Use this article to create a Windows NRPT (Name Resolution Policy Table) rule that restores DNS resolution while the device remains protected by DNSFilter.
This workaround only applies to Windows agents using Classic DNS Filtering mode. Classic DNS Filtering relies on Loopback Proxy DNS (127.0.0.2), which can conflict with VPN clients that intercept or manage DNS traffic outside of the Windows resolver path.
Zero trust VPNs may conflict with the Windows Roaming Client when the VPN intercepts or encrypts DNS traffic at the kernel level. This can prevent the agent from resolving DNS queries correctly.
When this occurs:
- The agent icon turns red
- DNS lookups fail
- Internal VPN resources are reachable only by IP address, not by domain name
Add an NRPT rule for VPN DNS servers
This workaround applies when:
- A zero trust VPN is installed on the same device as the Windows Roaming Client
- The VPN operates in zero trust mode (some VPNs offer multiple modes)
- DNS resolution fails after VPN connection, but internal IP-based access still works
Use an NRPT rule to bypass the Roaming Client for the impacted namespace and route DNS requests directly to the VPN’s DNS servers. This keeps DNSFilter protection active for all other queries.
- Open PowerShell as Administrator
- Run the following command and replace the placeholder values

      Add-DnsClientNrptRule `
          -Namespace ".your-internal-domain-name" `
          -NameServers "Your-Internal-DNS-Resolver-IP-Address-Here","1.1.1.1"

  Example:

      Add-DnsClientNrptRule `
          -Namespace ".mycompanyresource.com" `
          -NameServers "192.168.1.1","1.1.1.1"

- Confirm the rule was added

      Get-DnsClientNrptRule

- Restart the Windows agent service
- Connect to the VPN again and confirm internal DNS lookups resolve successfully while the agent remains active
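
The steps above as one script that can be re-run without stacking duplicate rules. This is an added example, not DNSFilter's own script. The namespace and resolver addresses are the article's example values, `host.mycompanyresource.com` is a constructed test name, and `-AgentService` is a hypothetical parameter because the article does not give the service name.

```powershell
#Requires -RunAsAdministrator
# Added example: idempotent NRPT rule for a VPN-internal namespace.
param(
    # Leading dot = suffix match. Everything under this suffix bypasses the
    # Roaming Client, so keep it to the internal namespace only.
    [string]   $Namespace    = '.mycompanyresource.com',
    [string[]] $NameServers  = @('192.168.1.1', '1.1.1.1'),
    # Constructed internal host name used for the final check.
    [string]   $TestName     = 'host.mycompanyresource.com',
    # Assumption: the agent's service name. Look it up with Get-Service.
    [string]   $AgentService
)

# Reuse an existing rule for this namespace instead of adding a second one.
$existing = Get-DnsClientNrptRule |
    Where-Object { $_.Namespace -contains $Namespace }

if ($existing) {
    Write-Host "NRPT rule for $Namespace already exists: $($existing.Name -join ', ')"
} else {
    Add-DnsClientNrptRule -Namespace $Namespace -NameServers $NameServers `
        -Comment 'VPN-internal namespace, bypasses Roaming Client' | Out-Null
    Write-Host "Added NRPT rule for $Namespace"
}

# Show what is now configured for the namespace.
Get-DnsClientNrptRule |
    Where-Object { $_.Namespace -contains $Namespace } |
    Format-List Name, Namespace, NameServers, Comment

# Restart the agent only when a service name was supplied.
if ($AgentService) {
    Restart-Service -Name $AgentService -ErrorAction Stop
}

# Resolve-DnsName goes through the Windows DNS client and so honours NRPT.
# nslookup queries a server directly and ignores NRPT, so it cannot
# confirm that the rule is being applied.
try {
    Resolve-DnsName -Name $TestName -Type A -DnsOnly -ErrorAction Stop |
        Select-Object Name, Type, IPAddress
} catch {
    Write-Warning "Lookup of $TestName failed: $($_.Exception.Message)"
}
```

Run it once before connecting to add the rule, then again after the VPN is up so the final lookup exercises the VPN's DNS servers.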