Troubleshooting Guide

Block Page

Issue

A customized block page has been enabled. However, users receive an error when navigating to blocked domains instead of seeing the block page.

This is likely due to the use of an outdated Agent. Please update to the latest version of the Agent. If issues still persist, see below.

Solution

It’s likely that HYAS Protect is either blocking a malicious site, or blocking access to a site that is against your company’s policies. You’re seeing this warning because HYAS Protect is attempting to display a “block page” instead of the actual site. In order for the block page to be shown for sites served over HTTPS without generating browser errors, the HYAS Root Certificate Authority (CA) must be installed on your device. You can download the HYAS Root CA files and find instructions for installing them on your device at http://ca.hyas.com.

Unable to Connect to the Internet

Issue

When using the HYAS Protect Agent, users are unable to connect to a public WiFi network.

Solution

Public WiFi networks often include a captive portal, where you agree to the network’s Terms of Service before being granted access to the internet. Captive portals all behave a bit differently, and on occasion it may be necessary to temporarily disable the HYAS Protect Agent to connect to the public WiFi. Once connected, you can re-enable the Agent. Other methods to accomplish this will be available in Q2 2024, but until then please perform the following tasks to temporarily disable the Agent:

Mac OS

Windows

HYAS Protect Relay

DNS traffic not displaying in the UI

Issue

When deploying the HYAS Protect Relay on a Windows machine, DNS traffic is not showing in the HYAS Protect UI.

Solution

Port 53 on each IP address supports only one listening process, in accordance with standard IP network design.

On the external interface, the HYAS Protect Relay process must occupy this port to handle incoming DNS traffic. Depending on the configuration of local domains, it can subsequently forward requests to the Windows DNS service, if necessary. However, prior to this, the Windows DNS service must cease listening on port 53.

Instructions on how to configure the Relay to listen on port 53:

Checking which processes are listening on port 53

  • In PowerShell, run the following command to check for processes listening on port 53 and their associated IP addresses.

POWERSHELL
netstat -an | Select-String 53 | Select-String listen
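  • This command lists listening TCP sockets whose netstat line contains “53” and displays the local IP address and port. Because the filter is a substring match, unrelated ports such as 5357 also appear in the output.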

  • When configured properly, the output will look similar to this:

POWERSHELL
PS C:\Users\Administrator> netstat -an | Select-String 53 | Select-String listen

  TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:53           0.0.0.0:0              LISTENING
  TCP    [::]:5357              [::]:0                 LISTENING
  TCP    [::1]:53               [::]:0                 LISTENING
  TCP    [fe80::608c:dc7e:e701:f49f%14]:53  [::]:0                 LISTENING
  • In this scenario, port 53 is currently utilized by the localhost IPv4 (127.0.0.1), localhost IPv6 (::1), and the fe80:xxx IPv6 address. However, the Windows DNS server is not configured to listen on the IP address of the domain controller (10.0.10.98), as observed.

If port 53 is not currently in use by the localhost, you can configure it to do so by following these steps:

  1. Navigate to your Windows DNS Server, right-click, and select “DNS Manager”

  2. From here, you should see all of your DNS Servers. Next, right-click each one and select “Properties”

  3. Now, select the “Interfaces” tab:

  1. In this example, we’ll need the Windows DNS Server to stop listening on 10.0.10.98.

    1. To do this, unselect the check box next to 10.0.10.98 and click “OK”

    2. You may need to restart the DNS service for the changes to take effect

    3. Although not explicitly displayed in the user interface, it's important to note that the Windows DNS server also listens on port 53 of the IPv4 localhost (127.0.0.1) and IPv6 localhost (::1).

  2. For this example, the dnsproxy.yaml file looks like:

    YAML
    dns:
      bind_hosts:
        - 10.0.10.98
      port: 53
      upstream_dns:
        - https://a.b.c.d/dns-query  # the default Protect resolvers
        - '[/your-local-domain-here/]127.0.0.1'
  3. The HYAS Protect Relay will be configured to bind to port 53 on the IP address 10.0.10.98 to accept DNS requests. Requests for local domains will be forwarded to 127.0.0.1, port 53, where the Windows DNS server is operational. DNS queries for non-local domains will be routed to the HYAS Protect Resolvers and thus shown in the HYAS Protect UI.
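
The port 53 check from this section as a script, using an exact port match so that lines such as 5357 are not counted. This is an added example, not code from HYAS; the function names `Get-PortListener` and `Test-RelayBindHost` are hypothetical, and the sample input is the netstat output shown above with 10.0.10.98 as the Relay bind host.

```powershell
# Added example, not HYAS code. Parses `netstat -an` text with an exact port match.
function Get-PortListener {
    param(
        [Parameter(ValueFromPipeline)][string]$Line,
        [int]$Port = 53
    )
    process {
        # Fields: proto, local address, ":port", remote address, LISTENING state.
        # Capturing the port as a whole number keeps 5357 from matching 53.
        if ($Line -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING') {
            $address = $Matches[1]
            $found   = [int]$Matches[2]
            if ($found -eq $Port) {
                # Drop IPv6 brackets and the zone index (for example %14).
                $address.Trim('[', ']') -replace '%\d+$', ''
            }
        }
    }
}

function Test-RelayBindHost {
    param([string[]]$NetstatLines, [string]$BindHost, [int]$Port = 53)
    $listeners = @($NetstatLines | Get-PortListener -Port $Port)
    [pscustomobject]@{
        Listeners     = $listeners
        # A wildcard listener (0.0.0.0 or ::) overlaps every local address.
        BindHostBusy  = [bool]($listeners | Where-Object { $_ -in $BindHost, '0.0.0.0', '::' })
        # The Relay forwards local-domain queries to Windows DNS on 127.0.0.1.
        LoopbackReady = '127.0.0.1' -in $listeners
    }
}

# Sample input: the netstat output shown earlier on this page.
$sample = @(
    '  TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING'
    '  TCP    127.0.0.1:53           0.0.0.0:0              LISTENING'
    '  TCP    [::]:5357              [::]:0                 LISTENING'
    '  TCP    [::1]:53               [::]:0                 LISTENING'
    '  TCP    [fe80::608c:dc7e:e701:f49f%14]:53  [::]:0                 LISTENING'
)
Test-RelayBindHost -NetstatLines $sample -BindHost '10.0.10.98' | Format-List

# Live check on the Relay host:
# Test-RelayBindHost -NetstatLines (netstat -an) -BindHost '10.0.10.98'
```

netstat reports a LISTENING state only for TCP, so this check covers TCP just as the command above does; `Get-NetUDPEndpoint -LocalPort 53` lists the UDP side.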

Last Modified by:

@a user (13 days ago)
