If an internet service provider (ISP) uses transparent DNS proxying, DNSFilter may not function correctly. Transparent proxying intercepts DNS requests and redirects them to the ISP’s DNS servers instead of the DNSFilter resolvers.
When this occurs, DNSFilter may fail to activate, policies may not apply, or DNS traffic may not appear in reporting.
In many cases, contacting the ISP’s support team can resolve the issue by disabling the DNS proxy. If the ISP cannot disable the feature, firewall rules may be used to bypass the proxy.
Below are examples of ISP configurations known to intercept DNS traffic.
Comcast / Xfinity
Organizations using Comcast or Xfinity with static IP services may encounter issues due to the SecurityEdge feature.
SecurityEdge blocks or rejects DNS traffic sent to external resolvers, which prevents DNSFilter from receiving queries.
To resolve this issue:
- Contact Comcast/Xfinity support and request that SecurityEdge be disabled
- Configure the modem in pass-through mode
Pass-through mode may require disabling:
- Firewall features
- Local DHCP services
- Built-in Wi-Fi services
After SecurityEdge is disabled, DNS traffic can be sent directly to DNSFilter.
T-Mobile Business Internet
T-Mobile’s Business Internet service includes a transparent DNS proxy that routes DNS traffic through OpenDNS.
To allow DNSFilter to function, contact T-Mobile support and request removal of the Productivity Filter from the account.
Changes typically take up to 24 hours to apply.
Other providers
Some satellite, mobile, and regional ISPs also intercept DNS traffic for caching, filtering, or regulatory purposes.
If DNSFilter deployment fails or DNS traffic does not appear in the dashboard, contact the ISP and confirm whether DNS proxying or DNS interception is enabled on the connection.