CyberFOX DNS Filtering Troubleshooting Guide
Troubleshoot CyberFOX DNS Filtering fast—fix browser DNS‑over‑HTTPS (DoH) bypass, verify location and roaming device configs, open required firewall ports, and use the DNS Portal’s Guided Assistance Wizard. Includes annotated screenshots and FAQs.
Introduction
CyberFOX DNS Filtering protects users by blocking malicious and unwanted domains while improving compliance and productivity. If filtering isn’t working as expected—e.g., block pages don’t appear, domains aren’t being blocked, or browsers bypass policies—use this guide to diagnose and fix issues quickly.
Guided Assistance Wizard in the Portal
Use the (1) Troubleshooting page to launch the (2) Guided Assistance Wizard. Confirm that you have configured the location or installed the agent on the device before (3) Continuing to troubleshoot. Then you can filter by (4) Roaming devices or Locations that you need to troubleshoot, and follow the guided steps to check your settings.

Portal‑Driven Troubleshooting Flows
Using the troubleshooting page lets you see the status of devices or locations and provides you with information and troubleshooting guides:
Locations (router / firewall / DHCP enforced)
Use the (1) Troubleshooting page to (2) search for the device, location, or Company you need to troubleshoot. When looking at the location, you can quickly find information on:
- Current Status at a glance
- The last time it checked in, status, configured IP address for the location, and the last IP address it checked in from.
- If you need to make changes, you can click on the Configure Button to access the configuration page, or the Troubleshooting Wizard to work through the troubleshooting wizard for this location

Roaming Devices (desktop client or OS DoH/MDM profile)
Use the (1) Troubleshooting page to (2) search for the device, location, or Company you need to troubleshoot. When looking at the device, you can quickly find information on:
- Current Status at a glance
- The last time it checked in, status, assigned policy for the device, Fallback Mode configured, and the last IP address it checked in from.
- If you need to make changes, you can click on the Configure Button to access the configuration page, or the Troubleshooting Wizard to work through the troubleshooting wizard for this device

Why is the browser not showing the Block Page?
Use the Troubleshooting page for in‑portal help by clicking the yellow “Why is my browser not showing the block page?” link at any location or device shown. It shows step-by-step instructions for Chrome, Firefox, Edge, macOS Safari, and device-level Secure DNS. Below are the steps to test or check:
Before testing
- Flush local DNS cache (ipconfig /flushdns, sudo dscacheutil -flushcache, or restart DNS client service).
- Pick a domain definitively blocked by your policy (not a recently changed one).
- Use the Visibility Report to compare expected vs. actual outcomes.
Disable DoH/Secure DNS quickly:
- Chrome / Edge: Settings → Privacy and Security → Security → Use secure DNS → set Off or With your current service provider.
- Firefox: Settings → Network Settings → Enable DNS over HTTPS → Off (or about:config → network.trr.mode = 5).
- Safari (macOS): System Settings → Network → → Details → Advanced → remove DoH/DoT entries; confirm CyberFOX resolvers.
- OS‑level Secure DNS (Win11/Android/iOS): Disable or ensure it uses CyberFOX profiles.
- If the block page still doesn’t show, confirm the test hits CyberFOX (query logs), ensure VPN/agents aren’t hijacking DNS, and, if needed, capture packets (tcpdump/Wireshark) while reproducing.
Why this matters: Browsers that use DoH on port 443 make DNS look like normal HTTPS and bypass the router/OS DNS—turn it off to validate filtering.
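The Firefox check above can be audited across profiles by reading network.trr.mode from a profile's prefs.js or user.js. This is an added example, not CyberFOX code; the function names, the sample profiles and the doh.example.net endpoint are constructed, and the mode meanings follow Mozilla's documented values for this preference.

```python
import re

# network.trr.mode values as documented by Mozilla for Firefox's DoH resolver (TRR).
BYPASS_MODES = {2: "DoH first, OS resolver only as fallback", 3: "DoH only"}
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*?)\);\s*$')


def read_prefs(text):
    """Parse user_pref("name", value); lines; a later line overrides an earlier one."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip('"')
    return prefs


def doh_status(prefs_text):
    """Classify a Firefox profile's DoH state from its prefs.js / user.js text."""
    prefs = read_prefs(prefs_text)
    raw = prefs.get("network.trr.mode", "")
    mode = int(raw) if raw.lstrip("-").isdigit() else None
    if mode == 5:
        return {"verdict": "OS_RESOLVER", "mode": mode, "resolver": None,
                "detail": "DoH off by choice; lookups follow the OS/router DNS"}
    if mode in BYPASS_MODES:
        return {"verdict": "BYPASS", "mode": mode,
                "resolver": prefs.get("network.trr.uri") or "Firefox default provider",
                "detail": BYPASS_MODES[mode]}
    # Absent, 0 or a reserved value: nothing pins DoH off in this profile.
    return {"verdict": "UNPINNED", "mode": mode, "resolver": None,
            "detail": "browser default applies; set mode 5 to rule out DoH"}


# Constructed sample profiles (not taken from a real machine).
SAMPLE_BYPASS = '''
// Mozilla User Preferences
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://doh.example.net/dns-query");
'''
SAMPLE_FIXED = SAMPLE_BYPASS + 'user_pref("network.trr.mode", 5);\n'
SAMPLE_DEFAULT = 'user_pref("browser.startup.page", 3);\n'

if __name__ == "__main__":
    for name in ("SAMPLE_BYPASS", "SAMPLE_FIXED", "SAMPLE_DEFAULT"):
        print(name, doh_status(globals()[name]))
```

A BYPASS or UNPINNED verdict means a missing block page in that profile does not yet say anything about the filtering policy itself.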
Location DNS Configuration (Reference)
The Location DNS Configuration button will bring you to the configuration page, which shows Anycast DNS and upstream DNS addresses, plus one-click copy and OS-specific setup steps (Windows example shown).

Anycast DNS addresses:
166.117.57.142
166.117.57.146
Upstream DNS (fallback) addresses:
166.117.243.181
166.117.243.23
Windows quick setup (adapter level):
- Open Settings → Network & Internet → Advanced network settings → More network adapter options.
- Right‑click active adapter → Properties → select Internet Protocol Version 4 (TCP/IPv4) → Properties.
- Use the following DNS server addresses → enter CyberFOX Anycast IPs above.
- (Optional) Enter Upstream IPs as Windows fallback.
- Click OK, then test via Visibility Report and Test Page.
Best practice: Avoid mixing non‑CyberFOX resolvers in DHCP/router lists. Many devices use round‑robin; mixing resolvers can cause intermittent bypass.
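To check an endpoint for the mixed-resolver condition described in this best practice, the script below parses `ipconfig /all` output and flags any adapter whose DNS list contains a server that is not among the Anycast or Upstream addresses listed above. It is an added example, not CyberFOX code; the function names and the sample output are constructed, and it assumes English-locale `ipconfig` output.

```python
import ipaddress
import re

# Resolver addresses copied from the reference list above.
ANYCAST = {"166.117.57.142", "166.117.57.146"}
UPSTREAM = {"166.117.243.181", "166.117.243.23"}
DNS_LINE = re.compile(r"^\s+DNS Servers[ .]*:\s*(\S+)")

def dns_servers(ipconfig_text):
    """Map adapter name -> DNS servers from `ipconfig /all` (English-locale output)."""
    adapters, current, in_dns = {}, None, False
    for line in ipconfig_text.splitlines():
        if line and not line[0].isspace():      # unindented line opens a new section
            current, in_dns = line.strip().rstrip(":"), False
            continue
        m = DNS_LINE.match(line)
        in_dns = in_dns or bool(m)
        candidate = (m.group(1) if m else line.strip()).split("%")[0]
        try:                                    # continuation lines hold a bare address
            ip = str(ipaddress.ip_address(candidate)) if in_dns else None
        except ValueError:
            ip = None
        in_dns = ip is not None                 # any other line ends the DNS list
        if ip:
            adapters.setdefault(current, []).append(ip)
    return adapters

def audit(adapters):
    """Return adapter -> (verdict, resolvers that are not on the page's list)."""
    report = {}
    for name, servers in adapters.items():
        foreign = [s for s in servers if s not in ANYCAST | UPSTREAM]
        filtered = any(s in ANYCAST for s in servers)
        verdict = "OK" if not foreign else "MIXED" if filtered else "UNFILTERED"
        report[name] = (verdict, foreign)
    return report

# Constructed excerpt, blank lines trimmed; 192.168.1.1 stands in for a leftover router resolver.
SAMPLE = """\
Ethernet adapter Ethernet:
   DNS Servers . . . . . . . . . . . : 166.117.57.142
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
Wireless LAN adapter Wi-Fi:
   DNS Servers . . . . . . . . . . . : 166.117.57.142
                                       166.117.57.146
"""

print(audit(dns_servers(SAMPLE)))
```

On a live host, pass the captured text of `ipconfig /all` to `dns_servers` in place of `SAMPLE`; a MIXED adapter is the one to correct in DHCP or adapter settings.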
Roaming Device DNS Configuration (Reference)
The Roaming Device Configuration button will bring you to the configuration page, which shows DNS over HTTPS and DNS over TLS configurations, plus one-click copy and OS-specific setup steps (Windows example shown).

Windows quick setup (adapter level):
- Open Settings → Network & Internet → Advanced network settings → More network adapter options.
- Right‑click active adapter → Properties → select Internet Protocol Version 4 (TCP/IPv4) → Properties.
- Use the following DNS server addresses → enter DNS over HTTPS above.
- (Optional) Enter Upstream IPs as Windows fallback.
- Click OK, then test via the Visibility Report and Test Page.
Best practice: Avoid mixing non‑CyberFOX resolvers in DHCP/router lists. Many devices use round‑robin; mixing resolvers can cause intermittent bypass.
Advanced Diagnostics
If the block page does not show:
- Check Query Log for the device/time to confirm the request reached CyberFOX.
- Verify VPN/Proxy/EDR isn’t tunneling or rewriting DNS.
- Ensure ports 53/853/443 egress to CyberFOX are allowed.
- Re‑test with a known blocked category domain and in a fresh browser profile.
- Capture a packet trace (Wireshark/tcpdump) while reproducing the issue and include it with your support ticket.
Performance issues (high latency or timeouts):
- Test with and without upstream override to compare latency.
- Check local network conditions (Wi‑Fi quality, captive portals).
- Verify no middleboxes are rate‑limiting or blocking DoH/DoT.
Quick Checklist
- ✅ DNS configuration in the portal matches router/DHCP or roaming client.
- ✅ Browser DoH/Secure DNS disabled (and OS‑level Secure DNS checked).
- ✅ CyberFOX roaming client/profile installed and running for endpoints off‑network.
- ✅ Firewall egress allows UDP/TCP 53 and 853/443 to CyberFOX.
- ✅ Validated with the Visibility Report and the Test Page (https://app.cyberfox.com/test.html).
FAQ
Q1: Why is my DNS filtering not working or the block page not appearing?
Likely a browser DoH/OS Secure DNS bypass, a mixed DNS configuration, or firewall egress blocking DNS/DoH/DoT. Disable DoH, ensure only CyberFOX resolvers are used, and open 53/853/443.
Q2: How do I disable DoH in Chrome, Edge, and Firefox?
- Chrome/Edge: Settings → Privacy and Security → Security → Use secure DNS → Off/Provider = current.
- Firefox: Settings → Network Settings → Enable DNS over HTTPS → Off (or network.trr.mode = 5).
Q3: Which ports must be open for CyberFOX DNS Filtering?
UDP/TCP 53 for DNS, 853 for DoT (where used), and 443 for DoH/agent communications.
Q4: Can I assign CyberFOX DNS directly to endpoints?
Prefer router/DHCP DNS forwarding for locations to preserve local name resolution and consistency. For off‑network users, deploy the roaming client/DoH profile.
Q5: How can I prove a policy should block/allow a domain?
Use the Visibility Report to simulate per-company/location/device and compare it to the Query Log for real traffic.
Q6: Where do I get the correct DNS IPs?
Open the Location DNS Configuration page for that site (see screenshot in Section 5) and use the Copy buttons.
Still Need Help?
- Knowledge base: https://support.cyberfox.com/dns
- Open a ticket from the Troubleshooting page (see Section 2) or contact CyberFOX Support.