Relay on a Windows DC

Gary Salatino Jr

• September 10, 2025 19:49

I setup a relay on my domain controller. I did the generated install. My DNS forwarders in AD are set to the DNSFilter ones and root hints disabled. But the relay is showing no traffic in the console.

print

• 

  Minetta Gould Community Team DNSFilter Staff

  • September 10, 2025 20:57

  Hi Gary Salatino Jr , Thanks for reaching out! From what you’ve described, it looks like the relay may not actually be in the path of your DNS queries, which is why no traffic is showing in the console. A few things you can check:

  1. Where clients are pointed: Confirm that your client machines are sending DNS to the relay (either directly, or through your domain controller with the relay set as its forwarder). If the DC is set to use DNSFilter resolvers directly, queries will bypass the relay.
  2. Relay visibility: Make sure the relay is assigned to a site or policy in your DNSFilter dashboard. Otherwise, traffic won’t appear in reporting.
  3. Connectivity: Check that nothing on the local server or network firewall is blocking outbound DNS (UDP/TCP 53, 443).

  As a quick test, you can run a lookup (e.g., nslookup google.com <relay_ip>) from a machine in your network. If it resolves successfully, that confirms queries are reaching the relay.

  Could you try those steps and let us know what you see? That will help us narrow down whether the relay is receiving traffic as expected.

  0
• 

  Gary Salatino Jr

  • September 10, 2025 21:08

  What should I set my forwarders to in my DNS server?

  0
• 

  Minetta Gould Community Team DNSFilter Staff

  • September 11, 2025 12:31

  Hi Gary! Can you run the connection test from the installation guide to confirm the setup was successful? It will display an error message if there's an issue that typically helps solve the issue quickly. 

  Let us know the test results and we can go from there! 

  0
• 

  Gary Salatino Jr

  • September 11, 2025 18:51

  nslookup -type=txt debug.dnsfilter.com 127.0.0.1
  Server:  localhost
  Address:  127.0.0.1

  Non-authoritative answer:
  debug.dnsfilter.com     canonical name = cname.vercel-dns.com

  vercel-dns.com
         primary name server = dns1.p07.nsone.net
         responsible mail addr = hostmaster.nsone.net
         serial  = 1657560354
         refresh = 43200 (12 hours)
         retry   = 7200 (2 hours)
         expire  = 1209600 (14 days)
         default TTL = 14400 (4 hours)

  0
• 

  Gary Salatino Jr

  • September 17, 2025 18:43

  I still cannot get this to work.

  0
• 

  Minetta Gould Community Team DNSFilter Staff

  • September 17, 2025 19:21

  Thanks for bearing with me — I need to clarify my earlier response. I originally misunderstood the information from our Engineers, and to be clear, we don’t recommend installing a Relay on a domain controller. 

  Most domain controllers also act as a DNS server for the network. That means they’re already handling name resolution for your devices. Adding a Relay on top of that can create conflicts, since both services are trying to manage DNS traffic at the same time.

  For a smoother setup, we suggest running the Relay on a dedicated machine instead of the DC/DNS server. This avoids DNS overlap and ensures more reliable performance.

  If you still want to test the Relay on that DC, here’s the best next step:

  1. Edit the Relay config to enable debug logging.
  2. Restart the Relay service.
  3. Capture a screenshot of the CMD window output and share it with us via starting a Support Ticket (email support@dnsfilter.com).

  That output will help confirm whether the Relay is running as expected and where the conflict might be.

  0
• 

  Gary Salatino Jr

  • September 17, 2025 19:29

  thanks for the response. Since its not recommended on DCs, ill evaluate other options.

  0
• 

  Minetta Gould Community Team DNSFilter Staff

  • September 17, 2025 23:16

  Not a problem, Gary Salatino Jr ! Here to help if anything else comes up! 

  0

Please sign in to leave a comment.