In the modern era of the hybrid workforce, the traditional corporate perimeter is a thing of the past. Employees have the freedom to connect from home, airport lounges, international hotels, and everywhere in between. While this is a win for productivity, it can be a headache for IT teams who have zero control over the network configuration.
Until now, roaming security relied on DNS redirection. While effective, this approach often faced hurdles: Restrictive guest Wi-Fi that blocks DNS changes, complex VPN conflicts, and "leaky" IPv6 environments.
Today, we’re removing that friction with the launch of DNS PreCheck.
DNS PreCheck is a next-generation filtering mode for DNSFilter Roaming Clients (currently available for Windows Roaming Client v3.2.0+). Instead of forcing a device to change its DNS settings to redirect traffic to the cloud, DNS PreCheck processes filtering directly on the local device. It uses a transparent proxy to intercept and validate DNS queries at the network stack level. This means security policies are enforced at the source—before the query even leaves the device.
Some traditional roaming agents use "loopback" addresses (127.0.0.1) that can conflict with local printers, internal domains, or third-party networking tools. Because DNS PreCheck uses a transparent proxy, it provides conflict-free enforcement. It protects the device without touching the Network Interface Card or NIC settings, eliminating the "broken internet" tickets that plague IT help desks.
As networks modernize, IPv6 has become a common security blind spot. Many legacy agents only filter IPv4, allowing requests to "leak" through unprotected IPv6 paths. DNS PreCheck offers native support for both protocols, ensuring that your filtering policies are enforced regardless of how a user connects.
There are times when restrictive networks end up blocking all connectivity, which makes for a terrible user experience. DNS PreCheck features a configurable fail-open architecture. If the filtering service is unreachable, DNS PreCheck prioritizes user productivity by maintaining the connection while alerting admins. This greatly improves the user experience and keeps employees productive.
DNS PreCheck is designed to work alongside your existing stack. By operating at a different layer than traditional redirection, it significantly reduces alerts and conflicts with VPNs or other endpoint security tools.
Setting up DNS PreCheck is incredibly easy. The only prerequisite is having DNSFilter’s Windows Roaming Client version 3.0.0 or higher. From the Roaming Client page, open the Control Center, select Connection & Filtering Mode, and choose the DNS PreCheck option. Save your selection, and that’s it. If you’re a current DNSFilter customer, please note that you’ll need to turn this function on—it will not be deployed automatically. Once you toggle on DNS PreCheck, the agent automatically cleans up legacy loopback entries for a seamless transition.
With the launch of DNS PreCheck, DNSFilter now offers the most flexible content filtering deployment options in the industry. Whether you need the power of Classic DNS Filtering through our global Anycast network or the local resilience of DNS PreCheck for your remote travelers, you no longer have to choose between security and speed.
Sign up for a free trial and test DNS PreCheck today.