Supporting Unqualified Domain Names

By default, Twingate will only enable connections to fully qualified domain names or FQDNs. A fully qualified domain name specifies all domain levels, for example,

Some organizations would like to configure private Resources so they can be accessed without typing in the entire name, for example to use http://employeeportal instead of This is possible in Twingate with a bit of extra configuration.

1. Define the Resources in Twingate

First, you must define the unqualified domain name that you wish to use as a Resource inside of the Admin Console. You should add this as a separate Resource, in addition to the FQDN, not instead of.

2. Set the search domain on the Connector

The Connector will use whatever search domains are set on the machine the Connector is running on. You should not need to restart the Connector for these changes to take effect.


This can be found under Network Settings in the Advanced Container Configuration section when you add or edit a container instance.

Docker (non-ECS)

When deploying a new Twingate Connector, prior to running the automatically generated script, insert the following line prior to --restart=unless-stopped, replacing with the applicable domain(s) from step 2, above.



  • Edit the file /etc/systemd/resolved.conf and add the domain on the DOMAINS= line, for example
  • Run sudo systemctl restart systemd-resolved.

CentOS and Fedora

  • Run nmcli dev status to list your current Connections. Find the Connection that you use for Internet access.
  • Run sudo nmcli con mod "YOUR CONNECTION NAME" ipv4.dns-search "", replacing YOUR CONNECTION NAME with the actual name of the Connection (not the Device!) from step #1, and with your search domain. Do not remove the quotation marks from the command.
  • Run sudo systemctl restart NetworkManager

Troubleshooting & Notes

If unqualified domain connections are not working correctly, use the following as a debugging checklist:

  • Log into the Connector (if running on a VM) and try to look up an unqualified domain, e.g., nslookup employeeportal. If it doesn’t resolve, it will not work through Twingate.
  • If that works, try the same lookup on a Client device. It should resolve to an IP in the range, which Twingate uses for virtual IPs.

If the internal Resource is a webpage, sometimes web browsers will not recognize the unqualified domain as a domain name if it is entered into the browser and will interpret it incorrectly as a search term. To force the browser to treat it as a domain name, you can explicitly type in the address, e.g., http://employeeportal in the browser. After that, often the browser will “remember” from its history next time and you won’t have to do it again.

Last updated 2 years ago