Best Practices for Configuring Private DNS with Twingate

additional resources

Help Center ↗

Changelog

FAQ

Twingate Trust Center

GDPR Compliance

HIPAA Compliance

PCI Compliance

SOC 2 Report

Responsible Disclosure Policy

While it is not a requirement, Twingate recommends that your network be configured so that Resources are accessible via private DNS exclusively because it offers several advantages over using IP addresses or public DNS:

Public DNS entries for private Resources (on the private network) creates a potential leak of information that could be leveraged by attackers and is unnecessary.
Accessing Resources by IP address can be error-prone and not user-friendly for end users.
It is possible to encounter IP overlap (e.g. 10.0.1.34 being used for 2 separate Resources on 2 separate Networks). Using DNS names instead of IP addresses removes the ambiguity and allows you to connect to both Resources, even if they have been assigned the same private IP address.

Setup and Structure

Setting up a private DNS zone is easier now than it's ever been!

Services like AWS Route 53 and Azure DNS eliminate the need to deploy a dedicated DNS server yourself.

For on premises networks, you will usually want to deploy a DNS server on a host on the internal network.

Thinking about your DNS structure before deploying will pay off in the end.

For example, it can be very useful to define DNS zones that map to permissions or roles you’d like to configure in Twingate.

To do this, let’s define the following DNS zone: .engineering.yourcompany.com with all engineering systems under it:

host1, host2 and host3 are all part of the DNS zone and can be resolved at host[n].engineering.yourcompany.com

With this in mind, you can simply create a single Twingate Resource pointing to the DNS Zone:

And we can now map this Resource to a Twingate Group for Engineering:

Great! With this setup, any new systems added underneath .engineering.yourcompany.com will automatically be accessible to the engineering team, saving you from needing to configure these Resources manually.

What You Need To Know About Resource and Connector Placement

Who's In Charge of Domain Name Resolution?

In Twingate, the resolution of FQDNs is done by the Connector (in the same way any host on the same subnet as the Connector would).

If you want to confirm that a Connector will be able to resolve hostX.Y.mycompany.com, simply log into the Connector host and run the following command:

nslookup hostX.Y.mycompany.com

Alternatively, there is an option to use a custom DNS server for the Connector, but it can make configuration a bit more difficult, therefore we recommend leveraging whatever DNS servers are configured on the Connector host.

Last updated 8 months ago

Home

Guides

Use Cases

VPN Replacement

Infrastructure Access

Device Security Controls

Application Gating

Homelab & Personal Use Cases

Internet Security

Compliance

Architecture

How Twingate Works

How DNS Works with Twingate

Twingate vs. VPNs

Twingate vs. Mesh VPNs

Peer-to-peer Communication

How NAT Traversal Works

Encryption in Twingate

API

Getting Started with the API

Schema

Twingate Labs ↗

managing twingate

Quick Start

Automated Deployment

Connectors

Understanding Connectors

Deploying Connectors

Best Practices

Updating Connectors

Advanced Connector Management

Resources

Remote Networks

Aliases

Usage-based Auto-lock

Ephemeral Access

Team

Users

Groups

Identity Providers

Security Policies

Policy Guides

Two-Factor Authentication

Devices

Client Application

Managed Devices

Device Administration

Services

Headless Clients

CI/CD Configuration

Analytics

Network Overview

Audit Logs

Network Traffic

User Activity

Syncing Data to AWS S3

Internet Security

DNS Filtering

DNS-over-HTTPS (DoH)

Internet Security Client Configuration

Exit Networks

Administration

Admin Console Security

Subscription Management

Managed Service Providers

Cancel Your Subscription