Choosing a Deployment Type: Static Locations vs Roaming Devices
Learn about the two deployment types available in CyberFOX DNS Filtering — Static Locations and Roaming Devices — and how to choose the right one for your environment.
Overview
This knowledge base page gives an overview of the two deployment types you can configure to use the CyberFOX DNS service: Static Locations and Roaming Devices. Each deployment type has its own configuration and use cases, giving you flexibility in how you secure your network.
Note: DNS-based filtering does not decrypt HTTPS traffic. This can impact how blocked pages appear in browsers. See: Why Block Pages Do Not Appear on Some Websites (HTTPS / HSTS)
Static Locations
You only need to follow a few straightforward steps to set up CyberFOX DNS filtering for a location. Static locations are tied to physical IP addresses, and IP-based policies are used to manage DNS requests. This setup is ideal for offices, data centers, or any fixed locations where devices connect to a specific network. It provides straightforward network protection without the need to secure devices outside this network.
Hyper-V and Virtualized Environments
If you are running a Hyper-V host (or any other hypervisor such as VMware), do not attempt to install the DNS Filtering agent on virtual machines hosted on that server. The agent binds to port 53 on the local machine, and this conflicts with the Hyper-V host's internal DNS service, which already owns that port — the agent will fail to start.
The correct approach for these environments is a Static Location configured at the perimeter firewall or router. Point the outbound DNS forwarder on the firewall to the CyberFOX DNS IPs, and the entire network — including all VMs on the Hyper-V host — will be filtered without any per-machine agent installation.
The DNS Filtering agent is intended for physical roaming endpoints only (laptops and workstations that leave the network). See: Using the DNS Filtering Agent (Windows).
A Static Location offers general, non-specific reporting by location and is particularly useful when you cannot control the user’s endpoint or install software, such as with guest Wi-Fi. You can still enforce filtering policies even without control over the device.
To configure this, you need to modify the DNS forwarder settings on your network to point to the CyberFOX DNS resolver IP addresses. This adjustment can be made at the firewall, router, or modem level, depending on what manages your outbound traffic. For the current IP addresses and required ports, see: IP Addresses and URLs to Allowlist
Roaming Devices
Roaming devices are designed to move seamlessly between networks while utilizing DNS over HTTPS (DoH), DNS over TLS (DoT) or our Agent for secure DNS queries. This deployment type is ideal for laptops, mobile devices, and any other devices that require secure DNS resolution, regardless of their physical location. It ensures that your devices remain protected whether they are in the office, at home, in an airport, or anywhere else, while providing specific reporting for each device or user.
Hyper-V and Virtualized Environments
Installing the DNS roaming agent on a Hyper-V virtual machine or other hypervisor guest is not supported. The agent requires exclusive use of port 53, which conflicts with the Hyper-V host's DNS service. For environments using Hyper-V or similar virtualization platforms, configure DNS filtering as a Static Location at the perimeter firewall or router instead. The agent should only be deployed on physical roaming endpoints (laptops, workstations) that leave the network.
Administrators can assign specific policies to a device or user, ensuring that these policies follow them wherever they go, regardless of which device they use. There are two main options for configuring devices: encrypted DNS (DoH or DoT) or our Roaming Client software. DNS over HTTPS and DNS over TLS secure DNS queries by encrypting the DNS traffic, ensuring privacy and security across different networks. Alternatively, the Roaming Client software can be installed on devices to manage DNS requests and enforce policies directly. This software is particularly beneficial for devices that frequently switch between different networks.
We provide detailed instructions for setting up DNS over HTTPS and DNS over TLS on Windows, Linux, macOS, Android, and iOS devices. Roaming Clients for Windows can be deployed using Remote Monitoring and Management (RMM) tools such as Microsoft Intune (Microsoft Endpoint Manager) or installed on a per-device basis. This flexibility enables efficient and scalable management of secure DNS resolution across various devices and locations.
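A pre-install check for the port 53 conflict described in the Hyper-V sections, written as an added example (not CyberFOX's own code) that could be pushed through an RMM before deploying the Windows agent. It lists whatever already listens on port 53 and flags likely hypervisor guests; the function names, the model-string heuristic and the recommendation text are assumptions.

```powershell
# Added example: report listeners on port 53 and whether this looks like a VM.
function Get-Port53Owner {
    # UDP endpoints and TCP listeners bound to port 53, if any.
    $udp = Get-NetUDPEndpoint -LocalPort 53 -ErrorAction SilentlyContinue |
        Select-Object @{n='Protocol';e={'UDP'}}, LocalAddress, OwningProcess
    $tcp = Get-NetTCPConnection -LocalPort 53 -State Listen -ErrorAction SilentlyContinue |
        Select-Object @{n='Protocol';e={'TCP'}}, LocalAddress, OwningProcess

    foreach ($e in @($udp) + @($tcp)) {
        if ($null -eq $e) { continue }   # nothing found for that protocol
        $proc = Get-Process -Id $e.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol     = $e.Protocol
            LocalAddress = $e.LocalAddress
            ProcessId    = $e.OwningProcess
            ProcessName  = if ($proc) { $proc.ProcessName } else { 'unknown' }
        }
    }
}

function Test-AgentPrerequisite {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    # Heuristic (assumption): common hypervisor guests report a model string
    # containing "Virtual" or "VMware"; treat a match as "probably a VM".
    $looksLikeVm = $cs.Model -match 'Virtual|VMware'
    $owners = @(Get-Port53Owner)

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Model          = $cs.Model
        LooksLikeVM    = $looksLikeVm
        Port53InUse    = $owners.Count -gt 0
        Port53Owners   = $owners
        Recommendation = if ($looksLikeVm -or $owners.Count -gt 0) {
            'Use a Static Location at the firewall or router'
        } else {
            'Port 53 is free on a physical endpoint: agent can be installed'
        }
    }
}

Test-AgentPrerequisite | Format-List
```

Run it before installation: once the agent is installed, the agent itself will appear as the owner of port 53.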
