Troubleshooting Guide

Windows (Command Prompt or PowerShell):

sc query "HYAS Protect"

• STATE: RUNNING → Agent is installed and active.

• The specified service does not exist → No agent installed (DNS may still be configured to HYAS Protect via network settings).

macOS (Terminal):

launchctl list | grep application.com.hyas

• Output shows process ID if installed and running.

• No output means agent not installed.

Windows:

ipconfig /all

Check DNS Servers:

• If 127.0.0.1 → Agent in use.

• If other addresses (corporate DNS or HYAS Protect resolvers) → HYAS Protect may still be active via network configuration.

macOS:

scutil --dns | grep 'nameserver'

• 127.0.0.1 → Agent in use.

• Other IPs → Network-level DNS configuration.

If DNS servers show neither 127.0.0.1 nor HYAS resolvers, check for misconfiguration or VPN overrides.

HYAS Protect requires outbound UDP and TCP port 53 to:

• 127.0.0.1 (loopback)

• HYAS Protect upstream resolvers

Blocking either loopback (127.0.0.1) or HYAS Protect resolvers will cause DNS lookups to time out.

Open the command line tool and run:

ping 8.8.8.8 

This uses Google’s public IP to bypass DNS and confirm raw internet reachability.

• Windows: Stops after 4 replies

• macOS: Press Control + C to stop

• Successful replies = Internet is reachable (proceed to DNS tests).

• Timeouts = General network issue (not DNS-related).

Run:

nslookup google.com 

• Valid IP returned = DNS functional.

• NXDOMAIN = May indicate intentional block (policy).

• Timeout/Server not found = Connectivity or DNS misconfiguration..

Note: If using the agent, Server: 127.0.0.1 is expected. Without the agent, DNS may point to HYAS Protect resolvers or corporate DNS servers.

Results:

• Valid IP = DNS Functional

• NXDomain = Domain intentionally blocked by HYAS

• Timeout / Server not found = Misconfiguration or firewall issue

If DNS resolution fails, you can test whether the issue is specific to HYAS Protect by querying a public resolver (e.g., Google DNS at 8.8.8.8):

nslookup google.com 8.8.8.8

1. Check the Results

   • If public DNS resolves but HYAS Protect does not:
     HYAS Protect is likely blocking the domain per policy or there’s an issue with the agent’s upstream configuration.

   • If neither HYAS Protect nor public DNS resolves:
     The domain itself may be offline or misconfigured.

If you see timeouts, confirm firewall allows outbound UDP/TCP 53 as described in baseline checks.

NXDOMAIN vs Timeout

• NXDOMAIN: Intentional block by HYAS Protect

• Timeout: Connectivity issue, misconfiguration, or firewall blocking UDP/TCP 53

Temporarily disable or stop the agent:

• If internet works without agent → Likely HYAS Protect configuration/policy issue

• If internet still fails → Issue unrelated to HYAS Protect

Run ping and nslookup from another device on the same network:

• Works → Issue is local

• Fails → Network-wide problem

Sometimes cached failures can cause persistent errors. To clear the cache, perform the following:

Windows:

ipconfig /flushdns 

macOS:

sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder

1. Confirm whether the user is connected to a corporate or third-party VPN.

2. Temporarily disconnect the VPN and re-run the ping and nslookup tests:

   • If DNS works without VPN but fails with VPN → VPN configuration likely overrides HYAS Protect.

   • If DNS fails both with and without VPN → Issue is unrelated to VPN.

Windows:

ipconfig /all 

macOS:

scutil --dns | grep 'nameserver'

1. Check if DNS is set to 127.0.0.1:

   1. If not 127.0.0.1 → VPN is forcing DNS through its own resolvers (HYAS Protect bypassed).

   2. If 127.0.0.1 but DNS queries fail → VPN may be blocking loopback traffic or outbound DNS.

1. Full Tunnel VPN: Routes all traffic (including DNS) through VPN — HYAS Protect may not function unless explicitly allowed.

2. Split Tunnel VPN: Routes only corporate subnets through VPN — HYAS Protect can still operate normally.

Note: If your organization enforces full tunnel, ensure HYAS Protect is deployed on the VPN DNS path or exceptions are configured.

1. Some VPN clients enforce strict firewall rules that block outbound DNS or loopback traffic.

2. Ensure UDP/TCP port 53 is allowed to 127.0.0.1 and HYAS Protect upstream resolvers.

While connected to VPN, test a public DNS resolver directly:

nslookup google.com 8.8.8.8

1. If public DNS resolves but HYAS Protect does not: VPN is likely interfering with HYAS Protect’s DNS proxy.

2. If neither resolves: Connectivity issue may be broader (check VPN connection health).

1. Navigate to http://apps.hyas.com >Organization Settings>Protect Agent>Manage

   1. Select the device you wish to obtain troubleshooting logs for and select Actions>Run Diagnostics.

This will populate the troubleshooting logs in apprx 10 mins.

1. Determine if the issue occurs only for internal corporate domains (e.g., intranet.company.com) or for public domains as well.

