Roaming Client Failover
now
Chris Wilson
When the roaming agent fails to resolve DNS queries due to enterprise network conditions such as DNS Doctoring please provide an automatic remediation method after a specified time period to temporarily disable the DNSFilter Agent. Controlling this feature through the deployment command line would be sufficient.
Why: We have roaming clients that are unable to resolve DNS requests on specific enterprise networks and it's painful as the current fix is telling them to pack up their bag and leave or 4G hotspot since they don't have Administrative rights. We're working on a scheduled task script to monitor connectivity and the script will disable the Windows service, set DNS to DHCP, and flush the DNS. We have found these three steps to resolve the issue when it happens.
Command-line options:
AUTOREMEDIATION="enabled" allows the roaming agent to self heal connectivity issues caused by enterprise configurations such as DNS Doctoring. Automatic Remediation will temporarily disable the Windows service and static DNS configuration when a DNS request cannot be made to DNSFilter servers. When Automatic Remediation is running a connectivity check will be issued every 300 seconds on the client and if successful will re-enable the DNSFiltering Agent protection.
NETWORKTIMEOUT="300" allow you to specifiy a custom network timeout before DNSFilter will attempt automatic remediation. Default is 300 seconds.
M
Matt Riechman-Bennett
I see this listed as a known PreCheck limitation:
https://help.dnsfilter.com/hc/en-us/articles/48237150896787-DNS-PreCheck-Known-Limitations#h_01KF11R90DK5KBNHZTZ8PTA9H2
Is there an ETA for the Fail-open option to be available in the custom filtering mode using Classic filtering?
Minetta Gould
Matt Riechman-Bennett, Thanks for your patience! No ETA on fail-open for Classic DNS Filtering: we still plan to do it, however do not have a timeline for release.
R
Ryan Poppa
marked this post as
now
Kate Trojanowski
marked this post as
next
Moving this to Planned/Next
There is a mix of requests here: 1. Ability to enable/disable and 2. Fail open and perhaps 3. Permission a user to locally enable/disable
For 1. RC Management Dashboard controls, including remotely enable/disable, are planned to enter development next for both Windows and macOS
For 2. Fail open will be included in the DNS Pre-Check for Windows. Follow along here: https://dnsfilter.canny.io/feature-requests/p/dns-pre-check-for-windows-agent
For 3. In the case of a Fail close scenario, the RC Dashboard enable/disable function would never reach the device, so we should add a control to let you decided to allow the user this function (typically via tray)
Jonathan Bullock
Under a Site > Deployments > Local Domains you can add Local Domain Suffixes and Local Resolvers per site.
Alyssa Leinweber
This is critical. We are struggling with issues with DNSFilter and we dont have an easy way to disable it without either a full uninstall or manually changing the daemon.conf file. There should be a bypass option within the console for Macs & Window machines that allows us to get our users back online while we troubleshoot
Chris
Original poster. Did you figure out a work around via the task scheduler that you would be willing to share?
Kahle
We would love to see some sort of failover option. The most recent issue with DNS resolution in Denver caused multiple clients to lose internet completely and we couldn't run any remote scripts to disable or bypass until the issue was resolved. The only resolution was to go through clients one by one and manually disable the service until the issue was resolved. Quick support helped get this fixed but as others have said, "failing back to a slightly-less-secure-but-still-working internet is far more important than locking down all network traffic no matter what."
Adam Rice
Absolutely need this option. As an MSP, for my clients, failing back to a slightly-less-secure-but-still-working internet is
far
more important than locking down all network traffic no matter what.Matt Ellsworth
I'm on board for our users. If DNSFilter servers are being blocked, some failover (and an alert HINT HINT) would be good with us. Then we can remote into the machines and troubleshoot. It's hard to remotely connect to a machine that doesn't have DNS service.
Mikey @DNSFilter
Merged in a post:
Backup DNS
J
Jeff Hampson
When I install the DNSfilter app, it controls my computers DNS. Which is fine. I would like for there to be a way for me to set a backup DNS on your app. Perhaps its not DNSfilter but some other public DNS.
Load More
→