managing twingate

Quick Start

Automated Deployment

Connectors

Resources

Remote Networks

Best Practices

JIT Access Requests

Usage-based Auto-lock

Ephemeral Access

Resource Tags

Aliases

Kubernetes

Route Traffic from Kubernetes

Manage Kubernetes using kubectl

Private Resources in Kubernetes

Publicly Exposed Resources in Kubernetes

Privileged Access for Kubernetes

Team

Users

Admins

How to Offboard Users

Social Logins

Groups

Identity Providers

Entra ID Configuration

Google Workspace Configuration

JumpCloud Configuration

Keycloak Configuration

Okta Configuration

OneLogin Configuration

SCIM Provisioning API

Security Policies

Location requirements via geoblocking

Security Policies: Migration Guide

Policy Guides

Authentication

Device-only Resource Policies

Trusted Devices

Two-Factor Authentication

Devices

Client Application

Endpoint Requirements

Using Twingate

Managed Devices

Windows Client Migration to .NET 8

macOS & iOS

macOS standalone Client

Windows Managed Devices

Device Administration

1Password XAM Configuration

CrowdStrike Configuration

Device Security Posture Checks

Device Security Guide

Intune Configuration

Jamf Configuration

Kandji Configuration

Linux device ID migration

Manually Verified Devices

SentinelOne Configuration

Services

Headless Clients

Linux Headless Mode

Windows Headless Mode

CI/CD Configuration

Analytics

Network Overview

Audit Logs

Admin Console Export

Audit Logs Schema

Network Traffic

Detailed Network Event Schemas

Network Events Admin Console Export

User Activity

Device Report

Syncing Data to AWS S3

Internet Security

Browser Security

NextDNS Integration

DNS Filtering

DNS-over-HTTPS (DoH)

Internet Security Client Configuration

Exit Networks

Administration

Admin Console Security

Subscription Management

Managed Service Providers

Customer Network

MSP Billing

Cancel Your Subscription

Notifications

Troubleshooting

Device Failures

DNS Failures

Connector Failures

Firewall Failures

Split Tunnel Failures

additional resources

Help Center ↗

Need help?

Troubleshooting

Changelog

FAQ

Twingate Trust Center

Twingate & Customer Data

DORA Compliance

GDPR Compliance

HIPAA Compliance

PCI Compliance

SOC 2 Report

Responsible Disclosure Policy

DNS Failures

How to Troubleshoot User DNS Issues

DNS Resolution Problems

A cornerstone of Twingate’s functionality is its handling of DNS. The Client intercepts DNS queries for protected Resources and securely forwards them to a Connector, which resolves the name using your internal DNS servers. A failure in this process means the user’s application never gets the correct IP address to connect to.

Common Symptoms:

A user is connected to Twingate, but when they try to access an internal web application, they get a browser error like DNS_PROBE_FINISHED_NXDOMAIN or “This site can’t be reached.”
A desktop or mobile application fails to connect, with logs showing errors like “host not found” or “cannot resolve hostname.”
In the Twingate Admin Console, the Activity report for the Resource shows events with a “DNS lookup error” status.

How to Identify and Troubleshoot:

Test DNS Resolution on the Client device: Use standard command-line tools on the user’s device to see how DNS is behaving.
- Open a command prompt or terminal and run nslookup <resource_fqdn> (e.g., nslookup jira.mycompany.internal).
- Correct Behavior: If the Twingate Client is correctly intercepting the request, the command should return an IP address from the Carrier-Grade NAT (CGNAT) range: 100.96.0.0/12. This is a virtual IP address that Twingate uses internally and it confirms that the Client has identified the destination as a protected Resource. (See our guide on How DNS Works with Twingate for more information.)
- Incorrect Behavior: If the command times out, returns a public IP address, or returns an error, it means the Client is not intercepting the request. This could be because the Resource isn’t defined correctly in the Admin Console, the logged-in user isn’t a member of a Group with access to the Resource, or the Client itself is having an issue.
Check for CGNAT IP Address Conflicts: This is a critical and often overlooked issue. Twingate reserves the 100.96.0.0/12 IP address range for its internal operations. If the user’s local network or their ISP uses this same range for device IP addresses or DNS servers, it will cause a conflict.
- Diagnosis: On the user’s machine, check their network configuration. On Windows, run ipconfig /all. On macOS, run scutil --dns. Look at the assigned IP addresses and, most importantly, the DNS server addresses. If any of these—except the Twingate adapter—fall within the 100.96.0.0 to 100.127.255.255 range, there is a conflict.
- Resolution: The simplest fix is to have the user manually configure their device’s DNS settings to use a public DNS provider that is outside the conflicting range, such as Google DNS (8.8.8.8, 8.8.4.4) or Quad9 (9.9.9.9).
Check DNS Resolution on the Connector Host: If the Admin Console’s Activity report explicitly shows a “DNS lookup error,” the problem isn’t on the Client’s end. It means the Client successfully sent the request to the Connector, but the Connector itself couldn’t resolve the name.
- Diagnosis: Log in to the server or container host where the Connector is deployed. From that machine’s command line, run nslookup <resource_fqdn> or dig <resource_fqdn>.
- Resolution: If the command fails on the Connector host, it confirms a local DNS issue. You must resolve the DNS configuration on that host. This might involve editing /etc/resolv.conf on Linux, checking VPC DNS settings in your cloud provider, or ensuring the host has a network path to your internal DNS servers. This is why it’s a best practice to shut down all but one Connector when troubleshooting - it isolates the problem to a single host machine.
Check for Multiple Active Network Interfaces: On some operating systems, particularly Windows and Linux, having both a wired (Ethernet) and wireless (Wi-Fi) connection active on the same subnet can lead to unpredictable routing and DNS behavior.
- Resolution: The most reliable fix is to ensure network interface card (NIC) drivers are up to date, especially for Realtek chipsets. As a workaround, advise the user to disconnect from one of the interfaces (e.g., unplug the Ethernet cable or turn off Wi-Fi) so that only one is active.

If DNS is resolving correctly to a 100.x.x.x address on the Client, but the connection still fails, the issue lies further down the path with the Connector or the network route to it.

Last updated 2 months ago

Home

Guides

Use Cases

VPN Replacement

Infrastructure Access

Device Security Controls

Application Gating

Homelab & Personal Use Cases

Internet Security

Compliance

Architecture

Introduction to DNS

How Twingate Works

How DNS Works with Twingate

Twingate vs. VPNs

Twingate vs. Mesh VPNs

Peer-to-peer Communication

How NAT Traversal Works

How to troubleshoot peer-to-peer connections

Encryption in Twingate

API

Getting Started with the API

Exploring the APIs

Introduction to tg CLI (JavaScript)

Introduction to the Python CLI

Schema

Twingate Labs ↗

managing twingate

Quick Start

Automated Deployment

Connectors

Understanding Connectors

Deploying Connectors

Connector Best Practices

Aptible

How to Deploy a Connector on AWS

How to Deploy a Connector on Azure

How to Deploy a Connector on Linux

How to Deploy a Connector on GCP

K8s Helm Chart

Managed Connectors

Updating Connectors

How to Upgrade Connectors Running in AWS/Azure/Docker Containers

K8s Helm Chart Upgrades

Systemd Service Upgrades

Advanced Connector Management

Connector Details

Connector Health Checks

Connector Metadata

Real-time Connection Logs

Deployment Automation

Supporting Unqualified Domain Names