Use this article to understand VPN compatibility considerations when the Windows Roaming Client is configured in DNS PreCheck mode. See our Connection and Filtering Mode guide for more detail.
DNS PreCheck relies on local DNS interception that can conflict with VPNs built on the Windows Filtering Platform (WFP) or operating at the kernel level.
This includes:
- SSL VPNs
- Zero Trust VPNs
These VPN types cannot be used with DNS PreCheck enabled. To run both security tools together, affected environments must use Classic DNS Filtering and apply appropriate VPN configuration patterns, such as split tunneling or port and protocol prioritization.
Troubleshooting VPN compatibility
DNSFilter aims to support reliable deployments alongside common VPNs and third-party software. While we work to ensure broad compatibility, DNSFilter cannot guarantee functionality with every external tool or configuration. This article provides general guidance only and does not constitute official validation of third-party software.
If you experience VPN or software conflicts not covered here, submit a Support Request for assistance. For the fastest resolution, include the following details:
- The name and version of the VPN or software suspected to conflict with the Windows Roaming Client
- A screenshot of the Roaming Client tray icon, showing the current Connection and Filtering mode
- Diagnostic logs from an impacted device when the VPN is enabled
- A summary of troubleshooting steps already taken
In some cases, vendor-specific settings may impact compatibility. We recommend working with both DNSFilter Support and the third-party vendor to identify and resolve configuration issues.
Azure VPN
No known conflicts or configuration modifications for DNS PreCheck compatibility.
Cato Networks
No known conflicts or configuration modifications for DNS PreCheck compatibility.
Cisco AnyConnect
DNS PreCheck mode is not compatible with Cisco AnyConnect.
During testing, AnyConnect’s DNS handling prevented DNSFilter from reliably receiving queries, resulting in inconsistent or missing filtering. Because the Roaming Client cannot maintain authoritative DNS resolution in this configuration, DNS PreCheck cannot be used alongside AnyConnect.
Configure VPN compatibility by using Classic DNS Filtering with full-tunnel routing.
Cloudflare WARP
No known conflicts or configuration modifications for DNS PreCheck compatibility.
F5 BIG-IP VPN
High CPU usage has been observed when BIG-IP runs with PreCheck—likely due to overlapping zero-trust features controlling DNS or traffic routing.
FortiClient VPN / Zero Trust Agent
FortiClient's Zero Trust Agent is known to cause DNS resolution errors or failed lookups when used with DNS PreCheck mode. Review DNS settings in FortiClient and update to the latest version.
Compatibility is more consistent in Classic DNS Filtering mode.
Guardian VPN
DNS PreCheck is not compatible with Guardian VPN. Use Classic DNS Filtering mode for compatibility.
Ivanti Secure Access Client
Intermittent connection drops or DNS lookup failures have been reported when used together with DNS PreCheck. Review Ivanti’s DNS capture and tunnel policies.
Microsoft DirectAccess
PreCheck may interfere with this VPN connection if the agent is already active. Adjust startup order or DNS handling in the VPN client.
NetBird
DNS resolution loss has been reported when NetBird runs with DNS PreCheck. Review NetBird’s DNS routing and configuration.
NordLayer VPN
When active, NordLayer may cause DNS PreCheck to disconnect because both agents handle DNS at the system layer. Review NordLayer’s DNS interception settings.
OpenVPN
No known conflicts or configuration modifications for DNS PreCheck compatibility.
Palo Alto GlobalProtect
No known conflicts or configuration modifications for DNS PreCheck compatibility.
Perimeter 81 (Harmony SASE)
Conflicts occur even when Perimeter 81 is not actively logged in. Update to the latest version; older versions (10.1.1.1438 and earlier) are known to cause DNS issues.
Twingate
When Twingate is active with DNS PreCheck, DNS resolution may be lost. Check Twingate’s DNS handling and ensure it does not override the agent’s processing.
WatchGuard Mobile VPN (SSL)
Internet access may stop once the VPN connects alongside DNS PreCheck. Review WatchGuard’s DNS proxy or tunnel settings.
WireGuard VPN
When using WireGuard, all public internet traffic is routed through the VPN tunnel by default. This behavior can interfere with DNSFilter’s local Block Page, which is hosted on the endpoint and does not respond through the WireGuard tunnel.
To ensure Block Pages load correctly, exclude DNSFilter’s Block Page IP from your WireGuard configuration.
How to configure the exclusion:
- WireGuard does not support explicit “excluded IPs”
- Use a tool such as the WireGuard AllowedIPs Calculator to calculate exclusions
- Enter the DNSFilter Block Page IP as a disallowed IP: 18.205.54.142/32
- Add your existing allowed IP ranges and generate the result
- Apply the generated IP ranges to the AllowedIPs section of your WireGuard configuration
This prevents WireGuard from routing Block Page traffic through the VPN tunnel while preserving normal VPN behavior.
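The calculation an AllowedIPs calculator performs can be reproduced locally with Python's standard ipaddress module. This is an added example, not DNSFilter or WireGuard code; the function names and the sample allowed ranges are assumptions, and only the Block Page IP comes from this article.

```python
import ipaddress

# Block Page IP as given in this article.
BLOCK_PAGE = "18.205.54.142/32"


def allowed_ips_excluding(allowed, excluded):
    """Return the minimal CIDR list covering `allowed` minus `excluded`."""
    nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    for ex in (ipaddress.ip_network(e, strict=False) for e in excluded):
        remaining = []
        for net in nets:
            if net.version != ex.version or not net.overlaps(ex):
                remaining.append(net)  # this range is untouched by the exclusion
            elif ex.supernet_of(net):
                continue  # the whole range is excluded, so drop it
            else:
                # net strictly contains ex: split net into the subnets around ex
                remaining.extend(net.address_exclude(ex))
        nets = remaining
    # Merge adjacent blocks per address family so the list stays short.
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return sorted(v4) + sorted(v6)


def allowed_ips_line(allowed, excluded):
    """Format the result as a WireGuard [Peer] AllowedIPs line."""
    nets = allowed_ips_excluding(allowed, excluded)
    return "AllowedIPs = " + ", ".join(str(n) for n in nets)


if __name__ == "__main__":
    # Constructed sample: a full-tunnel peer (all IPv4 and IPv6 traffic).
    print(allowed_ips_line(["0.0.0.0/0", "::/0"], [BLOCK_PAGE]))
```

Excluding a single /32 from 0.0.0.0/0 yields 32 IPv4 prefixes; paste the printed line over the existing AllowedIPs entry for the peer.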
Zscaler Private Access (ZPA)
If ZPA enforces its own secure DNS inspection, DNS PreCheck may not receive DNS queries for filtering. Adjust ZPA settings so DNS queries flow through DNS PreCheck.