BloxOne Endpoint bypass, in combination with an FQDN and a probe token, is used by BloxOne Endpoint to identify that the endpoint is on-prem and is following the configured on-prem policies. To verify BloxOne Threat Defense probe responses, BloxOne Endpoint periodically sends DNS queries for a non-resolvable probe domain to the default resolvers to avoid the possibility of “spoofed” responses. When a domain is not expected to resolve, none of its subdomains will resolve either. For instance, if some-domain.com is configured as a probe domain, then mail.some-domain.com would also not resolve.

...

Enabling BloxOne Endpoint Protected Bypass Mode on Windows Devices Enabled by Default

By default, Windows devices come with Smart Multi-Homed Name Resolution (SMHN) enabled. This causes DNS requests to be sent across all network interfaces. When a VPN connection is established, it allows all connected devices to resolve TXT records. For effective internal network detection, it is necessary to disable SMHN on Windows laptops. This can be achieved either automatically through the VPN software or manually via group policy settings. If the VPN client does not automatically disable SMHN upon connection, administrators should manually disable it using group policy configurations.
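The following PowerShell sketch is an added example, not Infoblox code. It audits whether SMHN is turned off on a device and can set the local registry equivalent of the Windows group policy "Turn off smart multi-homed name resolution". The registry path and value name are the standard Windows DNS Client policy location and do not come from this page; the function names are hypothetical.

```powershell
# Added example: audit and optionally enforce the SMHN policy on one device.
# Assumption: the policy is stored as the DWORD DisableSmartNameResolution
# under the DNS Client policy key (standard Windows location, not from this page).
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$PolicyName = 'DisableSmartNameResolution'

function Get-SmhnPolicyState {
    # Returns the configured value, or $null when the policy is not set.
    $value = $null
    if (Test-Path -Path $PolicyKey) {
        $item  = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
        $value = $item.$PolicyName
    }
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        PolicyValue  = $value
        SmhnDisabled = ($value -eq 1)   # 1 = SMHN turned off by policy
    }
}

function Disable-Smhn {
    # Requires an elevated session. Supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($PolicyKey, "Set $PolicyName = 1")) {
        if (-not (Test-Path -Path $PolicyKey)) {
            New-Item -Path $PolicyKey -Force | Out-Null
        }
        New-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 1 `
            -PropertyType DWord -Force | Out-Null
    }
}

$state = Get-SmhnPolicyState
$state
if (-not $state.SmhnDisabled) {
    Write-Warning 'SMHN is not disabled by policy; DNS queries may go out on all interfaces.'
    # Uncomment to enforce locally after reviewing the dry run:
    # Disable-Smhn -WhatIf
    # Disable-Smhn
}
```

A domain GPO that configures the same setting overwrites the local value at the next policy refresh, so use the script for auditing or for unmanaged devices and deploy the setting through group policy where a domain is available.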

Disabling Probing Requests

...