2. If only internal domains fail → Split-horizon DNS misalignment is likely.

Run the following tests:

Default (HYAS Protect active):

nslookup intranet.company.com 

Public DNS (bypass HYAS Protect):

nslookup intranet.company.com 8.8.8.8 

Expected Results:

• Internal domains should resolve to internal/private IP addresses when on corporate network or VPN.

• If HYAS Protect returns NXDOMAIN or wrong IP while public DNS gives a different result, split-horizon misalignment is confirmed.

1. Connect to the corporate VPN and re-run the same nslookup tests.

2. If the domain resolves correctly only when VPN is active:
   Internal DNS zones are only accessible via VPN and may not be configured in HYAS Protect.

3. If the domain fails both on and off VPN:
   Likely not a split-horizon issue — check general DNS troubleshooting steps.

1. Check whether your organization has provided HYAS Protect with internal DNS zone information.

2. Internal zones may need to be configured or excluded within HYAS Protect policies to avoid public resolution attempts.

• Temporarily bypass HYAS Protect for internal domains by manually adding internal DNS server IPs to system settings (testing only, not a permanent solution).

• Confirm if resolution works correctly through corporate DNS directly.

1. Navigate to http://apps.hyas.com >Organization Settings>Protect Agent>Manage

   1. Select the device you wish to obtain troubleshooting logs for and select Actions>Run Diagnostics.

This will populate the troubleshooting logs in apprx 10 mins.

1. Determine if the failing domain is local-only:

   1. Check if it ends with .local, .lan, or another internal suffix.

   2. Check if it resolves to a private IP range (e.g., 192.168.x.x, 10.x.x.x, 172.16.x.x).

2. If the domain does not exist publicly and only resolves internally → local domain issue is likely.

Run the following command:

nslookup printer.local 

Expected Result:

• If HYAS Protect is unaware of the local domain, you may see:

** server can't find printer.local: NXDOMAIN 

Try resolving using the device’s IP directly to confirm the service is reachable: (example IP only)

ping 192.168.1.50 

If the IP works but hostname does not, the issue is strictly DNS-related (likely local domain resolution).

Local domains typically require resolution via internal/local DNS servers or mDNS:

1. Confirm whether your organization has configured search domains or conditional forwarding for local zones in HYAS Protect.

2. If not configured, HYAS Protect will forward these queries to public DNS and fail.

1. Temporarily bypass HYAS Protect for local domains:

   1. Add local DNS server IPs manually to system DNS configuration (testing only).

2. Alternatively, add the hostname and IP to the local hosts file (not recommended for permanent fix).

1. Navigate to http://apps.hyas.com/ >Organization Settings>Protect Agent>Manage

   1. Select the device you wish to obtain troubleshooting logs for and select Actions>Run Diagnostics.

This will populate the troubleshooting logs in apprx 10 mins.

First, verify whether the connectivity problem affects all websites or only specific ones.

1. Open the Command Line Tool:

   1. Windows: Press Windows + R, type cmd, and press Enter.
      (Alternatively, search for "Command Prompt" in the Start menu.)

   2. macOS: Press Command + Space, type Terminal, and press Enter.

2. Run the Ping Command:

   1. In the window that opens, type:

      1. CODE

         ping 8.8.8.8

   2. On Windows, it will automatically stop after 4 replies.

   3. On macOS, it will keep running until you stop it with Control + C.

3. Check the Results:

   1. If you see replies like this, you have basic internet connectivity:

      1. Windows:

         1. CODE

            Reply from 8.8.8.8: bytes=32 time=14ms TTL=117

      2. macOS:

         1. CODE

            64 bytes from 8.8.8.8: icmp_seq=0 ttl=117 time=14.1 ms

   2. If you see timeouts, your device may be offline or blocked from reaching the internet:

      1. Windows:

         1. CODE

            Request timed out.

      2. macOS:

         1. CODE

            Request timeout for icmp_seq 0

If the ping test succeeds, test whether DNS resolution via HYAS Protect is working. The HYAS Protect Agent uses a local DNS proxy (127.0.0.1) to forward queries to HYAS resolvers.

1. Open the Command Line Tool:

   1. Windows: Press Windows + R, type cmd, and press Enter.
      (Alternatively, search for “Command Prompt” in the Start menu.)

   2. macOS: Press Command + Space, type Terminal, and press Enter.

2. Run the Nslookup Command:

   1. In the window that opens, type:

      1. CODE

         nslookup google.com

   2. On Windows or macOS, this queries your configured DNS server (should be HYAS Protect if properly configured).

3. Check the Results:

   1. If you see a valid IP address, DNS resolution is working:

      1. Example (Windows/macOS):

         1. CODE

            Server:  127.0.0.1
            Address: 127.0.0.1#53
            
            Non-authoritative answer:
            Name:    google.com
            Address: 142.250.72.14

      2. Note: Seeing 127.0.0.1 as the server is expected with the HYAS Protect Agent, because it proxies DNS through the local loopback address.

      3. Important: HYAS Protect resolvers do not respond to ICMP (ping) requests. Use nslookup or dig to test DNS resolution — do not attempt to ping the HYAS resolvers directly.

