Using local AdGuard DNS server

Is there a way to use the on prem DNS server I have hosted?

It seems I can only get dns traffic to go by the HTTPS options.

hi @Smmw,

Yes, your on prem DNS can be used: here is how DNS works in Twingate: How DNS Works with Twingate | Docs

The gist of it is that your Connectors should be configured to resolve using your on-prem DNS first. The actual resolution of FQDN-style Resources is done Connector side.

I think I understand.

So without any configuration it already uses the on prem DNS server?

But it's only using it for local names? So if I were to block, say, facebook.com on my local DNS server, it would still be accessible?

My use case being to have an on prem DNS with the twingate connector working as a constant site connection to enforce DNS block/allow lists, and if possible to show the IP of the hosts making the requests.

Much like the NextDNS integration just with my own server.

Thanks!

There are 2 separate resolutions: one on the client side and one on the Connector side.

The Twingate Client inserts itself as the first DNS resolver on the device that runs it, which means it intercepts all DNS traffic by default: if the DNS traffic is for a private Resource that exists in Twingate (and is rightfully accessible by the user logged on to the Client) then the Twingate Resolver responds with an arbitrary CGNAT IP with the sole purpose of allowing the Twingate Network adapter to handle that traffic. If the traffic does not match a Twingate Resource, Twingate passes the request to the second resolver on the OS (which is determined by the system usually). In this case, even if the connector cannot resolve facebook.com, the user will still have access to it.

what do you use as a private DNS solution? depending on that, there might be a way to force all DNS requests to it.

oh sorry, you did mention AdGuard. Do you know if there is a way to configure it as a DoH resolver? If so, you could add that in the Twingate Admin Console to allow all Twingate Clients to either intercept DNS queries for private Resources or pass them to AdGuard for resolution, although you would lose the metadata of which client did what, I think…
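As an added illustration of the two resolution stages described in this thread (written for this page, not Twingate's or AdGuard's code), the Python model below uses constructed names and documentation addresses and shows why a block on the on-prem server only takes effect when that server is the client's fallback resolver:

```python
import ipaddress
from typing import Callable, Dict, Iterable, Optional, Tuple

# Simplified model of the two-stage resolution described above; not Twingate's or AdGuard's code.
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # the "arbitrary CGNAT IP" range named in the thread

def make_upstream(records: Dict[str, str], blocklist: Iterable[str] = ()) -> Callable[[str], Optional[str]]:
    """Constructed DNS server stand-in: answers from `records`; blocked names get None (AdGuard-style block)."""
    blocked = {b.lower() for b in blocklist}
    def resolve(name: str) -> Optional[str]:
        name = name.lower().rstrip(".")
        return None if name in blocked else records.get(name)
    return resolve

class ClientResolver:
    """First resolver on the device: answers Twingate Resources itself and hands every other
    name to the next resolver (the OS default, or a DoH server set in the Admin Console)."""
    def __init__(self, resources: Iterable[str], fallback: Callable[[str], Optional[str]]) -> None:
        self.resources = {r.lower().rstrip(".") for r in resources}
        self.fallback = fallback
        self._leases: Dict[str, str] = {}  # name -> CGNAT address handed to the network adapter

    def resolve(self, name: str) -> Tuple[Optional[str], str]:
        name = name.lower().rstrip(".")
        if name in self.resources:
            # The real address is never returned to the client; a placeholder CGNAT IP is
            # handed out so the Twingate adapter, not the OS, carries the traffic.
            self._leases.setdefault(name, str(CGNAT[len(self._leases) + 1]))
            return self._leases[name], "twingate"
        return self.fallback(name), "fallback"

# Constructed sample data (documentation ranges, not real hosts).
PUBLIC = {"facebook.com": "203.0.113.10", "example.com": "203.0.113.20"}
PRIVATE = {"intranet.corp.example": "10.20.30.40"}
RESOURCES = ["intranet.corp.example"]
system_dns = make_upstream(PUBLIC)  # OS default resolver: no blocklist
adguard_dns = make_upstream({**PUBLIC, **PRIVATE}, blocklist=["facebook.com"])  # on-prem AdGuard

def default_setup() -> ClientResolver:
    """Fallback is the OS resolver, so AdGuard's block on facebook.com is never consulted."""
    return ClientResolver(RESOURCES, fallback=system_dns)

def adguard_doh_setup() -> ClientResolver:
    """Fallback is AdGuard itself (e.g. configured as DoH in the Admin Console), so blocks apply."""
    return ClientResolver(RESOURCES, fallback=adguard_dns)

def connector_resolve(name: str) -> Optional[str]:
    """Connector side: an FQDN Resource is resolved against the on-prem DNS, not on the client."""
    return adguard_dns(name)
```

Calling `default_setup().resolve("facebook.com")` returns the public address while `adguard_doh_setup().resolve("facebook.com")` returns no answer; the private Resource gets a CGNAT placeholder in both setups, and only `connector_resolve` sees its real on-prem address.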