Private DNS: Best Practices

While it is not a requirement, Twingate recommends that your network be configured with Resources accessible via private DNS exclusively because it offers several advantages over using** IPs** or Public DNS:

  • Public DNS entries for private Resources (on the private network) creates a potential leak of information that could be leveraged by attackers and is altogether unnecessary.
  • Accessing Resources by IP address can be error-prone and not user-friendly for End Users.
  • It is possible to encounter IP overlap (ex: being used for 2 separate resources on 2 separate subnets). Using DNS names instead of IPs removes the ambiguity and allows you to connect to both Resources, even if they are assigned the same private IP.

Setup and Structure

Thinking a bit about your DNS structure before deploying will pay off in the end.

For example, it can be very useful to define DNS zones that map to permissions or roles you’d like to configure in Twingate.

To do this, let’s define the following DNS zone: with all engineering systems under it:

host1, host2 and host3 are all part of the DNS zone and can be resolved at host[n]

With this in mind, you can simply create a single Twingate Resource pointing to the DNS Zone:

And we can now map this Resource to a Twingate Group for Engineering:

What You Need To Know About Resource and Connector Placement

Alternatively, there is an option to use a custom DNS server for the Connector, but it can make configuration a bit more difficult, therefore we recommend leveraging whatever DNS servers are configured on the Connector host.

Last updated 7 months ago