How Twingate forwards DNS

The Twingate Client locally resolves DNS requests for A records to IP addresses in the 100.64.0.0/10 CGNAT range. The Client also modifies the local routing table so that traffic for part of this range (100.96/12) is routed through the local Twingate network interface. Each Resource therefore resolves to a CGNAT IP locally, and all traffic for that Resource is handled by the Twingate network interface and proxied to the Connector.

The Client usually does not interfere with requests for DNS records other than A. In general, requests for other record types are forwarded to the Remote Network and resolved by the Connector using the network’s private DNS server. For example, the TXT record for nas.home.int can be retrieved by running dig TXT nas.home.int:

mbp.local % dig TXT nas.home.int
; <<>> DiG 9.10.6 <<>> TXT nas.home.int
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1369
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;nas.home.int. IN TXT
;; ANSWER SECTION:
nas.home.int. 3600 IN TXT "Hello, I'm a TXT record used as a contrived documentation example."
;; Query time: 84 msec
;; SERVER: 100.95.0.251#53(100.95.0.251)
;; WHEN: Fri Dec 16 15:56:45 PST 2022
;; MSG SIZE rcvd: 226

When Twingate doesn’t forward DNS traffic

In general, DNS traffic will be forwarded to Remote Networks. However, this will not happen when a DNS request is made for a Resource that has port 53/UDP (the port that DNS uses) blocked. Instead, non-A requests will return an empty response, since communication with that Resource over port 53/UDP is blocked. For example, if nas.home.int has port 53/UDP blocked, dig TXT nas.home.int will return an empty response:

mbp.local % dig TXT nas.home.int
; <<>> DiG 9.10.6 <<>> TXT nas.home.int
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1369
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;nas.home.int. IN TXT
;; Query time: 48 msec
;; SERVER: 100.95.0.251#53(100.95.0.251)
;; WHEN: Fri Dec 16 15:58:59 PST 2022
;; MSG SIZE rcvd: 30

This behavior is a side effect of how Twingate port restrictions work. DNS traffic is sent over port 53/UDP, and a DNS query for nas.home.int is interpreted as traffic to nas.home.int on that port. Twingate proxies TCP and UDP and avoids special-casing DNS traffic whenever possible, so because DNS uses port 53/UDP, Twingate treats the query as ordinary UDP traffic to the Connector and applies the Resource’s port restrictions to it.

In general, most applications behave normally when non-A requests are blocked. In cases where blocked DNS requests lead to issues, workarounds are available.

How to explicitly forward DNS traffic

You can explicitly forward DNS traffic by specifying a private Resource as your DNS resolver. The Twingate Client will not interfere with traffic explicitly targeting a private Resource that is a DNS server.

For example, if 10.0.0.2 is both a DNS server and a private Resource, the command dig @10.0.0.2 nas.home.int will forward the request to the Remote Network and answer the request using the specified DNS server. Keep in mind this only works if port 53/UDP is allowed in the Twingate Resource configuration for your DNS resolver, as DNS traffic is limited by the Resource’s port restriction as explained above.

For example, if nas.home.int has port 53/UDP blocked, but the private DNS server 10.0.0.2 has port 53/UDP open, the following will work:

mbp.local % dig @10.0.0.2 TXT nas.home.int
; <<>> DiG 9.10.6 <<>> @10.0.0.2 TXT nas.home.int
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1369
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;nas.home.int. IN TXT
;; ANSWER SECTION:
nas.home.int. 3600 IN TXT "Hello, I'm a TXT record used as a contrived documentation example."
;; Query time: 84 msec
;; SERVER: 10.0.0.2#53(10.0.0.2)
;; WHEN: Fri Dec 16 15:56:45 PST 2022
;; MSG SIZE rcvd: 226

This behavior applies to any DNS traffic that explicitly uses a private Resource as its DNS server.

Example use cases

  • dig @dns-server A nas.home.int will return the “real” IP address for nas.home.int, not the CGNAT address assigned by the Twingate Client.
  • dig @dns-server TXT nas.home.int will return the TXT record for nas.home.int, even in cases where nas.home.int has port 53/UDP blocked.
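As an added illustration (not Twingate’s code or documentation), the following Python model encodes the forwarding rules described on this page: A queries for a Resource are answered locally with its CGNAT address, other record types are forwarded as UDP/53 traffic to the queried Resource and are therefore subject to its port policy, and a query sent to an explicit @server is subject only to that resolver Resource’s policy. The Resource names, addresses and port policies used in it are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import NamedTuple, Optional

# Ranges from the page: Resource A records resolve into the CGNAT block, and the
# Client routes the 100.96/12 part of it through the Twingate interface.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
TWINGATE_ROUTED = ipaddress.ip_network("100.96.0.0/12")
DNS_PORT = 53


@dataclass(frozen=True)
class Resource:
    """A private Resource and its UDP port policy (None = no port restriction). Constructed example data."""
    name: str
    cgnat_ip: str
    allowed_udp_ports: Optional[frozenset] = None

    def allows_udp(self, port: int) -> bool:
        return self.allowed_udp_ports is None or port in self.allowed_udp_ports


class Outcome(NamedTuple):
    kind: str    # "local", "forwarded", "empty" or "not-a-resource"
    detail: str  # CGNAT address, answering server, or the reason for an empty reply


def is_twingate_routed(ip: str) -> bool:
    """True if an A answer is a Client-assigned address that the Client routes via its interface."""
    addr = ipaddress.ip_address(ip)
    return addr in CGNAT and addr in TWINGATE_ROUTED


def resolve(qname: str, qtype: str, resources, resolver: Optional[str] = None) -> Outcome:
    """Model of how the Client handles one query, following the rules on this page."""
    by_name = {r.name: r for r in resources}
    if resolver is not None:
        # dig @server: the query is plain UDP/53 traffic to the resolver Resource, so only
        # that Resource's port policy matters, not the policy of the name being looked up.
        target = by_name.get(resolver)
        if target is None:
            return Outcome("not-a-resource", resolver)  # the page only covers private Resources
        if not target.allows_udp(DNS_PORT):
            return Outcome("empty", f"{resolver} blocks {DNS_PORT}/UDP")
        return Outcome("forwarded", resolver)  # answered by the named private DNS server
    res = by_name.get(qname)
    if res is None:
        return Outcome("not-a-resource", qname)
    if qtype.upper() == "A":
        return Outcome("local", res.cgnat_ip)  # answered locally with the CGNAT address
    if not res.allows_udp(DNS_PORT):  # non-A query counts as UDP/53 traffic to the Resource
        return Outcome("empty", f"{qname} blocks {DNS_PORT}/UDP")
    return Outcome("forwarded", "connector")  # resolved by the Remote Network's DNS server
```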