   2. If you see an NXDOMAIN or non-existent domain message, it may indicate blocking:

      1. HYAS Protect may return NXDOMAIN (no such domain) if the site is blocked by policy.

         1. Example:

            1. CODE

               ** server can't find examplemalware.com: NXDOMAIN

   3. If you see “Timed out” or “Server not found,” DNS is not responding:

      1. Could be misconfiguration or inability to reach HYAS Protect resolvers.

         1. Example:

            1. CODE

               DNS request timed out.
               timeout was 2 seconds.

               1. This indicates the HYAS Protect Agent cannot reach upstream DNS servers or is misconfigured. Check network connectivity or restart the agent.

Verify that your system is correctly pointing to the HYAS Protect Agent (loopback):

Windows:

ipconfig /all 

• Look for 127.0.0.1 under DNS Servers.

macOS:

scutil --dns | grep 'nameserver'

• Confirm the DNS server shows 127.0.0.1.

If DNS still fails after the above steps, perform deeper troubleshooting:

1. Enable/Disable the Agent

   1. Temporarily disable the HYAS Protect Agent (or stop the service) and re-test connectivity.

   2. If internet works without the agent: The issue is likely within HYAS Protect configuration or policy.

   3. If internet still fails without the agent: Problem is unrelated to HYAS Protect (check network/firewall).

2. Test from Outside the Device

   1. From another device on the same network, perform the same ping and DNS tests.

   2. If other devices work: Issue is local to the original machine.

   3. If other devices fail too: Check upstream network/firewall settings.

3. Firewall and Outbound DNS

   1. Ensure your firewall allows outbound DNS queries (UDP/TCP port 53) to HYAS Protect resolvers.

   2. Blocking outbound DNS will cause timeouts during nslookup.

Generate Troubleshooting Logs

HYAS Protect uses an SSL-intercepting proxy to display custom block pages for HTTPS sites. To do this, it generates SSL certificates on the fly. If the HYAS Root Certificate Authority (CA) is not installed on your device, this can result in browser SSL warnings or errors.

You're seeing this warning because HYAS Protect is blocking access to a site—either because it’s malicious or it violates your organization's policies—and is attempting to show a block page in its place. To properly view these block pages without SSL errors, the HYAS Root CA must be installed on your device.

You can download the HYAS Root CA and follow installation instructions at: http://ca.hyas.com

Port 53 on each IP address supports only one listening process, in accordance with standard IP network design.

On the external interface, the HYAS Protect Relay process must occupy this port to handle incoming DNS traffic. Depending on the configuration of local domains, it can subsequently forward requests to the Windows DNS service, if necessary. However, prior to this, the Windows DNS service must cease listening on port 53.

Instructions on how to configure the Relay to listen on port 53:

Checking which processes are listening on port 53

• In PowerShell, run the following command to check for processes listening on port 53 and their associated IP addresses.

netstat -an | Select-String 53 | Select-String listen

• This command retrieves TCP connections listening on port 53 and displays the local IP address and port.

• When configured properly, the output will look similar to this:

PS C:\Users\Administrator> netstat -an | Select-String 53 | Select-String listen

  TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:53           0.0.0.0:0              LISTENING
  TCP    [::]:5357              [::]:0                 LISTENING
  TCP    [::1]:53               [::]:0                 LISTENING
  TCP    [fe80::608c:dc7e:e701:f49f%14]:53  [::]:0                 LISTENING

• In this scenario, port 53 is currently utilized by the localhost IPv4 (127.0.0.1), localhost IPv6 (::1), and the fe80:xxx IPv6 address. However, the Windows DNS server is not configured to listen on the IP address of the domain controller (10.0.10.98), as observed.

If port 53 is not currently in use by the localhost, you can configure it to do so by following these steps:

1. Navigate to your Windows DNS Server and right-click and select “DNS Manager”

   

2. From here, you should see all of your DNS Servers. Next, right-click each one and select “Properties”

   

3. Now, select the “Interfaces” tab:

   

You may need to restart the DNS service for the changes to take effect

4. In this example, we’ll need the Windows DNS Server to stop listening on 10.0.10.98.

   1. To do this, unselect the check box next to 10.0.10.98 and click “OK”

   2. You may need to restart the DNS service for the changes to take effect

      

   3. Although not explicitly displayed in the user interface, it's important to note that the Windows DNS server also listens on port 53 of the IPv4 localhost (127.0.0.1) and IPv6 localhost (::1).

5. For this example, the dnsproxy.yaml file looks like:

   YAML

   dns:
     bind_hosts:
       - 10.0.10.98
     port: 53
     upstream_dns:
       - https://a.b.c.d/dns-query (the default Protect resolvers)
       - '[/your-local-domain-here/]127.0.0.1'

6. The HYAS Protect Relay will be configured to bind to port 53 on the IP address 10.0.10.98 to accept DNS requests. Requests for local domains will be forwarded to 127.0.0.1, port 53, where the Windows DNS server is operational. DNS queries for non-local domains will be routed to the HYAS Protect Resolvers and thus shown in the HYAS Protect UI.