Supporting Unqualified Domain Names
By default, Twingate will only enable connections to fully qualified domain names, or FQDNs. A fully qualified domain name specifies all domain levels, for example employeeportal.yourcompany.com.
Some organizations would like to configure private Resources so they can be accessed without typing in the entire name, for example to use http://employeeportal instead of http://employeeportal.yourcompany.com. This is possible in Twingate with a bit of extra configuration.
1. Define the Resources in Twingate
First, you must define the unqualified domain name that you wish to use as a Resource inside the Admin Console. Add it as a separate Resource, in addition to the FQDN, not instead of it.
Specify both the unqualified name and the FQDN to prevent connection errors. For example, create Resources for both employeeportal and employeeportal.yourcompany.com.
Why do we need the unqualified name as a separate Resource?
Twingate uses split tunneling: the Twingate Client intercepts only network traffic destined for Twingate Resources.
If you do not add the unqualified name as a Resource, the Client has no way to know that traffic bound for the unqualified name needs to be intercepted by Twingate.
2. Set the search domain on the Connector
The Connector will use whatever search domains are set on the machine the Connector is running on. You should not need to restart the Connector for these changes to take effect.
AWS ECS
This can be found under Network Settings in the Advanced Container Configuration section when you add or edit a container instance.
Docker (non-ECS)
When deploying a new Twingate Connector, before running the automatically generated script, insert the following line before --restart=unless-stopped, replacing yoursearchdomain.com with the applicable domain(s) from step 2, above.
--dns-search yoursearchdomain.com
Ubuntu
- Edit the file /etc/systemd/resolved.conf and add the domain on the DOMAINS= line, for example DOMAINS=yourcompany.com.
- Run sudo systemctl restart systemd-resolved.
CentOS and Fedora
- Run nmcli dev status to list your current Connections. Find the Connection that you use for Internet access.
- Run sudo nmcli con mod "YOUR CONNECTION NAME" ipv4.dns-search "yourcompany.com", replacing YOUR CONNECTION NAME with the actual name of the Connection (not the Device!) from step #1, and yourcompany.com with your search domain. Do not remove the quotation marks from the command.
- Run sudo systemctl restart NetworkManager.
Troubleshooting & Notes
If unqualified domain connections are not working correctly, use the following as a debugging checklist:
- Log into the Connector (if running on a VM) and try to look up an unqualified domain, e.g., nslookup employeeportal. If it doesn't resolve there, it will not work through Twingate.
- If that works, try the same lookup on a Client device. It should resolve to an IP in the 100.64.0.0-100.127.255.255 range, which Twingate uses for virtual IPs.
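The two checklist items above can be scripted so that the same check is run identically on a Connector host and on a Client device. The following is an added example, not part of the Twingate documentation or the Twingate tooling: it resolves a name through the host's resolver (getent honours the configured search domains, which is what the Connector relies on) and classifies the answer against the 100.64.0.0/10 range quoted above. The function names, the use of getent and awk, and the output wording are this example's own choices.

```bash
# Added example (not from the Twingate docs): a POSIX sh helper that automates
# the unqualified-name checklist. The 100.64.0.0-100.127.255.255 bounds come
# from the page; function names and getent/awk usage are assumptions of this
# example.

# Return 0 when $1 is a dotted-quad IPv4 address inside 100.64.0.0/10
# (100.64.0.0-100.127.255.255), the range Twingate uses for virtual IPs.
in_twingate_range() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, non-numeric, or malformed dotting
  esac
  old_ifs=$IFS
  IFS=.
  set -- $1                                 # split the address into octets
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1                  # exactly four octets
  for octet in "$@"; do
    # each octet must be a short decimal number in 0-255
    [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
  # 100.64.0.0/10: first octet 100, second octet 64-127
  [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]
}

# Resolve the unqualified name $1 through the host's resolver and explain what
# the answer means for the checklist. Returns 1 when the name does not resolve.
check_unqualified() {
  name=$1
  ip=$(getent ahostsv4 "$name" 2>/dev/null | awk 'NR == 1 { print $1 }')
  if [ -z "$ip" ]; then
    echo "$name: does not resolve on this host, so it will not work through Twingate from here"
    return 1
  fi
  if in_twingate_range "$ip"; then
    echo "$name -> $ip (Twingate virtual IP: the Client is intercepting this name)"
  else
    echo "$name -> $ip (real address: expected on the Connector host, not on a Client)"
  fi
  return 0
}

# Usage: sh check_unqualified.sh employeeportal
if [ $# -gt 0 ]; then
  check_unqualified "$1"
fi
```

Run it first on the Connector host, where the name should resolve to a real internal address, then on a Client device, where the same name should come back as a virtual IP in the Twingate range. A name that resolves on the Client but not on the Connector points at a missing search domain on the Connector; a name that resolves on the Connector but not on the Client points at the unqualified Resource not being defined in the Admin Console.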
If the internal Resource is a webpage, sometimes web browsers will not recognize the unqualified domain as a domain name when it is entered into the browser and will interpret it incorrectly as a search term. To force the browser to treat it as a domain name, explicitly type in the address with its scheme, e.g., http://employeeportal. After that, the browser will often "remember" it from its history next time and you won't have to do it again.