If DNS Filtering is not controlling access to domains as intended, or is blocking Microsoft services, the cause may be a configuration or caching issue, a browser setting conflict, unmet system or network requirements, or domains missing from the allow list.
DNS activity and error messages are logged in the following files:
- C:\ProgramData\Malwarebytes Endpoint Agent\Logs\dnscrypt-proxy.log
- C:\ProgramData\Malwarebytes Endpoint Agent\Logs\mbdnsfilter.log
- C:\ProgramData\Malwarebytes Endpoint Agent\Logs\EndpointAgent.txt
Symptoms
Domains not filtered on the endpoint as configured:
- No domains are being filtered.
- Domains aren't filtered as expected after updating a DNS rule.
- Access to a domain is allowed but content is missing or loads slowly.
- Windows or Office365 not functioning properly.
- A domain is blocked unexpectedly or categorized as Unreachable.
Environments
- Malwarebytes Nebula
Causes and resolutions
Cause 1: Endpoints running the endpoint agent do not meet the minimum system requirements for DNS Filtering.
Resolution 1: Update the endpoint to a supported operating system for DNS Filtering. For more information, see Requirements for DNS Filtering in Nebula.
Cause 2: The endpoint is not running the minimum Malwarebytes software component versions for DNS Filtering.
Component | Version |
Engine | Minimum 1.2.0.974 |
Endpoint Service | Minimum 1.2.0.530 |
Protection Service | Minimum 4.5.8.191 |
Component Package | Minimum 1.0.1666 |
Resolution 2: Update the Malwarebytes software on the endpoint to the minimum component versions. For more information, see Malwarebytes Nebula endpoint software update May 5, 2022.
Cause 3: The DNS Content Filtering component is missing from the following locations:
- Endpoint Overview and Agent Information in Nebula.
- The Endpoint Agent About window. To access, right-click the system tray icon on the endpoint.
Resolution 3: Check the following:
- The endpoint is communicating with Nebula. For more information, see Network access requirements and firewall settings for Nebula.
- The endpoint is in the correct group.
- The group is assigned the correct policy.
- The DNS rule has the correct policy included.
- The mbdnsfilter and dnscrypt-proxy services are running and not suppressed by other security products. For more information, see the following:
Cause 4: Windows DNS over HTTPS (DoH) and browser DoH settings are bypassing Malwarebytes DNS Filtering.
Resolution 4: Disable Windows and browser DoH settings. For more information, see Requirements for DNS Filtering in Nebula.
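To confirm the DoH state before and after applying Resolution 4, the following added example (not part of the original article or Malwarebytes tooling) reads the machine-wide DoH policy values for the Windows DNS client, Chrome, Edge and Firefox. The registry paths and value names are the vendors' documented policy settings as assumed here; verify them against current Microsoft, Google and Mozilla policy documentation.

```powershell
# Added example: registry locations are vendor policy names assumed here,
# not values taken from the Malwarebytes article.
$checks = @(
    # DoHPolicy: 1 = prohibit, 2 = allow, 3 = require
    @{ App = 'Windows DNS client'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'; Name = 'DoHPolicy'; Off = @(1) }
    # DnsOverHttpsMode: off, automatic, secure
    @{ App = 'Chrome'; Path = 'HKLM:\SOFTWARE\Policies\Google\Chrome'; Name = 'DnsOverHttpsMode'; Off = @('off') }
    @{ App = 'Edge'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'; Name = 'DnsOverHttpsMode'; Off = @('off') }
    # DNSOverHTTPS\Enabled: 0 = disabled, 1 = enabled
    @{ App = 'Firefox'; Path = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS'; Name = 'Enabled'; Off = @(0) }
)

function Get-DohPolicyState {
    foreach ($c in $checks) {
        # A missing key or value yields $null: no policy is set and the product default applies.
        $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        $state = if ($null -eq $value) { 'Not configured (default applies)' } elseif ($value -in $c.Off) { 'Disabled by policy' } else { 'Enabled or allowed by policy' }
        [pscustomobject]@{ Component = $c.App; Setting = $c.Name; Value = $value; State = $state }
    }
}

Get-DohPolicyState | Format-Table -AutoSize

# On Windows versions that ship the cmdlet, list resolvers Windows would
# upgrade to DoH automatically when they are configured as DNS servers.
if (Get-Command Get-DnsClientDohServerAddress -ErrorAction SilentlyContinue) {
    Get-DnsClientDohServerAddress |
        Where-Object AutoUpgrade |
        Select-Object ServerAddress, DohTemplate
}
```

A row reported as not configured means the browser or operating system default applies, so DoH may still be in use on that endpoint.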
Cause 5: The domain may have been allowed or blocked prior to adjusting any DNS rules and the results are cached.
Resolution 5: Flush your Windows and browser cache.
- Windows
  - Run Command Prompt as an administrator.
  - Type ipconfig /flushdns and press Enter.
- Chrome
- Firefox
- Edge
Cause 6: System time on the endpoint is not correct.
Resolution 6: Adjust your system time to accurately reflect the current time.
Cause 7: Content may be hosted under a different domain not included in the Allow List.
Resolution 7: Identify and add missing domains to the Allow List.
- In the left navigation menu, go to Monitor > DNS Filtering.
- Under the Outcome column, filter results by Block.
- Under the Endpoint column, filter results by the endpoint experiencing the issue.
- Identify additional domains that need to be added to the Allow List.
- Update the allow list for each rule as required.
Cause 8: Domain is unexpectedly blocked or categorized as Unreachable.
Resolution 8: Review the block details and perform one of the following tasks:
- Check the DNS activity page and update the affected DNS rule:
  - In the left navigation menu, go to Monitor > DNS Filtering.
  - Under the Outcome column, filter results by Block.
  - Under the Endpoint column, filter results by the endpoint experiencing the block.
  - Note each category listed under the Category column for the blocked domain.
    - If the category is Unreachable, this may be because the DNS lookup of a parent CNAME fails. A missing record results in the child domain being categorized as Unreachable.
    - Check that the domain and its parents have valid CNAME records.
  - Remove these categories from the affected DNS rule or add the blocked domain to the allow list of the DNS rule.
- Send feedback to Cloudflare.
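One way to check that a domain and its parents have valid CNAME records, as an added example that is not part of the original article: the function follows the CNAME chain hop by hop with Resolve-DnsName and reports the first hop that fails, loops, or ends without an address. The function name, its parameters and the www.example.com target are placeholders chosen for illustration.

```powershell
function Test-CnameChain {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$Server,       # optional resolver to query instead of the system default
        [int]$MaxHops = 10
    )
    $opts = @{ DnsOnly = $true; ErrorAction = 'Stop' }
    if ($Server) { $opts.Server = $Server }
    $seen = @{}
    $current = $Name.TrimEnd('.')
    for ($hop = 0; $hop -lt $MaxHops; $hop++) {
        if ($seen[$current]) {
            return [pscustomobject]@{ Hop = $hop; Name = $current; Result = 'CNAME loop' }
        }
        $seen[$current] = $true
        try {
            $cname = Resolve-DnsName -Name $current -Type CNAME @opts |
                Where-Object { $_.Type -eq 'CNAME' -and $_.Name -eq $current } |
                Select-Object -First 1
        } catch {
            # A failed lookup at this hop breaks every name that points to it.
            return [pscustomobject]@{ Hop = $hop; Name = $current; Result = "Lookup failed: $($_.Exception.Message)" }
        }
        if ($cname) {
            [pscustomobject]@{ Hop = $hop; Name = $current; Result = "CNAME -> $($cname.NameHost)" }
            $current = $cname.NameHost.TrimEnd('.')
            continue
        }
        # End of the chain: the final name must still resolve to an address.
        try {
            $addr = Resolve-DnsName -Name $current @opts |
                Where-Object { $_.Type -eq 'A' -or $_.Type -eq 'AAAA' }
        } catch { $addr = $null }
        $result = if ($addr) { 'Resolves: ' + (($addr.IPAddress | Select-Object -Unique) -join ', ') } else { 'No A/AAAA record' }
        return [pscustomobject]@{ Hop = $hop; Name = $current; Result = $result }
    }
    [pscustomobject]@{ Hop = $MaxHops; Name = $current; Result = 'Chain longer than MaxHops' }
}

# Placeholder domain; substitute the blocked domain from the DNS activity page.
Test-CnameChain -Name 'www.example.com' | Format-Table -AutoSize
```

Running it once against the system resolver and once with -Server set to another resolver shows whether the broken hop is in public DNS or specific to the endpoint's resolution path.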
Cause 9: Microsoft services are included in the blocked categories of the DNS rule.
Resolution 9: Add the following domains to the allow list or global exclusions.
Domain | Categories | Description |
www.msftconnectiontest.com, ip6.msftconnectiontest.com | Technology > Content Servers | Allows Windows to report in the System Tray that there is an internet connection. |
windowsupdate.com | Business & Economy > Business Technology > Information Technology | Allows Windows to update. |
client.wns.windows.com, cns.msftcsi.com, time.windows.com, portal.office.com, siscr.update.com, edgedl.me.gvt1.com, www.microsoft.com, outlook.office365.com, officeclient.microsoft.com, rms.na.aadrm.com | Ads > Advertisements, Business > Business, Internet Communication > Webmail, Technology > APIs, Technology > Content Servers, Technology > Information Technology, Technology > Technology | Services used for Office365 registration, license, validation, profile lookup, etc. |