VPN
Why does the HYAS Protect agent stop working on macOS when a VPN connection is established?
When using full-tunnel VPNs like Palo Alto GlobalProtect (with split tunneling disabled), macOS overrides system DNS settings to prioritize internal VPN resolvers. As a result, the loopback DNS proxy used by the EnforceDNS agent (typically at 127.0.0.1:53) may be bypassed, preventing DNS queries from being inspected or sent to HYAS.
Does this issue affect Windows devices too?
No. On Windows, the DNS resolver stack handles multiple entries differently and typically continues to allow DNS traffic to reach the EnforceDNS agent — even after a VPN connection is made — provided the agent is installed and the VPN configuration is consistent with supported use cases.
Is this a HYAS-specific issue?
No, this behavior stems from how macOS handles DNS precedence and system routing when VPN connections are active. Many local DNS-based security solutions experience similar behavior unless explicitly accounted for in the VPN or OS configuration.
How can I confirm if this issue is occurring on my macOS device?
Run the following command in Terminal after connecting to the VPN:
scutil --dns
- Look for 127.0.0.1 under the list of resolvers.
- If it's missing or deprioritized, the agent is likely being bypassed.
To test it directly:
dig @127.0.0.1 example.com
- If no response is returned, system DNS queries are not going through the local proxy.
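The resolver check above can be scripted. This is an added example, not HYAS code: it parses `scutil --dns` output and reports whether 127.0.0.1 is the first default resolver, listed but deprioritized, or missing. The function names, the constructed sample outputs, and the reading of "deprioritized" as "not nameserver[0] of the first unscoped resolver" are assumptions.

```shell
#!/bin/sh
# Added example (not HYAS code): classify the loopback proxy's position in
# `scutil --dns` output read from stdin. Prints first | deprioritized | missing.
# Assumption: "deprioritized" = 127.0.0.1 is listed, but not as nameserver[0]
# of resolver #1 in the unscoped "DNS configuration" section.
loopback_status() {
    awk -v proxy="${1:-127.0.0.1}" '
        /^DNS configuration/ { section++; resolver = 0; next }
        /^resolver #[0-9]+/  { resolver++; next }
        /nameserver\[[0-9]+\] *:/ {
            idx = $1; gsub(/[^0-9]/, "", idx)      # "nameserver[0]" -> "0"
            if ($NF == proxy) {
                seen = 1
                if (section == 1 && resolver == 1 && idx + 0 == 0) first = 1
            }
        }
        END { if (first) print "first"; else if (seen) print "deprioritized"; else print "missing" }'
}

# Constructed sample: full-tunnel VPN connected, proxy only on the scoped en0 entry.
sample_vpn() {
cat <<'EOF'
DNS configuration

resolver #1
  nameserver[0] : 10.20.0.53
  if_index : 15 (utun3)

DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : 127.0.0.1
  if_index : 6 (en0)
EOF
}

# Constructed sample: no VPN, proxy is the default resolver.
sample_ok() {
cat <<'EOF'
DNS configuration

resolver #1
  nameserver[0] : 127.0.0.1
  if_index : 6 (en0)
EOF
}

# On macOS, classify the live configuration; skipped where scutil is absent.
if command -v scutil >/dev/null 2>&1; then scutil --dns | loopback_status; fi
```

Run it once before and once after connecting to the VPN; a change from `first` to `deprioritized` or `missing` matches the bypass described above.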
What are the recommended workarounds to restore functionality on macOS while using a VPN?
You have a few options:
- Use a split-tunnel or split-DNS VPN configuration
  - This allows DNS queries meant for HYAS to bypass the VPN and reach the agent.
- Manually configure macOS to prioritize the local DNS proxy
  - Create a custom resolver under /etc/resolver/
  - Or apply a network configuration profile that enforces DNS settings.
- Engage your VPN administrator
  - Ask if GlobalProtect or your VPN solution supports "No DNS Override" or similar policies that preserve local DNS routing.
Agent Management
How long after I install an Agent should I expect to see it in the dashboard?
The EnforceDNS Agent checks in every 5 minutes. If the machine is running and no local errors are present, you should see the device in the portal within 5 minutes.
How Do I Enable Debug Mode?
Whenever you suspect that the EnforceDNS Agent is encountering an issue or is the cause of connectivity issues, it is highly recommended to enable debug logging for the Agent. The verbose telemetry it captures expedites troubleshooting.
To enable Debug mode, refer to the Agent Preferences section above.
How do I view the HYAS Protect Agent's local logs?
In the Finder, show hidden folders by pressing Command + Shift + . (period).
Then, navigate to:
Macintosh HD/private/var/log/com.hyas.protect