DNS requests failing when WSS Agent host with Split DNS has Microsoft Defender enabled


Article ID: 273774


Updated On:


Cloud Secure Web Gateway - Cloud SWG


Users access internet sites via Cloud SWG using WSS Agent.

For security purposes, all DNS requests from the WSS Agent host are sent into Cloud SWG by enabling Split DNS.

Domains that are included in the Split DNS configuration cannot be accessed via Cloud SWG; browsers report connectivity-related errors.

Disabling WSS Agent allows all sites to be reached.


WSS Agent.

Split DNS.

Microsoft Defender enabled and allowing DNS responses from local DNS server.


Defender Firewall intercepts the traffic BEFORE the WSS Agent sees and translates the DNS responses, and drops each response because it does not match an allow rule.



Create a rule within Defender Firewall allowing DNS responses from, when Split DNS is enabled.

Additional Information

The MS Defender logs showed DNS responses from were being dropped on the local host e.g.

 “2023-08-09 09:30:14 DROP UDP 53 63836 81 - - - - - - - RECEIVE 3052”

where is the local IP address of the host.

The Split DNS setup sent all requests for the bcomnet.com domain to the local DNS server, and all DNS requests for other domains into Cloud SWG.


Tracking the dropped DNS request in the Symdiag PCAPs, we see that the responses come back initially with the WSS Agent NATed IP address e.g. and not the host IP address, and from the rewritten DNS server. After the WSS Agent processes the request and rewrites the IP addresses, the application should see the correct IP addresses returned.

In our case, the Defender Firewall intercepted the request before the DNS server IP address was rewritten and dropped the DNS response as it did not come from the local DNS server.

Adding an allow rule to Defender allowed the response to get back to the Application and all connectivity worked.
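
To confirm the same symptom on another host, the check on the Defender Firewall log described above can be scripted. The following is an added example, not part of the original article or of any Broadcom or Microsoft tooling: it assumes the standard `pfirewall.log` layout with a `#Fields:` header, the function names are hypothetical, and every address in the sample is a constructed documentation-range placeholder.

```python
from collections import Counter

# Constructed sample in Windows Defender Firewall log (pfirewall.log) layout.
# Addresses are documentation-range placeholders, not values from the article.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path pid
2023-08-09 09:30:14 DROP UDP 198.51.100.53 192.0.2.10 53 63836 81 - - - - - - - RECEIVE 3052
2023-08-09 09:30:15 ALLOW UDP 192.0.2.10 192.0.2.1 63837 53 0 - - - - - - - SEND 3052
2023-08-09 09:30:16 DROP UDP 198.51.100.53 192.0.2.10 53 63840 97 - - - - - - - RECEIVE 3052
2023-08-09 09:30:17 DROP TCP 203.0.113.7 192.0.2.10 44321 445 52 S 1 0 8192 - - - RECEIVE 4
2023-08-09 09:30:18 ALLOW UDP 192.0.2.1 192.0.2.10 53 63837 0 - - - - - - - RECEIVE 3052
"""

def parse_firewall_log(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))

def dropped_dns_responses(text):
    """Count dropped inbound UDP packets with source port 53, per source IP."""
    hits = Counter()
    for rec in parse_firewall_log(text):
        if (rec["action"] == "DROP" and rec["protocol"] == "UDP"
                and rec["src-port"] == "53" and rec["path"] == "RECEIVE"):
            hits[rec["src-ip"]] += 1
    return hits

def unallowed_resolvers(text, allowed_dns_servers):
    """Source IPs of dropped DNS responses that are not in the allowed set."""
    dropped = dropped_dns_responses(text)
    return sorted(ip for ip in dropped if ip not in allowed_dns_servers)

if __name__ == "__main__":
    for ip, count in dropped_dns_responses(SAMPLE_LOG).items():
        print(f"{count} dropped DNS responses from {ip}")
```

Any address returned by `unallowed_resolvers` is a source of DNS responses that the firewall dropped because no allow rule covers it, which is the pattern the log entry above shows.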