Skip to main content

Troubleshoot DNS Filtering in Nebula

If DNS Filtering is not controlling access to domains as intended or blocking Microsoft services, it may be a configuration or caching issue, browser setting conflict, missing system or network requirements, or missing domains from the allow list. 

DNS activity and error messages are logged in the following files: 

  • C:\ProgramData\Malwarebytes Endpoint Agent\Logs\dnscrypt-proxy.log
  • C:\ProgramData\Malwarebytes Endpoint Agent\Logs\mbdnsfilter.log
  • C:\ProgramData\Malwarebytes Endpoint Agent\Logs\EndpointAgent.txt

Symptoms

Domains not filtered on the endpoint as configured:

  • No domains are being filtered.
  • Domains aren't filtered as expected after updating a DNS rule.
  • Access to a domain is allowed but content is missing or loads slowly.
  • Windows or Office365 not functioning properly.

Environments

  • Malwarebytes Nebula

Causes and resolutions

Cause 1: Endpoints running the endpoint agent do not meet the minimum system requirements for DNS Filtering.

Resolution 1: Update the endpoint to a supported operating system for DNS Filtering. For more information, see Requirements for DNS Filtering in Nebula.

 

Cause 2: The endpoint is not running the minimum Malwarebytes software component versions for DNS Filtering.

Component

Version

Engine

Minimum 1.2.0.974

Endpoint Service

Minimum 1.2.0.530

Protection Service

Minimum 4.5.8.191

Component Package

Minimum 1.0.1666

Resolution 2: Update the Malwarebytes software on the endpoint to the minimum component versions. For more information, see Malwarebytes Nebula endpoint software update May 5, 2022.

 

Cause 3: The DNS Content Filtering component is missing from the following locations:

  • Endpoint Overview and Agent Information in Nebula.
  • The Endpoint Agent About window. To access, right-click the system tray icon on the endpoint.

Resolution 3: Check the following:

 

Cause 4: Windows DNS over HTTPS (DoH) and browser DoH settings bypassing Malwarebytes DNS Filtering. 

Resolution 4: Disable Windows and browser DoH settings. For more information, see Requirements for DNS Filtering in Nebula.

 

Cause 5: The domain may have been allowed or blocked prior to adjusting any DNS rules and the results are cached.  

Resolution 5: Flush your Windows and browser cache.

  • Windows
    1. Run cmdprompt as an administrator.
    2. Type ipconfig /flushdns and press enter.
  • Chrome
  • Firefox
  • Edge

 

Cause 6: System time on the endpoint is not correct.

Resolution 6: Adjust your system time to accurately reflect the current time.

 

Cause 7: Content may be hosted under a different domain not included in the Allow List.

Resolution 7: Identify and add missing domains to the Allow List.

  1. In the left navigation menu, select DNS Filtering.
  2. Under the Outcome column, filter results by Block.
  3. Under the Endpoint column, filter results by the endpoint experiencing the issue.
  4. Identify additional domains that need to be added to the Allow List.
  5. Update the allow list for each rule as required.

 

Cause 8: Microsoft services are included in the blocked categories of the DNS rule.

Resolution 8: Add the following domains to the allow list or global exclusions.

Domain Categories Description

www.msftconnectiontest.com

ip6.msftconnectiontest.com

 Technology > Content Servers Allows Windows to report in the System Tray that there is an internet connection.
windowsupdate.com Business > Business Technology > Information Technology Allows Windows to update.

client.wns.windows.com

cns.msftcsi.com

time.windows.com

portal.office.com

siscr.update.com

edgedl.me.gvt1.com

www.microsoft.com

outlook.office365.com

officeclient.microsoft.com

Business > Business

Internet Communication > Webmail

Technology > Content Servers

Technology > Information Technology

Technology > Technology

 

 Services used for Office365 registration, license, validation, profile lookup, etc.

 

Return to Malwarebytes Nebula DNS Filtering guide.

Related articles