To ensure your EnforceDNS service functions correctly, please update your firewall and
VPN settings to allow outbound traffic to the following IPs and domains.
Configuration Requirements
Please ensure that outbound traffic is permitted for the following resources:
UDP traffic on port 53 and TCP traffic on ports 53 and 443
45.39.53.53
35.71.179.113
dns.anycast.threater.ai
If your organization uses SSL inspection, please ensure these domains and IPs are
included in your allowlist to prevent connection issues.
Configuration for Advanced Use Cases
Once the EnforceDNS Agent is installed and running, you can configure how it behaves across your environment. These configuration options are designed to support advanced use cases like split-horizon DNS, internal domain resolution, Safe Search enforcement, and more.
These settings help ensure the EnforceDNS Agent operates efficiently in both internal and external environments, balancing security with usability. In the sections that follow, you'll learn how to configure each option step-by-step.
Configuration only needs to be completed once, typically during initial setup or when making changes to your organization’s security or network policies. Once saved, your settings will automatically apply to all deployed agents within your organization. You do not need to reconfigure the agent on each device.
These configuration settings only apply to Windows and macOS deployments.
These configuration settings can be found in the threatER EnforceDNS Portal under Settings (gear icon) > Organization Settings > EnforceDNS Agent > Settings.
The available configuration options include:
Local Resolution Settings
More Details for Configuring Local Resolution Settings
What it is:
Local Resolution Settings allow the EnforceDNS Agent to resolve internal domain names using your organization’s internal DNS infrastructure. This ensures that private or internal services—like intranet portals, authentication servers, or application endpoints—are resolved locally rather than being sent to external DNS resolvers.
This configuration consists of two components:
Local Domains: The internal domains you want to resolve locally.
Local Resolvers: The internal DNS servers that will be used to resolve those domains.
Why you’d configure it:
To ensure seamless access to internal systems while keeping sensitive DNS traffic inside your trusted network. It improves performance, prevents resolution failures, and avoids exposing internal domain names to public DNS resolvers.
If you don’t configure it (or configure it incorrectly):
Internal domains may not resolve, breaking access to critical services.
DNS queries for sensitive internal domains may be sent to external resolvers, increasing the risk of exposure.
EnforceDNS Agents will be unable to properly differentiate internal DNS traffic, especially in split-horizon environments.
How to configure it:
In the Local Domains field:
Enter each internal domain that should resolve through your internal DNS infrastructure.
Each domain must include a second-level domain (SLD) and top-level domain (TLD).
In the Local Resolvers field:
Enter the IP address(es) of your internal DNS servers.
Use valid IPv4 or IPv6 addresses only.
Save the configuration at the bottom of the page.
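To check a Local Resolution configuration against the two rules above (Local Domains need an SLD and a TLD; Local Resolvers must be literal IPv4 or IPv6 addresses) before saving it, here is an added Python example. It is not part of the EnforceDNS product or of this guide; the domains and resolver addresses in it are constructed, and the warning for resolvers outside private address ranges goes slightly beyond the rules stated above.

```python
import ipaddress
import re

# Constructed sample inputs (not from the page): what an admin might paste
# into the Local Domains and Local Resolvers fields, including mistakes.
LOCAL_DOMAINS = ["corp.example.com", "intranet.example", "localhost", "example"]
LOCAL_RESOLVERS = ["10.0.0.53", "fd00::53", "10.0.0.256", "dns.corp.example.com"]

# One DNS label: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def valid_local_domain(domain: str) -> bool:
    """A Local Domain needs at least an SLD and a TLD, i.e. two well-formed labels."""
    labels = domain.strip().lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    return all(LABEL_RE.match(label) for label in labels)


def valid_local_resolver(addr: str) -> bool:
    """A Local Resolver must be a literal IPv4 or IPv6 address, never a hostname."""
    try:
        ipaddress.ip_address(addr.strip())
        return True
    except ValueError:
        return False


def check_local_resolution(domains, resolvers):
    """Return (ok, errors, warnings). Errors are entries the field rules reject;
    warnings flag resolvers that parse but are not in a private range, which
    deserves a second look because Local Resolvers should be internal DNS servers."""
    errors, warnings = [], []
    for d in domains:
        if not valid_local_domain(d):
            errors.append(f"Local Domain '{d}' must include both an SLD and a TLD")
    for r in resolvers:
        if not valid_local_resolver(r):
            errors.append(f"Local Resolver '{r}' is not a valid IPv4/IPv6 address")
        elif not ipaddress.ip_address(r.strip()).is_private:
            warnings.append(f"Local Resolver '{r}' is not a private address")
    return (not errors, errors, warnings)


if __name__ == "__main__":
    ok, errors, warnings = check_local_resolution(LOCAL_DOMAINS, LOCAL_RESOLVERS)
    print("OK" if ok else "FIX BEFORE SAVING", *errors, *warnings, sep="\n")
```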
Split-Horizon DNS & Local Resolution Settings
Split-Horizon DNS and Local Resolution Settings enable the EnforceDNS Agent to determine whether a device is inside or outside your organization’s network and to route DNS queries accordingly. These settings ensure that internal domains resolve through the correct DNS infrastructure and that the Agent applies the appropriate behavior based on the network environment.
Configuring Split-Horizon DNS & Local Resolution Settings
Split-Horizon DNS: Local Network Test
What it is
A test the EnforceDNS Agent performs to determine whether a device is on a trusted internal network. The Agent queries a domain that resolves differently inside your organization and checks whether the returned value matches the expected internal IP address.
Why you’d configure it
Configuring Split-Horizon DNS allows the Agent to recognize internal networks and route internal-only domains through the correct DNS servers. This is essential for accessing private applications, preventing internal traffic from being sent externally, and ensuring that policies designed for trusted networks behave correctly.
If you don’t configure it
The Agent assumes the device is always external. This may prevent internal domains from resolving, break access to internal applications, and cause the Agent to apply external network behavior even when the device is on a trusted internal network.
Local Resolution Settings
What it is
Local Resolution Settings define the internal domains that should always be resolved using internal DNS servers whenever the Agent detects the device on a matching internal network.
Why you’d configure it
Organizations often rely on internal subdomains, private hostnames, or on-prem services that cannot be resolved externally. Local Resolution ensures those domains are routed to the correct internal resolvers and prevents internal queries from being sent to external DNS providers.
If you don’t configure it
Internal domains may fail to resolve or may be leaked externally. Applications that depend on internal DNS will not function reliably, and internal routing rules may not be applied.
Disable Agent on Local Network
Allows the agent to automatically disable itself when it confirms the device is on a trusted internal network (requires Local Network Test to be configured).
Configuring Disable Agent on Local Network
What it is:
This option allows the agent to automatically disable itself when it detects that it's on a trusted internal network.
Why you’d configure it:
To reduce unnecessary DNS enforcement or prevent conflicts with internal DNS policies while on a secure internal network. Useful for environments that already monitor DNS internally or have strict internal routing setups.
If you don’t configure it (or configure it incorrectly):
The agent will continue enforcing policies and intercepting DNS—even on internal networks—potentially leading to duplicate logging, policy conflicts, or unnecessary complexity.
Note: This setting requires the Local Network Test to be properly configured.
How to configure:
Configure Split-Horizon DNS: Local Network Test (instructions above)
Enable ‘Disable Agent on Local Network’
Save the configuration at the bottom of the page.
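The following added Python example (not the agent's own code and not from this guide) models how the three settings above fit together: the Local Network Test compares the probe domain's answer with the expected internal IP, Local Domains are sent to the Local Resolvers only when that test passes, and Disable Agent on Local Network makes the agent step aside entirely. The probe domain, expected internal IP, Local Domains and resolver addresses are constructed assumptions.

```python
import ipaddress
import socket

# Constructed values (not from the page): the split-horizon probe domain, the
# internal-only IP it should return, and the Local Resolution / agent settings.
LOCAL_NETWORK_TEST = {"domain": "probe.corp.example.com", "expected_ip": "10.10.0.5"}
LOCAL_DOMAINS = ["corp.example.com", "intranet.example"]
LOCAL_RESOLVERS = ["10.0.0.53", "fd00::53"]
ENFORCE_RESOLVER = "dns.anycast.threater.ai"  # the resolver named in the allowlist above
DISABLE_ON_LOCAL = False  # the 'Disable Agent on Local Network' toggle


def system_resolve(name):
    """Resolve a name with the OS resolver, returning the set of A/AAAA answers."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


def _as_ip(text):
    try:
        return ipaddress.ip_address(text.split("%")[0])  # drop IPv6 zone ids
    except ValueError:
        return None


def on_internal_network(resolve=system_resolve, test=LOCAL_NETWORK_TEST):
    """Local Network Test: the probe must answer with the expected internal IP.
    No answer, or a different answer, means the device is treated as external."""
    expected = ipaddress.ip_address(test["expected_ip"])
    return any(_as_ip(a) == expected for a in resolve(test["domain"]))


def is_local_domain(qname, local_domains=LOCAL_DOMAINS):
    """True if qname equals, or is a subdomain of, a configured Local Domain."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in local_domains)


def route_query(qname, internal, disable_on_local=DISABLE_ON_LOCAL):
    """Decide how the agent handles one query given the network test result:
    ("disabled", None)  agent steps aside on the trusted network,
    ("local", [...])    Local Domain on the internal network -> Local Resolvers,
    ("enforce", [...])  everything else goes to the enforcing resolver."""
    if internal and disable_on_local:
        return ("disabled", None)
    if internal and is_local_domain(qname):
        return ("local", list(LOCAL_RESOLVERS))
    return ("enforce", [ENFORCE_RESOLVER])
```

Pass a different `resolve` callable to `on_internal_network` to run the test against a resolver other than the OS default.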
Safe Search
Enforce Safe Search on supported search engines including Google, YouTube, Bing, and DuckDuckGo.
Configuring Safe Search
What it is:
This setting forces Safe Search to be enabled on supported search engines (Google, YouTube, Bing, and DuckDuckGo), helping filter out explicit or inappropriate content.
Why you’d configure it:
To support compliance with internet safety policies, especially in education, public sector, or regulated industries. It adds a layer of content control at the DNS level.
If you don’t configure it:
Users can disable Safe Search in their browser or search engine settings, and DNS will not enforce restrictions—potentially exposing the organization to policy violations or inappropriate content.
How to configure:
Enable ‘Safe Search’
Save the configuration at the bottom of the page.
Allow Employee to Temporarily Disable Agent
Permit end users to disable the agent for up to 15 minutes at a time—helpful in scenarios like accessing captive portals on public Wi-Fi.
Configure Allowing Employees to Temporarily Disable the Agent
What it is:
This optional setting allows end users to disable the EnforceDNS Agent for 15 minutes at a time.
Why you’d configure it:
To give users flexibility when encountering restrictive environments like captive portals (e.g., hotel or airport Wi-Fi login pages) that may require temporary DNS bypassing.
If you don’t configure it:
Users may not be able to complete logins or network registration on certain public Wi-Fi networks, leading to access issues and increased support tickets.
How to configure:
Enable ‘Allow Employees to Temporarily Disable Agent’