Follow this article to troubleshoot issues with DNSFilter Network Sites not activating or not receiving traffic (showing offline).
Background
If a Site is not activating or stops receiving DNS traffic, the circle next to the Site name in the dashboard will be grey (not activated) or red (hasn't received traffic for at least 15 minutes).
In the image below, the Sites Guest WiFi and Relay HQ are offline, and the Site Network Deployment is not activated.
A likely cause for this issue is transparent proxying from an Internet Service Provider (ISP). A transparent DNS proxy is the practice of intercepting DNS requests destined for a specific recursive DNS server (like DNSFilter) and sending the DNS requests to an entirely different DNS server.
Determine if proxying is taking place
There are different methods available to discover a proxy. Use either method below to determine where DNS traffic is being sent.
From the browser
Visit DNS Leak Test or Whoismydns in a web browser. There are three common responses from these sites:
- The domain names are related to DNSFilter. Great start! We can rule out transparent proxying and move on to other connectivity troubleshooting.
⚡️ Pro Tip: If you're just getting started, it never hurts to go back and check your work to make sure the Filtering Policies and Sites are set up correctly: a common error is forgetting to point DNS traffic to our anycast IP addresses during setup.
- The domain names correspond with your ISP. Your DNS traffic is being proxied by the ISP. Jump to the firewall setting updates below to bypass the ISP proxy.
- The results are associated with some other address. If the IP address seems random or is set to a destination like Google's DNS server (8.8.8.8 / 8.8.4.4), it's likely some legacy firewall/security rule on the network. Locate the security rule and update the settings to allow DNS traffic to reach DNSFilter.
From MyIP
The domain myip.dnsfilter.com is known only to DNSFilter’s servers. If a non-DNSFilter service performs this DNS request, it will result in an NXDOMAIN (non-existent domain). This can be used to determine if DNS requests are coming to DNSFilter or going somewhere else.
In Command Prompt (Windows) or Terminal (macOS/Linux), run the following command:
nslookup myip.dnsfilter.com. 103.247.36.36
View the results under Non-authoritative answer:
- The DNS request made it to DNSFilter. Name: myip.dnsfilter.com Address: includes IP address
- The DNS request did not make it to DNSFilter. *** Can't find myip.dnsfilter.com: no answer
Adjust firewall rules to bypass proxying
The best way to prevent ISP proxying is to use local firewall rules to change the port DNS traffic is sent on to 5353 or 5354 (UDP only).
We outline methods to change port settings using iptables in our Community, which can be adjusted to most firewall settings. Consult your firewall manufacturer's documentation for the most accurate process.
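To run the MyIP check and test the alternate ports in one pass, the added example below (not DNSFilter's own tooling) sends the myip.dnsfilter.com query to 103.247.36.36 over UDP on ports 53, 5353 and 5354 and compares the results. It assumes DNSFilter's resolver answers this name on the alternate ports; the function names and verdict strings are illustrative.

```python
import socket
import struct

RESOLVER = "103.247.36.36"      # DNSFilter address used in the nslookup step
NAME = "myip.dnsfilter.com"     # name known only to DNSFilter's servers
PORTS = (53, 5353, 5354)        # standard port plus the alternates named above

def build_query(name, txid=0x1234):
    """Encode a minimal DNS A/IN query with recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def classify(response, txid=0x1234):
    """Map a raw DNS response (or None on timeout) to a verdict string."""
    if response is None or len(response) < 12:
        return "no-response"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != txid or not flags & 0x8000:   # wrong ID or not a response
        return "invalid"
    rcode = flags & 0x000F
    if rcode == 3:
        return "nxdomain"   # a non-DNSFilter resolver handled the query
    if rcode == 0 and ancount > 0:
        return "answered"   # the query reached DNSFilter
    return "no-answer"

def probe(port, timeout=3.0):
    """Send the query to RESOLVER on one UDP port and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(NAME), (RESOLVER, port))
            data, _ = s.recvfrom(512)
        except OSError:     # includes timeouts and unreachable errors
            return "no-response"
    return classify(data)

def diagnose(results):
    """Combine per-port verdicts; results maps port -> verdict."""
    if results.get(53) == "answered":
        return "port 53 reaches DNSFilter"
    alt = [p for p in (5353, 5354) if results.get(p) == "answered"]
    if alt:
        return "port 53 intercepted; alternate port %d works" % alt[0]
    return "DNSFilter unreachable on all tested ports"

if __name__ == "__main__":
    print(diagnose({p: probe(p) for p in PORTS}))
```

If port 53 returns NXDOMAIN or nothing while 5353 or 5354 is answered, that matches the proxying case and the port change described above is the fix to apply.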