This article explains how to restore DNS resolution while remaining protected by DNSFilter using a Windows NRPT (Name Resolution Policy Table) rule.
Zero trust VPNs—such as Ivanti, ZScaler, Cloudflare Zero Trust, and Perimeter 81—can sometimes conflict with the Windows Roaming Client. This conflict occurs when the VPN intercepts or encrypts DNS traffic at the kernel level, preventing the agent from properly resolving DNS queries.
When this occurs:
- The agent icon turns red
- DNS lookups fail
- Users may only reach internal VPN resources by IP address rather than by domain
Add an NRPT Rule for VPN DNS Servers
This workaround applies when:
- A zero trust VPN is installed on the same endpoint as the DNSFilter Roaming Client
- The VPN operates in Zero Trust mode (some VPNs offer different operation modes)
- DNS resolution fails after the VPN connects, but internal IP-based access still works
Use a PowerShell script to bypass the Windows agent for the impacted domain and resolve it via an internal DNS resolver. The NRPT rule routes VPN DNS queries directly to the VPN’s DNS servers while keeping DNSFilter protection active for all other queries.
- Open PowerShell as Administrator
- Run the following script:
Add-DnsClientNrptRule -Namespace ".your-internal-domain-name" -NameServers "Your-Internal-DNS-Resolver-IP-Address-Here,1.1.1.1"
Example:
Add-DnsClientNrptRule -Namespace ".mycompanyresource.com" -NameServers "192.168.1.1,1.1.1.1"
- Confirm the rule was added:
Get-DnsClientNrptRule
- Restart the Windows agent
The NRPT rule is now in place. Connect to the VPN again and confirm that DNS lookups for internal resources now resolve correctly while the DNS Agent icon remains active.
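The steps above can also be run as one repeatable script that adds the rule only once, checks that it is in effect, and leaves a way to remove it later. This is an added example, not DNSFilter's own script: the namespace and resolver values are the article's sample values, and `$TestName`, `$Tag` and the function name `Remove-VpnNrptWorkaround` are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example, not DNSFilter's script. Namespace and resolvers are the article's
# sample values; $TestName, $Tag and the function name below are hypothetical.
$Namespace = '.mycompanyresource.com'
$Resolvers = '192.168.1.1', '1.1.1.1'          # passed as a string array (String[])
$TestName  = 'intranet.mycompanyresource.com'  # constructed internal record for the check
$Tag       = 'DNSFilter VPN workaround'        # constructed marker to find the rule later

# 1. Add the rule only when none covers the namespace, so re-runs create no duplicates.
$rule = Get-DnsClientNrptRule | Where-Object { $_.Namespace -contains $Namespace }
if (-not $rule) {
    $rule = Add-DnsClientNrptRule -Namespace $Namespace -NameServers $Resolvers -Comment $Tag -PassThru
}

# 2. Show what the DNS client actually applies. A rule that was added but is
#    absent from the effective policy is not in effect.
Get-DnsClientNrptPolicy -Effective |
    Where-Object { $_.Namespace -contains $Namespace } |
    Format-List Namespace, NameServers

# 3. Resolve through the Windows DNS client. Resolve-DnsName honours NRPT;
#    nslookup sends its own queries and does not, so it cannot confirm the rule.
try {
    Resolve-DnsName -Name $TestName -Type A -DnsOnly -ErrorAction Stop |
        Select-Object Name, Type, IPAddress
} catch {
    Write-Warning "Lookup of $TestName failed: $($_.Exception.Message)"
}

# 4. Rollback for when the workaround is no longer needed. Only rules created
#    with the marker above are removed; rules added without -Comment are left alone.
function Remove-VpnNrptWorkaround {
    Get-DnsClientNrptRule | Where-Object { $_.Comment -eq $Tag } |
        ForEach-Object { Remove-DnsClientNrptRule -Name $_.Name -Force }
}
```

Run it while the VPN is connected so the lookup in step 3 exercises the internal resolver.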