DNS trouble - cannot resolve FQDN

Hi.

First, I have to say how easy this setup was. Almost too easy, so easy it makes you wonder :slight_smile:

But I’m having trouble connecting to my network devices using FQDN.
I can connect just fine using IP addresses, but not using DNS names.
I’m running my own (Windows) DNS server.
I can ping it and connect to it, but cannot get it to resolve DNS through Twingate.
When I try to use nslookup directly against the server the DNS request just times out.

I’m running the Twingate connector on premise as a docker container.

Any tips?

Thanks

Hi Dal,

DNS will behave a little differently than you may expect when Twingate is involved.

There’s a good guide on the principles here: How DNS Works with Twingate

TL;DR The way DNS queries work when you run an nslookup is a bit strange:

Assumptions for this example:
a. You have your DNS set to your Windows DNS server prior to installing Twingate (let’s call it 192.168.1.1)
b. google.com is NOT defined as a resource within your Twingate Admin Panel
c. internalresource.com is defined as a resource within your Twingate Admin Panel

NSLookup of a NON Twingate Resource:

  1. You do the nslookup (nslookup google.com)
  2. You’ll see that the NSLookup is going against a 100.x.x.x server, rather than your expected 192.168.1.1 DNS server.
  3. The Twingate client will check its internal resource list, and determines that google.com is not a Twingate protected resource
  4. Unseen to you, Twingate will forward that request over to the original DNS Server for your machine (192.168.1.1)
  5. When that server responds, it will then return the answer it gets.

NSLookup of a Twingate Resource:

  1. You do the nslookup (nslookup google.com)
  2. You’ll see that the NSLookup is going against a 100.x.x.x server, rather than your expected 192.168.1.1 DNS server.
  3. The Twingate client will check its internal resource list, and determines that google.com is a Twingate protected resource
  4. Unseen to you, Twingate will determine what the CGNAT IP from our network corresponds to your resource
  5. Twingate will return that CGNAT IP to the device making the request.

So given this, in a “normal” situation, your lookups should work as expected assuming:

a. The DNS Server is reachable from your machine
b. The DNS Server was defined as your DHCP/Default DNS server prior to connecting to Twingate.

Can you tell me a little bit more about the configuration of your network and the nature of the lookups you’re doing? Are the FQDNs you’re trying to resolve defined as Twingate resources or not?

I’m sure we can get this sorted out for you!

Thanks for your time and patience as we get this resolved.

-arthur
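A small Python model of the lookup flow described in the reply above, added here as an illustration and not Twingate’s own code: the resource table, the "access" flag, the CGNAT range and the DNS server addresses are constructed assumptions. It shows why a CIDR-only resource lets literal IPs through while hostnames are still forwarded to whatever DNS server the machine had before connecting.

```python
import ipaddress
import zlib
from fnmatch import fnmatch

# Constructed resource table modelled on the thread: a /24 CIDR resource and a
# wildcard DNS resource. The "access" flag stands in for the "Add Access" step;
# a resource without it is defined but not usable by this client (assumption).
RESOURCES = [
    {"kind": "cidr", "value": "192.168.1.0/24", "access": True},
    {"kind": "dns", "value": "*.domainname.com", "access": False},
]
ORIGINAL_DNS = "10.0.0.53"  # assumed DNS server the (work) machine used before Twingate
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")  # CGNAT range the client answers from


def matches(resource, query):
    """True if the query (an FQDN or a literal IP) is covered by the resource."""
    if resource["kind"] == "cidr":
        try:
            return ipaddress.ip_address(query) in ipaddress.ip_network(resource["value"])
        except ValueError:
            return False  # a hostname never matches a CIDR resource; only an IP does
    # DNS resources match an exact name or a wildcard such as *.domainname.com
    return fnmatch(query.lower(), resource["value"].lower())


def resolve(query, resources=RESOURCES, original_dns=ORIGINAL_DNS):
    """Model the client's decision for one lookup.

    Returns ("cgnat", <100.64.x.x address>) when the client answers itself, or
    ("forward", <server>) when the query is passed on to the original DNS server.
    """
    for resource in resources:
        if resource["access"] and matches(resource, query):
            # Deterministic per-name address inside the CGNAT range (constructed scheme)
            offset = zlib.crc32(query.lower().encode()) % (CGNAT_NET.num_addresses - 2) + 1
            return ("cgnat", str(CGNAT_NET[offset]))
    return ("forward", original_dns)


def is_cgnat(address):
    """True if an answer came from the client's CGNAT range rather than a real server."""
    return ipaddress.ip_address(address) in CGNAT_NET


if __name__ == "__main__":
    for q in ("192.168.1.50", "server.domainname.com", "google.com"):
        print(q, "->", resolve(q))
```

With access on the wildcard resource switched on, the same hostname is answered from the CGNAT range instead of being forwarded to a server that has never heard of it.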

I run Active Directory at home (don’t ask) complete with my own DNS servers.
Resources that are meant to be reached only from the inside are defined there.
Resources that can be reached from both outside and inside are defined with an external domain registrar as well.
Therefore I use a completely different DNS server when at work (where I have installed my Twingate Windows Client) and when at home.

Maybe I have misunderstood something here.
In my Twingate Network, under Resources, I just added my /24 home network in CIDR format
And that works when connecting using IP addresses only, but no DNS resolving is happening.
Is there another way to get access to the whole network at once, or must each resource be defined granularly?
Can I add several resources?

Thanks

Hmm, it seems that it’s all my fault
When adding the DNS resource (*.domainname.com) I forgot to press the Add Access button.
As soon as I did that, it seems to work no matter what DNS entry I try to access.

Thanks

2 Likes

Don’t worry, if I tried to add up all the “Whoops, durr!” moments in my tech life, I would need a very complicated spreadsheet.

Glad to hear it’s working now!

Have a terrific week!

1 Like