In this article

Learn how DNS PreCheck filters DNS locally on Windows devices to improve reliability, security, and connectivity.

DNS PreCheck is a filtering mode in the Windows Roaming Client v3.0.0 and higher. It validates and filters DNS queries locally on the device and requires the Transparent Proxy connection mode to function.

By filtering locally, DNS PreCheck helps maintain protection wherever the device connects—without requiring DNS changes or complex setup.

What is the difference between Classic and PreCheck?

Classic DNS filtering changes device DNS settings so all DNS requests resolve through DNSFilter’s Dual Anycast Network.

This approach delivers strong privacy and enforcement control but can:

• Require configuration or exceptions on internal or restricted networks
• Create conflicts with corporate or third-party tools that manage DNS
• Impact connectivity on networks where DNS behavior can’t be modified

DNS PreCheck modernizes DNS filtering by utilizing DNS locally on the device before queries leave the network stack.

It simplifies management and keeps filtering consistent anywhere by:

• Intercepting DNS traffic through a transparent proxy without changing DNS settings
• Working automatically on networks where DNS control or exceptions aren’t possible
• Maintaining reliable, continuous protection with minimal configuration

Key benefits to DNS PreCheck

• Intercepts DNS traffic automatically at the device level, with full IPv4 and IPv6 support
• Adapts to different network configurations without requiring setup or exceptions
• Keeps DNS filtering active even on networks that restrict or override DNS settings
• Prioritizes connectivity if filtering becomes temporarily unreachable (fail-open behavior)
• Reduces compatibility issues with VPNs, local domains, and other DNS-aware applications

Customers updating to v3.x.x who switch to DNS PreCheck do not need to remove existing agent-applied DNS settings. The agent automatically cleans up loopback entries during the upgrade.

When to use DNS PreCheck

• Deploying protection to devices that connect from different or unmanaged networks
• Simplifying setup where DNS control or exceptions aren’t possible
• Replacing older DNS redirection methods that cause conflicts or drop traffic
• Maintaining secure filtering while prioritizing connectivity across changing networks

⚠️ Compatibility note

DNS PreCheck works with most VPN and endpoint security tools.

Some agents that also intercept or encrypt DNS traffic, especially zero-trust or WFP-based applications—such as Zscaler Private Access or FortiClient Zero Trust Agent—may conflict, since both handle DNS at the same network layer.

See the Compatibility Support article for full detail.

Filtering and Connection Modes

DNS PreCheck introduces a configurable framework with three dimensions:

Connection mode

Defines how DNS queries are intercepted.

• Transparent proxy. Intercepts queries locally without changing DNS settings
• DNS loopback. Uses traditional DNS redirection for legacy compatibility, modifying network settings on a device

Filtering mode

Defines how queries are evaluated.

• Classic DNS Filtering. Queries route to DNSFilter DNS resolvers
• DNS PreCheck. Queries validated by DNSFilter but resolve to local DNS resolvers

Failover mode

Defines what happens if filtering cannot be reached.

• Fail-open mode. Maintains connectivity and bypasses filtering
• Fail-closed mode. Blocks queries until filtering is available

Review the DNS PreCheck known limitations before configuring these settings from the Roaming Client Control Center.