
    DNSFilter is an enterprise-level cybersecurity tool focused on DNS-based threat protection and content filtering.

    Depending on your DNSFilter deployment methods, our products can work together seamlessly with only minimal extra configuration.


    If you use a DNSFilter Network Deployment or the DNSFilter Relay

    Both network-level filtering and the DNSFilter Relay rely on either the public IPs of DNSFilter's servers or the private IPs of your Relay servers being set as the DNS servers on the device(s) you're looking to protect.

    Because of how Twingate works, in this setup anything that is not defined as a Twingate resource is automatically forwarded to the DNSFilter servers for resolution, and is allowed or filtered according to the rules you have configured in your DNSFilter policy.

    No extra configuration is required on either side to have everything work correctly.

    If you use the DNSFilter Roaming Client

    The DNSFilter Roaming Client is a device-level agent that is installed on your device(s) and acts as a DNS forwarder, capturing your DNS requests and sending them to the DNSFilter servers.

    As part of its startup process, the Roaming Client attempts some "test" DNS requests over TCP and UDP. As part of normal Twingate operation, we prevent these requests (to ensure that no DNS request is handled without our involvement, that no connections are missed, and so on). The client interprets these failures as an indication that there is no internet connectivity, and the device can end up with limited or no internet connectivity as a direct result.

    However, all of the DNSFilter Roaming Clients can be configured to use DNS-over-TLS, a secure, encrypted method of sending DNS requests that is not blocked by default when the Twingate client is installed.

    This configuration change is easily accomplished through a registry edit on Windows, or a configuration file edit on macOS as follows:

    Windows Devices:

    After installing the Windows roaming client, you may create the following registry key value to set “tcp-tls” as the preferred connection method.

    For the retail version of the roaming client:

    reg add "HKLM\Software\DNSFilter\Agent" /v UpstreamOrder /d "tcp-tls" /f

    For the MSP/whitelabel edition of the roaming client:

    reg add "HKLM\Software\DNSAgent\Agent" /v UpstreamOrder /d "tcp-tls" /f


    macOS Devices:

    1. Open the daemon.conf file for editing.

    For the retail version:

    sudo nano /Library/Application\ Support/DNSFilter\ Agent/daemon.conf

    For the MSP/whitelabel edition:

    sudo nano /Library/Application\ Support/DNSFilter\ Agent/daemon.conf

    2. Set upstream_order at the top of the config file, as shown in the snippet below.

    upstream_order = [ "tcp-tls"]


    You may need to restart the clients in order for this change to take effect, but once you have, things should be working correctly!
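
    Where daemon.conf is changed by a management script rather than by hand in nano, the macOS step above can be applied idempotently, as in this added example (not DNSFilter's or Twingate's own tooling). The function name set_upstream_order is hypothetical, and the example assumes any existing upstream_order entry sits on a single line; it refuses to edit the file otherwise.

```shell
#!/bin/sh
# Added example: apply the macOS daemon.conf change from this article idempotently.
# Usage (as root), with the path given in the article:
#   set_upstream_order "/Library/Application Support/DNSFilter Agent/daemon.conf"
UPSTREAM_LINE='upstream_order = [ "tcp-tls"]'   # exact line from the article

# set_upstream_order FILE   (hypothetical helper name)
# Returns 0 on success or if already set, 1 if FILE is missing,
# 2 if an existing upstream_order entry spans several lines (edit by hand).
set_upstream_order() {
    conf=$1
    [ -f "$conf" ] || { echo "missing: $conf" >&2; return 1; }

    # Nothing to do if the line is already first and is the only such entry.
    if [ "$(head -n 1 "$conf")" = "$UPSTREAM_LINE" ] &&
       [ "$(grep -c '^[[:space:]]*upstream_order[[:space:]]*=' "$conf")" -eq 1 ]; then
        return 0
    fi

    # Assumption: an existing entry fits on one line. Removing only the first
    # line of a multi-line array would corrupt the file, so stop instead.
    if grep '^[[:space:]]*upstream_order[[:space:]]*=' "$conf" | grep -qvF ']'; then
        echo "multi-line upstream_order in $conf; edit manually" >&2
        return 2
    fi

    tmp=$(mktemp) || return 1
    {
        # New setting goes at the top, as the article instructs.
        printf '%s\n' "$UPSTREAM_LINE"
        # Keep everything else, dropping any previous (uncommented) entry.
        grep -v '^[[:space:]]*upstream_order[[:space:]]*=' "$conf" || true
    } > "$tmp"
    cp -p "$conf" "$conf.bak"   # rollback copy
    cat "$tmp" > "$conf"        # overwrite in place so owner and mode are kept
    rm -f "$tmp"
}
```

    The function leaves a daemon.conf.bak beside the file the first time it changes it; the client restart mentioned above still applies.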