MDE and Agents

Overview

Microsoft Defender for Endpoint (MDE) and EnforceDNS Agents are both excellent solutions for Protective DNS. However, they are solutions that need to remain independent of each other and should not be deployed on the same device.

Why MDE and EnforceDNS Agents Can’t Be Deployed Together

The two methods use fundamentally different mechanisms to intercept and route DNS traffic, and they collide at the OS level when both are present on the same device.

The EnforceDNS Agent works as a local DNS proxy. It installs on the endpoint, points the OS to use 127.0.0.1:53 for DNS, and routes all DNS queries through itself to the EnforceDNS cloud resolver. It owns DNS at the device level.

The MDE integration works by having Microsoft Defender for Endpoint collect DNS telemetry from the device and stream it via an Event Hub to EnforceDNS for analysis and verdict enforcement. MDE is doing its own DNS-level data collection and enforcement through its own kernel-level sensor.

What Happens If MDE and an Agent Are on the Same Device

When both are running on the same device you get:

  • Two things trying to own or intercept DNS traffic simultaneously

  • The Agent's local DNS proxy conflicting with MDE's sensor collection

  • EnforceDNS resolution and the Agent's local domain bypass logic breaking, because the local network traffic flow isn't what the Agent expects

  • Check-in failures and AD timeouts because the underlying DNS resolution the Agent depends on is being disrupted

Conflicting DNS routing breaks name resolution on the device. MDE-targeted devices should not use the EnforceDNS Agent, and any manual DNS configurations (such as pointing the OS at 127.0.0.1) should be disabled.
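As an added example that is not part of this page or of EnforceDNS's or Microsoft's own tooling, the PowerShell below audits a Windows endpoint for the coexistence described above: the MDE sensor service (Sense) running while the OS points DNS at 127.0.0.1, something listens on port 53 locally, or the Agent service is installed. The EnforceDNS Agent service name is an assumed placeholder; confirm it against a real install.

```powershell
# Added pre-deployment audit (not EnforceDNS or Microsoft code). Flags a device
# where the MDE sensor and a local DNS proxy such as the EnforceDNS Agent coexist.
param(
    # Placeholder: the real EnforceDNS Agent service name is not given on this page.
    [string]$AgentServiceName = 'EnforceDNSAgent'
)

$findings = @()

# 1. Is the MDE sensor present? 'Sense' is the service name of the Defender for Endpoint sensor.
$sense = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
$mdePresent = ($null -ne $sense) -and ($sense.Status -eq 'Running')

# 2. Is any interface pointed at a loopback DNS server (the Agent sets 127.0.0.1)?
$loopbackIfaces = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses -contains '127.0.0.1' } |
    Select-Object -ExpandProperty InterfaceAlias

# 3. Is a local process listening on port 53 (a DNS proxy owning DNS on the device)?
$udp53 = Get-NetUDPEndpoint -LocalPort 53 -ErrorAction SilentlyContinue
$tcp53 = Get-NetTCPConnection -LocalPort 53 -State Listen -ErrorAction SilentlyContinue
$proxyListening = [bool]($udp53 -or $tcp53)

# 4. Is the Agent service itself installed?
$agent = Get-Service -Name $AgentServiceName -ErrorAction SilentlyContinue

if ($mdePresent -and ($loopbackIfaces -or $proxyListening -or $agent)) {
    $findings += 'CONFLICT: MDE sensor running alongside a local DNS proxy configuration.'
    if ($loopbackIfaces) { $findings += "  Interfaces using 127.0.0.1 for DNS: $($loopbackIfaces -join ', ')" }
    if ($proxyListening) { $findings += '  A local process is listening on port 53.' }
    if ($agent)          { $findings += "  Service '$AgentServiceName' is installed (status: $($agent.Status))." }
    $findings += '  Remediation: remove the EnforceDNS Agent from MDE-targeted devices and clear manual DNS settings.'
} else {
    $findings += 'OK: no MDE/Agent DNS ownership conflict detected.'
}

$findings
```

Run it from an elevated PowerShell session on the endpoint; the NetTCPIP and DnsClient modules it relies on ship with Windows 8/Server 2012 and later.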

Conclusion

Both methods work well independently, but they are solving the same problem through different mechanisms and stepping on each other when combined.