Skip to main content

How can we help you?

Search

help Knowledge Base
forum Community
checklist Release Notes
event Events

VPN, EDR, and firewall compatibility issues with macOS Roaming Client v2.2.0+

Minetta Gould
  • Updated

    In this article

The macOS Roaming Client (v2.2.0 and higher) uses Apple’s System Extensions framework for secure, system-wide DNS interception. While this improves stability and security, it also means that VPN clients, endpoint detection and response (EDR) tools, and firewalls can conflict with DNSFilter when they install their own DNS proxy or enforce DNS rules.

Causes

  • Single DNS Proxy Limit
    macOS allows only one DNS proxy to intercept DNS traffic system-wide. If another application binds to ports 53 or 5454, the Roaming Client cannot function
  • Separate Routing Contexts
    VPNs using user-space networking may operate outside the protected routing tables used by Network Extensions, creating routing mismatches that break DNS interception
  • VPN-Enforced DNS Tunneling
    VPNs often route all DNS traffic through their tunnel, bypassing DNSFilter unless configured for split DNS/tunneling
  • Security Tool DNS Enforcement
    EDR and firewall products may implement their own DNS rules, use competing Network Extensions, or bind to DNS ports before DNSFilter, preventing proper DNS interception

Solutions

  1. Disable Competing DNS Features
    • Turn off “Use custom DNS” or similar settings in VPN clients
    • Disable DNS enforcement or DNS proxy features in EDR/firewall products
  2. Use Split DNS/Tunneling
    • Send only specific domains (such as internal domains) through the VPN
    • Route all other DNS queries through DNSFilter
  3. Confirm No Port Conflicts

    • Verify only DNSFilter is bound to ports 53 and 5454:

      lsof -i :53
lsof -i :5454
    • Remove or reconfigure any service occupying these ports
  4. Check Active System Extensions
    • Ensure only DNSFilter is active for DNS interception
  5. Restart in the Correct Order
    • Disconnect VPN → Restart DNSFilter → Reconnect VPN
    • This allows DNSFilter to bind to required ports first
  6. Restart the Device
    • Apply all configuration changes and clear residual conflicts

If Issues Persist

Collect the following and open a request for our Support team to review:

  • Security product name and version
  • Summary of configuration changes made
  • macOS agent diagnostic logs
Was this article helpful?
0 out of 0 found this helpful
Return to top

Comments

0 comments

Please sign in to leave a comment.