Follow this article to troubleshoot issues with DNSFilter Network Sites not activating or not receiving traffic (showing offline) when configured for DNS Forwarding.
For Sites used only by Roaming Clients or Relays that show as not active/offline, confirm those deployments are online and filtering traffic. If they are blocked, a common cause is competing for port access with other security tools on the network.
Background
If a Site is not activating or stops receiving DNS traffic, the Status in the dashboard will be Unprotected (not activated) or Offline (hasn't received traffic for at least 15 minutes).
In the image below, the Site Sweet William Coffee is offline, and the Site Sunflower House is not activated.
Possible causes
There are two likely causes for Sites showing as Unprotected or Offline:
- DNS Forwarding is not configured on the network. Make sure the DNSFilter Anycast IP addresses are added to the correct network setting
- DNS traffic is being transparently proxied. Internet Service Providers (ISPs) or legacy firewall/security rules on the network can intercept DNS traffic and send the DNS requests to an entirely different DNS server
The remainder of this article addresses troubleshooting possible transparent proxying on the network.
Determine if proxying is taking place
There are two methods available to discover a proxy. Use either method below to determine where DNS traffic is being sent.
Method one: From the browser
Visit DNS Leak Test or Whoismydns in a web browser.
There are three common responses from these sites:
- The domain hostnames include "dnsfilter". Great start! We can rule out transparent proxying and move on to other connectivity troubleshooting
- The domain names correspond with your local ISP. DNS traffic is being proxied by the ISP. Jump to the firewall setting updates below to bypass the ISP proxy
- The results are associated with some other address. If the IP address seems random or set to a destination like Google's DNS server (8.8.8.8 / 8.8.4.4) it's likely some legacy firewall/security rule on the network. Locate the security rule and update the settings to allow DNS traffic to reach DNSFilter
Method two: Prompt / Terminal Command
The domain myip.dnsfilter.com is known only to DNSFilter’s servers. If a non-DNSFilter service performs this DNS request, it will result in an NXDOMAIN (non-existent domain). This can be used to determine if DNS requests are coming to DNSFilter or going somewhere else.
In Command Prompt (Windows) or Terminal (macOS/Linux), run the following command:
nslookup myip.dnsfilter.com. 103.247.36.36
View the results under Non-authoritative answer:
- The DNS request made it to DNSFilter: the output shows "Name: myip.dnsfilter.com" followed by an "Address:" line that includes an IP address
- The DNS request did not make it to DNSFilter: the output shows "*** Can't find myip.dnsfilter.com: no answer"
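The following script is an added example, not DNSFilter's own tooling: it runs the Method two check and classifies the nslookup output so the result can be used from a script or a monitoring job instead of read by eye. The resolver IP 103.247.36.36 and the probe name myip.dnsfilter.com come from the article; the sample outputs embedded in the script are constructed from the common nslookup output formats, not captured from a real network.

```shell
#!/bin/sh
# Added example (not DNSFilter's own tooling): run the "Method two" check and
# classify the nslookup output. The resolver IP 103.247.36.36 and the probe
# name myip.dnsfilter.com come from the article; the sample outputs below
# are constructed from the usual nslookup output formats.

DNSFILTER_IP="103.247.36.36"
PROBE_NAME="myip.dnsfilter.com."

# Reads nslookup output on stdin and prints exactly one word:
#   reaching-dnsfilter  an answer for the probe name came back, so the query
#                       reached DNSFilter's resolvers
#   proxied             a negative answer (NXDOMAIN / can't find): another
#                       resolver answered, so port-53 traffic is intercepted
#   unreachable         no reply at all (timeout): a connectivity problem,
#                       not a proxy
#   unknown             the output matched no known pattern
classify_nslookup_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -qiE "no servers could be reached|timed out"; then
        echo unreachable
    elif printf '%s\n' "$out" | grep -qiE "can't find|nxdomain|no answer"; then
        echo proxied
    elif printf '%s\n' "$out" | grep -qE "^Name:[[:space:]]*myip\.dnsfilter\.com"; then
        echo reaching-dnsfilter
    else
        echo unknown
    fi
}

# Runs the live check from the article and classifies its output.
check_dnsfilter_path() {
    nslookup "$PROBE_NAME" "$DNSFILTER_IP" 2>&1 | classify_nslookup_output
}

# Constructed sample outputs (not captured from a real network).
SAMPLE_OK="Server:    103.247.36.36
Address:   103.247.36.36#53

Non-authoritative answer:
Name:   myip.dnsfilter.com
Address: 203.0.113.10"

SAMPLE_PROXIED="Server:    103.247.36.36
Address:   103.247.36.36#53

** server can't find myip.dnsfilter.com: NXDOMAIN"

SAMPLE_TIMEOUT=";; connection timed out; no servers could be reached"

# Pass --live to query the network; without it only the samples are classified.
if [ "${1:-}" = "--live" ]; then
    echo "live check via $DNSFILTER_IP: $(check_dnsfilter_path)"
else
    for s in "$SAMPLE_OK" "$SAMPLE_PROXIED" "$SAMPLE_TIMEOUT"; do
        printf '%s\n' "$s" | classify_nslookup_output
    done
fi
```

Run it with `--live` on a machine behind the network in question; a result of `proxied` means the NXDOMAIN came from a resolver that is not DNSFilter, which is the transparent-proxy case the rest of the article addresses, while `unreachable` points at a plain connectivity or outbound UDP 53 block rather than interception.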
Adjust firewall rules to prevent proxying
The most reliable way to bypass ISP proxying is to use local firewall rules to send DNS traffic to DNSFilter on port 5353 or 5354 (UDP only) instead of the standard port 53 that transparent proxies intercept.
We outline methods to change the port using iptables in our Community; the approach can be adapted to most firewalls. Consult your firewall manufacturer's documentation for the most accurate process.
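The script below is an added example of the port change on a Linux router; it is not DNSFilter's Community article or any vendor's documentation. It assumes a Linux firewall with the iptables nat table available, uses the single DNSFilter IP 103.247.36.36 that appears in this article, and treats the LAN interface name and the choice of 5353 over 5354 as placeholders to adjust for your network.

```shell
#!/bin/sh
# Added example (not DNSFilter's or any vendor's documentation): iptables
# rules that move DNS to the alternate UDP port described in the article.
# Assumes a Linux router with the nat table; the interface name, the port
# (5353 or 5354) and the single DNSFilter IP 103.247.36.36 from the article
# are placeholders to adjust for the network in question.

DNSFILTER_IP="103.247.36.36"
ALT_PORT="5353"   # the article names 5353 or 5354 (UDP only)

# Prints the iptables commands for LAN interface $1 without running them.
# - PREROUTING: LAN clients keep sending to port 53, but the router rewrites
#   the destination to DNSFilter on the alternate UDP port, so the ISP's
#   port-53 interception never sees the query.
# - OUTPUT: the router's own resolver traffic gets the same treatment.
dns_redirect_rules() {
    lan_if="$1"
    printf '%s\n' \
      "iptables -t nat -A PREROUTING -i $lan_if -p udp --dport 53 -j DNAT --to-destination $DNSFILTER_IP:$ALT_PORT" \
      "iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination $DNSFILTER_IP:$ALT_PORT"
}

# Applies the rules (needs root), echoing each one before it runs.
apply_dns_redirect() {
    lan_if="$1"
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_dns_redirect: must run as root" >&2
        return 1
    fi
    dns_redirect_rules "$lan_if" | while IFS= read -r rule; do
        echo "+ $rule"
        eval "$rule" || return 1
    done
}

# Usage: ./dns-redirect.sh br0          (dry run: prints the rules)
#        ./dns-redirect.sh br0 --apply  (installs them, as root)
if [ "${2:-}" = "--apply" ]; then
    apply_dns_redirect "${1:?LAN interface required}"
elif [ -n "${1:-}" ]; then
    dns_redirect_rules "$1"
fi
```

Because the DNAT only rewrites the destination port, conntrack translates the replies back, so clients still see answers arriving from port 53 and need no reconfiguration. The rules cover UDP only, matching the article's guidance; TCP 53 fallback queries are not redirected. After applying them, rerun the nslookup check from Method two to confirm the queries now reach DNSFilter.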