In this article

This article applies only to macOS Roaming Client version 2.2.0 and higher. Earlier agent versions are not affected by this issue.

What we know

An endpoint detection and response (EDR), VPNs, or firewall tools can interfere with the DNSFilter macOS agent v2.2.0+ when deployed via MDM, which employs two mobileconfig files and is a DNS Proxy. 

Common issues include:

• DNSFilter agent failing to filter traffic, but earlier version of the client worked as expected

• Repeated connection prompts

• Conflicts over port usage

This conflict can occur because the Roaming Client requires:

• A DNS Proxy profile

• Exclusive access to port 53 and port 5454

macOS allows only one DNS Proxy to intercept DNS traffic system-wide. Conflicts occur if another tool (such as an EDR) also enforces DNS rules or attempts to bind to the same ports.

How to work around the issue

1. Check the other tool’s DNS enforcement settings

   • Identify whether the product enforces DNS or includes its own DNS proxy

   • Disable any DNS enforcement features, if possible

2. Whitelist the DNSFilter agent

   • Allow loopback traffic to 127.0.0.1 within the EDR/firewall configuration

   • If the tool offers DNS rule exceptions, add one for DNSFilter’s agent

3. Set the domains that should send through the VPN as local domains in the DNSFilter dashboard

   • Set up resolvers for the DNS servers that the VPN uses for the dashboard resolvers

4. Confirm no port conflicts

   • Verify that only the DNSFilter agent is binding to ports 53 and 5454

   • Use the lsof -i :53 and lsof -i :5454 commands in Terminal to check active bindings

5. Restart the macOS device

   • Ensure all configuration changes are applied cleanly

Still Experiencing Issues?

Gather the following information for further investigation:

• Name and version of the security product

• A summary of configuration steps taken

• Diagnostic logs from the macOS agent

Submit the details to our Support team for review.