DNS Security - Endpoint (DarkLayer Guard - Endpoint) creates a local DNS Server that works as a filtering engine before the DNS query performed by the user is resolved. The DarkLayer Guard DNS Server hijacks the DNS IP Address on the active Network Adapter(s) to scan for malicious websites and other web locations (servers, online ads, etc.) that can potentially install malware or be used as gateways for cyber-attacks.
1. I am using a VPN product/service and DarkLayer Guard does not work
2. The DNS queries are not resolved or the DNS traffic is not being filtered
I am using a VPN product/service and DarkLayer Guard does not work
BEHAVIOR: the DNS queries are not resolved or the DNS traffic is not being filtered.
SOLUTION: troubleshoot this issue by working through the steps below.
1. The DarkLayer Guard is compatible with the following VPN services: Cisco AnyConnect, Fortinet's FortiClient, Palo Alto's Global Protect, and any other VPN service that creates a TAP adapter that allows split-tunneling.
2. With Cisco AnyConnect, besides enabling the compatibility option in the DNS Security Endpoint settings, make sure that you split-exclude the HEIMDAL IP Addresses; otherwise the DarkLayer Guard will not work.
3. With any of the other VPN products mentioned above, it is enough to enable the compatibility option in the DNS Security Endpoint settings.
If none of the steps above fix the issue, please reach out to the HEIMDAL Security Support Team.
The DNS queries are not resolved or the DNS traffic is not being filtered
BEHAVIOR: the DNS queries are not resolved or the DNS traffic is not being filtered.
SOLUTION: troubleshoot this issue by working through the steps below.
1. Before checking any settings, make sure that if you have a Firewall/Proxy, you have whitelisted the HEIMDAL Security IP Addresses/domains and Ports. Also, make sure you are not using a VPN product that is not compatible with the DNS Security Endpoint.
2. Check the Internet Protocol Version 4 (TCP/IPv4) and/or Internet Protocol Version 6 (TCP/IPv6) to see if the DarkLayer Guard DNS IP Address is set:
For IPv4 you should see 127.7.7.x.
For IPv6, you should see fe80::wwww:xxxx:yyyy:zzzz.
If these IP Addresses are present, open an incognito/private window and try accessing notblockedbyheimdalsecurity.com. You should see the HEIMDAL Security block page (saying that your endpoint is protected).
3. If the DarkLayer Guard DNS IP Addresses are not present and you see your own DNS IP Addresses instead (whether they are set statically or automatically by the DHCP Server), it means the DarkLayer Guard didn't succeed in setting the 127.7.7.x or fe80::wwww:xxxx:yyyy:zzzz address. The next thing to try is to restart the Heimdal DarkLayer Guard service. To do that, you need the Heimdal LogTracer (to disable the Tamper Protection); then open Windows Services (run services.msc as an Administrator) and restart the Heimdal DarkLayer Guard service. Stopping the Heimdal DarkLayer Guard service restores the DNS IP Addresses to the initial configuration. After restarting the service, check the DNS IP Addresses set on IPv4/IPv6 again. If they are not present, proceed with the next step.
If none of the steps above fix the issue, please reach out to the HEIMDAL Security Support Team.
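The adapter check from steps 2 and 3 can also be done from a PowerShell prompt. The script below is an added example, not HEIMDAL's own tooling. It is read-only and assumes the service display name contains "DarkLayer Guard", as the article names it; the `DarkLayerDns` column and the variable names are made up for this example.

```powershell
# Added example (not vendor code): read-only check of the DNS servers set on
# every active network adapter, compared with the addresses the article expects:
#   IPv4 -> 127.7.7.x      IPv6 -> a link-local fe80:: address
$expected = @{
    IPv4 = '^127\.7\.7\.\d{1,3}$'
    IPv6 = '^fe80::'
}

$report = foreach ($adapter in Get-NetAdapter | Where-Object Status -eq 'Up') {
    foreach ($family in 'IPv4', 'IPv6') {
        # @() keeps the result an array even when zero or one server is set
        $servers = @((Get-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex `
                        -AddressFamily $family -ErrorAction SilentlyContinue).ServerAddresses)

        [pscustomobject]@{
            Adapter      = $adapter.Name
            Family       = $family
            DnsServers   = $servers -join ', '
            # True when at least one configured server matches the expected pattern
            DarkLayerDns = [bool]($servers -match $expected[$family])
        }
    }
}
$report | Format-Table -AutoSize

# Adapters still showing their own (static or DHCP) resolvers are the step 3 case.
$unfiltered = $report | Where-Object { $_.Family -eq 'IPv4' -and -not $_.DarkLayerDns }
if ($unfiltered) {
    Write-Warning ("DarkLayer Guard DNS address not set on: " +
                   (($unfiltered.Adapter | Sort-Object -Unique) -join ', '))
}

# Service state. Assumption: the display name contains 'DarkLayer Guard'.
Get-Service -DisplayName '*DarkLayer Guard*' -ErrorAction SilentlyContinue |
    Select-Object DisplayName, Status, StartType
```

Run it before and after restarting the service to confirm whether the 127.7.7.x / fe80:: addresses were reapplied, and include the output when contacting support.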