This article explains how network admins configure local domains and resolvers so that internal resources stay reachable while DNSFilter continues to protect DNS.
Review our local domain and resolver guide for more detail on how this solution can work in your network environment.
Local domains can be set up to function alongside Roaming Clients via:
- DNSFilter dashboard
- DHCP DNS Search Suffix
- Windows install flag (e.g. LOCALDOMAINS=) during Roaming Client installation
- Windows registry settings
How Roaming Clients handle DNS traffic
DNSFilter’s Roaming Clients intercept and manage DNS traffic at the device level. For example, on Windows, DNS is set to 127.0.0.2, a loopback IP where DNSFilter processes requests.
When it takes over DNS handling, the Roaming Client:
- Saves the existing DNS server settings
- Redirects traffic to DNSFilter for policy enforcement
- Uses the original DNS settings for specified local domains
- Restores the original configuration when the agent is disabled or the device reboots
Best Practices
- Specify only necessary local domains to limit security risks. Remember that DNSFilter automatically forwards all .local domain requests to the network's originally configured DNS servers, regardless of other network settings
- Ensure your firewall allows EDNS to prevent local DNS resolution failures. Check Windows/macOS settings to confirm local DNS queries route correctly
DNS Resolution Priority
More specific local domain configurations take priority. If a local domain is set using DHCP, registry, or installation flags, it will override an identical domain configured in the DNSFilter dashboard. For example, if DHCP provides acme.com and the same domain is set in the DNSFilter dashboard, the device will use the original DNS server from the network interface.
A broader (less specific) local domain in the DNSFilter dashboard takes priority over a more specific domain supplied elsewhere. If DHCP provides a more specific domain (e.g., corp.acme.com) and a broader domain (acme.com) is set in the DNSFilter dashboard, the dashboard's resolvers will take precedence over the original DNS server on the network interface.
Example
A device gets 192.168.0.1 as its DNS via DHCP, and the following configuration is set in the dashboard:
- Local Domains: dundermifflin.com
- Local Resolvers: 192.168.100.1
When resolving www.dundermifflin.com, the Roaming Client:
- Queries 192.168.100.1
- If unreachable, queries 192.168.0.1 (DHCP-assigned DNS)
- If still unresolved, forwards the request to DNSFilter
🚨 Multi-Site Considerations: All Roaming Clients will use the local resolvers specified in the dashboard, which could result in DNS queries traversing site-to-site VPN or MPLS links before reaching the resolver.
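To make the precedence rules and the fallback chain above concrete, here is an added Python model of the documented behaviour. It is an illustration written for this article, not DNSFilter's own code, and it says nothing about the agent's internals: the DeviceConfig class, the function names and the sample addresses are constructed for the example. The page does not say what happens when a device-side domain is broader than a dashboard domain, so the model treats that case like the documented broader-dashboard case; that is an assumption and is marked as such in the code.

```python
"""Model of the local-domain resolution order documented for DNSFilter
Roaming Clients.  Added illustration, not DNSFilter's code: given the
dashboard's Local Domains / Local Resolvers and the device-side suffix list
(DHCP search suffix, LOCALDOMAINS= install flag or DNSDomainSuffixList
registry key), return the ordered list of resolvers a query would try."""
from dataclasses import dataclass, field
from typing import List, Optional

DNSFILTER = "DNSFilter"  # sentinel for "forward the query to DNSFilter"


def normalize(name: str) -> str:
    """Lower-case a name and drop surrounding whitespace and dots."""
    return name.strip().strip(".").lower()


def parse_suffix_list(raw: str) -> List[str]:
    """Parse the comma-separated list format used by the registry key / flag."""
    return [normalize(s) for s in raw.split(",") if s.strip()]


def matches(name: str, domain: str) -> bool:
    """True if name is domain itself or a subdomain of it.
    Matching on the label boundary keeps 'notacme.com' out of 'acme.com'."""
    return name == domain or name.endswith("." + domain)


def best_match(name: str, domains: List[str]) -> Optional[str]:
    """Most specific (longest) matching local domain, or None."""
    hits = [d for d in domains if matches(name, d)]
    return max(hits, key=len) if hits else None


@dataclass
class DeviceConfig:  # constructed for this example
    interface_dns: List[str]  # DNS servers saved from the interface (DHCP)
    device_domains: List[str] = field(default_factory=list)  # DHCP/flag/registry
    dashboard_domains: List[str] = field(default_factory=list)
    dashboard_resolvers: List[str] = field(default_factory=list)  # tried in list order


def resolver_chain(cfg: DeviceConfig, qname: str) -> List[str]:
    """Return the resolvers tried, in order, for one query name."""
    name = normalize(qname)
    # .local is always handed to the originally configured DNS servers.
    if matches(name, "local"):
        return list(cfg.interface_dns)
    dev = best_match(name, [normalize(d) for d in cfg.device_domains])
    dash = best_match(name, [normalize(d) for d in cfg.dashboard_domains])
    if dash is None:
        # Device-side local domain: original DNS only, never DNSFilter.
        # No local domain at all: straight to DNSFilter.
        return list(cfg.interface_dns) if dev else [DNSFILTER]
    if dev == dash:
        # Identical domain from DHCP/registry/flag overrides the dashboard entry.
        return list(cfg.interface_dns)
    # Dashboard entry wins.  Documented for a broader dashboard domain versus a
    # more specific device-side one; ASSUMED for the reverse case.  Then fall
    # back to the interface DNS and finally DNSFilter, as in the worked example.
    return list(cfg.dashboard_resolvers) + list(cfg.interface_dns) + [DNSFILTER]


if __name__ == "__main__":
    # The article's example: DHCP gives 192.168.0.1, dashboard maps
    # dundermifflin.com to 192.168.100.1 (values taken from the page).
    cfg = DeviceConfig(
        interface_dns=["192.168.0.1"],
        dashboard_domains=["dundermifflin.com"],
        dashboard_resolvers=["192.168.100.1"],
    )
    for q in ("www.dundermifflin.com", "printer.local", "example.com"):
        print(q, "->", resolver_chain(cfg, q))
```

The model resolves the broader-versus-more-specific question by longest suffix match on whole labels, which is also the check worth running over your own domain lists: an entry that matches more names than intended silently sends those queries to the interface DNS instead of DNSFilter, which is the risk behind "specify only necessary local domains".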
Compatible Roaming Clients
Adding local domains and resolvers in the dashboard ensures proper routing for devices using:
- Windows
- macOS
- iOS
- Android
Why not the Chrome Extension?
The use of local domains and resolvers isn't necessary for the Chrome Extension Roaming Client because the core functionality is different. When a website is accessed on a Chromebook with the Roaming Client, it first checks with DNSFilter to determine if the site is allowed. If the site is approved, DNSFilter does not provide the website’s address.
Instead, the Chromebook queries the DNS server configured on the device, such as the one assigned by the network via DHCP. As long as the site is allowed, the device relies on its configured DNS server to resolve the request.
Configure local domains and resolvers
DNSFilter Dashboard
Use the Local Domains feature to direct internal traffic to local resolvers such as LAN DNS, Active Directory DNS, or private name servers.
This setup is useful when:
- DHCP’s DNS Search Suffix isn’t configured properly
- Roaming Client installation lacks local domain setup, e.g. macOS devices
- Registry management of local domains is too complex
- LAN environments aren’t suited for DNSFilter Relay
- Network local domains change frequently and need easy updates
- Split-tunnel VPN setups require specific local domain resolution
🚨 IMPORTANT: Local resolvers must be added to the dashboard. Unlike .local addresses, they do not default to the originally configured DNS. Adding any valid network resolver IP will suffice.
Follow these steps to add local domains and resolvers to the dashboard.
- From the DNSFilter dashboard, navigate to Deployments and select Roaming Clients
- Tab to Local Domains
- Select the Network Site associated with the Roaming Clients that should reroute the local traffic
- Enter local domains and resolvers. Traffic sent to local resolvers will try the IPs in list order from top to bottom, not in numeric order
- Select Save
DHCP DNS Search Suffix (Windows)
Configuring a search suffix in DHCP (e.g. internal.bigco.com) allows devices to automatically append the domain suffix to unqualified queries (e.g. internal).
Installation flag (Windows)
The Windows Roaming Client can pass local domains during installation using the flag variable LOCALDOMAINS=. The flag creates the DNSDomainSuffixList in the registry.
The downside of this implementation is that these local domains persist even when the device roams off the corporate network: queries for them won’t be sent to DNSFilter for lookup, but to the local DNS of whichever network the device is on.
Registry (Windows)
Admins can modify local domains post-installation by editing the Windows registry. Separate entries with a comma.
- HKLM\Software\DNSFilterAgent\Agent in the DNSDomainSuffixList key
- HKLM\Software\DNS Agent\Agent in the DNSDomainSuffixList key