When Enclave and the DNSFilter Windows Roaming Client are installed on the same device, the two products can conflict at the DNS layer.
The Roaming Client intercepts DNS traffic locally to enforce filtering policy, which can prevent Enclave-managed hostnames—such as names in the .enclave zone or any custom zones—from resolving correctly.
DNSFilter is not an expert in Enclave configuration. Consult Enclave's documentation for platform-specific guidance.
Resolve the conflict using an NRPT rule
The recommended solution is to create a Windows Name Resolution Policy Table (NRPT) rule that routes queries for Enclave-managed zones directly to the Enclave Virtual Adapter, bypassing the Roaming Client for those names only. All other DNS traffic continues to flow through DNSFilter as normal.
Add an NRPT rule for each Enclave-managed zone, replacing .enclave with the applicable zone suffix and the IP address with the Enclave Virtual Adapter address:
Add-DnsClientNrptRule -Namespace ".enclave" -NameServers "<Enclave Virtual Adapter IP>"
To verify the rule is applied:
Get-DnsClientNrptRule
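The two commands above combined into a repeatable script, as an added example that is not DNSFilter's or Enclave's own code: it adds a rule only for zones that lack one pointing at the Enclave adapter, flags rules that send a zone elsewhere, and then checks the effective policy. The custom zone `.corp.example` is a constructed placeholder, and the adapter address must be filled in before running.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell session.
$EnclaveDnsIp = '<Enclave Virtual Adapter IP>'   # placeholder: set to the adapter address
$Zones        = @('.enclave', '.corp.example')    # '.corp.example' is a constructed custom zone

# Refuse to create rules while the placeholder is still in place.
$parsed = $null
if (-not [System.Net.IPAddress]::TryParse($EnclaveDnsIp, [ref]$parsed)) {
    throw 'Set $EnclaveDnsIp to the Enclave Virtual Adapter address before running.'
}

foreach ($zone in $Zones) {
    # Local NRPT rules that already cover this namespace.
    $rules   = @(Get-DnsClientNrptRule | Where-Object { $_.Namespace -contains $zone })
    $hasRule = $false

    foreach ($rule in $rules) {
        $servers = @($rule.NameServers | ForEach-Object { "$_" })
        if ($servers -contains $EnclaveDnsIp) {
            $hasRule = $true
        } else {
            # A rule for an Enclave zone that points somewhere else should be reviewed, not silently kept.
            Write-Warning "Rule $($rule.Name) sends $zone to $($servers -join ', '); review it."
        }
    }

    # Add the rule only when it is missing, so repeated runs do not create duplicates.
    if (-not $hasRule) {
        Add-DnsClientNrptRule -Namespace $zone -NameServers $EnclaveDnsIp -Comment 'Enclave zone'
    }
}

# Verify against the effective policy, which is what the DNS client actually applies.
foreach ($zone in $Zones) {
    $policy = @(Get-DnsClientNrptPolicy -Effective | Where-Object { $_.Namespace -contains $zone })
    $routed = [bool]($policy | Where-Object {
        @($_.NameServers | ForEach-Object { "$_" }) -contains $EnclaveDnsIp
    })
    [pscustomobject]@{ Zone = $zone; RoutedToEnclave = $routed }
}
```

`Get-DnsClientNrptPolicy -Effective` reports the merged policy, which can differ from the local rule list when NRPT settings are also delivered by Group Policy.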