DNS Troubleshooting Lookup

| Private Edge with ITP Disabled | |
| --- | --- |
| No Domains Excluded | Resolved at the Access Tier |
| Excluded Domains | Resolved at the client device’s local primary DNS server |

| Private Edge with ITP Enabled | |
| --- | --- |
| No Domains Excluded | Resolved at the Access Tier |
| Excluded Domains (outside of Service Tunnel) | Resolved through DNS Filter (ITP) servers |
| Local Domains (outside of Service Tunnel) | Resolved at the client device’s local primary DNS server |

| Full Tunnel without ITP Enabled | |
| --- | --- |
| No Domains Excluded | Resolved at the DNS server specified in the Service Tunnel spec |
| Excluded Domains (outside of Service Tunnel) | Resolved at the client device’s local primary DNS server |

| Full Tunnel with ITP Enabled | |
| --- | --- |
| No Domains Excluded | Resolved at the DNS server specified in the Service Tunnel spec; ITP will not be effective. |
| Excluded Domains (outside of Service Tunnel) | Resolved at DNS Filter servers; ITP filtering will be effective. |

DNS Scenarios

Private Edge with ITP Disabled

| Use Case | Where does DNS inspection happen? |
| --- | --- |
| Private Domains | DNS resolution takes place at the access-tier tunnel endpoint. |
| Included Domains (resources which are accessible through Service Tunnel and may not be behind an Access Tier; the expectation is that traffic will reach the destination through the Service Tunnel) | DNS resolution takes place at the access-tier tunnel endpoint. Note: WireGuard Service configures routes for resolved IPs via the Service Tunnel. |
| Excluded Domains (resources are accessed outside the Service Tunnel) | DNS resolution takes place at the client’s primary DNS server. Note: WireGuard Service configures routes for resolved IPs via the default gateway. |

Private Edge with ITP Enabled

| Use Case | Where does DNS inspection happen? |
| --- | --- |
| Private Domains (resources behind Access Tier) | DNS resolution takes place at the access-tier tunnel endpoint; DNS filtering will not be effective. |
| Included Domains (resources which are accessible through Service Tunnel and may not be behind an Access Tier; the expectation is that traffic will reach the destination through Service Tunnel) | DNS resolution takes place at the access-tier tunnel endpoint. Note: WireGuard Service configures routes for resolved IPs via included domains through the Service Tunnel; ITP filtering will not be effective. |
| Excluded Domains (resources are accessed outside the Service Tunnel) | DNS resolution takes place at the client’s primary DNS server. Note: WireGuard Service configures routes for resolved IPs via the default gateway; ITP filtering will be effective. |
| Local Domains (the local network domain, such as .local/.lan, where printers/file servers on the local network are connected) | DNS resolution takes place at the local primary DNS servers. ITP filtering will not be effective. Note: local domains are detected automatically by interface DHCP configuration. |

Full Tunnel without ITP Enabled

| Use Case | Where does DNS inspection happen? |
| --- | --- |
| No Domains Excluded | DNS resolution takes place at the DNS server specified in the Service Tunnel spec (which is supposed to be behind the Access Tier). |
| Excluded Domains (resources are accessed outside the Service Tunnel) | DNS resolution takes place at the local DNS servers. Note: WireGuard Service configures routes for resolved IPs via the default gateway. |

Full Tunnel with ITP Enabled

| Use Case | Where does DNS inspection happen? |
| --- | --- |
| No Domains Excluded | DNS resolution takes place at the DNS server specified in the Service Tunnel spec (which is supposed to be behind the Access Tier). |
| Excluded Domains (resources are accessed outside the Service Tunnel) | DNS resolution takes place at the DNS filter servers. Note: WireGuard Service configures routes for the resolved IPs via the default gateway; ITP filtering will be effective. |