Best Practices for Configuring Private DNS with Twingate

While it is not a requirement, Twingate recommends that your network be configured so that Resources are accessible via private DNS exclusively because it offers several advantages over using IP addresses or public DNS:

  • Public DNS entries for private Resources (on the private network) creates a potential leak of information that could be leveraged by attackers and is unnecessary.
  • Accessing Resources by IP address can be error-prone and not user-friendly for end users.
  • It is possible to encounter IP overlap (e.g. being used for 2 separate Resources on 2 separate Networks). Using DNS names instead of IP addresses removes the ambiguity and allows you to connect to both Resources, even if they have been assigned the same private IP address.

Setup and Structure

Thinking about your DNS structure before deploying will pay off in the end.

For example, it can be very useful to define DNS zones that map to permissions or roles you’d like to configure in Twingate.

To do this, let’s define the following DNS zone: with all engineering systems under it:

host1, host2 and host3 are all part of the DNS zone and can be resolved at host[n]

With this in mind, you can simply create a single Twingate Resource pointing to the DNS Zone:

And we can now map this Resource to a Twingate Group for Engineering:

What You Need To Know About Resource and Connector Placement

Alternatively, there is an option to use a custom DNS server for the Connector, but it can make configuration a bit more difficult, therefore we recommend leveraging whatever DNS servers are configured on the Connector host.

Last updated 4 months ago