualified domain names (FQDNs) (e.g., printer-1.office.local).
- Short hostnames may only work inside the local network and can conflict across different networks
- For reliability, use FQDNs whenever possible. Reserve short hostnames for cases like printers or IoT devices, and test locally to confirm resolution
How DNSFilter handles local domains across platforms
With the introduction of Connection and Filtering modes, the handling of internal DNS depends on the interception method used by the deployment and whether the request is routed according to the operating system or according to dashboard configuration.
Supported Windows agents (v3.0+) route local traffic in different ways depending on the configuration:
- Transparent proxy (DNS PreCheck) relies on the device’s resolvers, so no dashboard configuration is necessary
- DNS loopback (Classic DNS Filtering) uses dashboard-configured local domains and local resolvers to determine which queries should be sent to internal DNS servers
The macOS, iOS, and Android agents, as well as the DNS Relay, require dashboard-configured local domains and resolvers to handle local services.
Chromebook Roaming Client local domains are managed in the Google Admin dashboard.
Automatic handling of .local domains
If the organization uses .local domains for internal resources, no additional configuration is needed. DNSFilter automatically forwards all .local domain requests to the network's originally configured DNS servers, regardless of other network settings.
RFC 1918 private address reverse lookups (PTR queries for in-addr.arpa) are also sent to local DNS servers.
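The following added example (not DNSFilter code) models the routing rules described in this article so a planned Local Domains list can be checked for internal names that would still be sent to external resolvers. It assumes dashboard-driven routing, that FQDN entries also cover their subdomains, and that short hostname entries match exactly; the function names and sample data are constructed for illustration.

```python
# Added illustration, not DNSFilter code: models the routing rules described above.
RFC1918_REVERSE_ZONES = ["10.in-addr.arpa", "168.192.in-addr.arpa"] + [
    f"{n}.172.in-addr.arpa" for n in range(16, 32)  # covers 172.16.0.0/12
]

def _normalize(name):
    # DNS names are case-insensitive; drop the trailing root dot.
    return name.strip().rstrip(".").lower()

def _in_zone(name, zone):
    # Match on label boundaries so "evilcorp.example.com" is not in "corp.example.com".
    return name == zone or name.endswith("." + zone)

def route_query(qname, qtype="A", local_domains=()):
    """Return ("local" | "external", reason) for one DNS query."""
    name = _normalize(qname)
    if _in_zone(name, "local"):
        return "local", "automatic .local forwarding"
    if qtype.upper() == "PTR" and any(_in_zone(name, z) for z in RFC1918_REVERSE_ZONES):
        return "local", "RFC 1918 reverse lookup"
    for entry in map(_normalize, local_domains):
        if "." not in entry:
            if name == entry:  # assumption: short hostnames match exactly
                return "local", f"short hostname entry {entry}"
        elif _in_zone(name, entry):  # assumption: FQDN entries cover subdomains
            return "local", f"local domain entry {entry}"
    return "external", "no local rule matched"

def external_bound(queries, local_domains):
    """List the (name, type) pairs that would leave the network."""
    return [q for q in queries if route_query(q[0], q[1], local_domains)[0] == "external"]

if __name__ == "__main__":
    # Constructed sample data: a planned Local Domains list and observed queries.
    configured = ["corp.example.com", "printer-1"]
    sample = [
        ("dc01.corp.example.com", "A"),
        ("printer-1", "A"),
        ("printer-1.office.local", "A"),
        ("4.3.2.10.in-addr.arpa", "PTR"),
        ("1.0.32.172.in-addr.arpa", "PTR"),  # 172.32.0.1 is outside RFC 1918
        ("fileserver", "A"),                 # short name missing from the list
    ]
    for name, qtype in sample:
        print(name, qtype, *route_query(name, qtype, configured))
    print("would leave the network:", external_bound(sample, configured))
```

Any internal name that appears in the `external_bound` result is missing from the Local Domains list and would fail to resolve or be exposed to an external resolver.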
Related Support Content
- Resolve VPN and Windows agent conflicts
- Fix blocked traffic that doesn’t show up in the DNS Query Log
- Configure firewall EDNS rules to allow local resolution