DNS Troubleshooting
- Updated on May 16, 2024

DNS Troubleshooting Lookup

Private Edge with ITP Disabled | |
---|---|
No Domains Excluded | Resolved at the Access Tier |
Excluded Domains | Resolved at the client device’s local primary DNS server |

Private Edge with ITP Enabled | |
---|---|
No Domains Excluded | Resolved at the Access Tier |
Excluded Domains (outside of Service Tunnel) | Resolved through DNS Filter (ITP) servers |
Local Domains (outside of Service Tunnel) | Resolved at the client device’s local primary DNS server |

Full Tunnel without ITP Enabled | |
---|---|
No Domains Excluded | Resolved at the DNS server specified in the Service Tunnel spec |
Excluded Domains (outside of Service Tunnel) | Resolved at the client device’s local primary DNS server |

Full Tunnel with ITP Enabled | |
---|---|
No Domains Excluded | Resolved at the DNS server specified in the Service Tunnel spec; ITP will not be effective. |
Excluded Domains (outside of Service Tunnel) | Resolved at DNS Filter servers; ITP filtering will be effective. |

DNS Scenarios

Private Edge with ITP Disabled | |
---|---|
Use Case | Where does DNS inspection happen? |
Private Domains | DNS resolution takes place at the access-tier tunnel endpoint |
Included Domains (resources which are accessible through Service Tunnel and may not be behind an Access Tier; the expectation is that traffic will reach the destination through the Service Tunnel) | DNS resolution takes place at the access-tier tunnel endpoint. Note: WireGuard Service configures routes for resolved IPs via the Service Tunnel |
Excluded Domains (resources are accessed outside the Service Tunnel) | DNS resolution takes place at the client’s primary DNS server. Note: WireGuard Service configures routes for resolved IPs via the default gateway. |

Private Edge with ITP Enabled | |
---|---|
Use Case | Where does DNS inspection happen? |
Private Domains (resources behind Access Tier) | DNS resolution takes place at the access-tier tunnel endpoint; DNS filtering will not be effective |
Included Domains (resources which are accessible through Service Tunnel and may not be behind an Access Tier; the expectation is that traffic will reach the destination through the Service Tunnel) | DNS resolution takes place at the access-tier tunnel endpoint. Note: WireGuard Service configures routes for the resolved IPs of included domains via the Service Tunnel; ITP filtering will not be effective |
Excluded Domains (resources are accessed outside the Service Tunnel) | DNS resolution takes place at the client’s primary DNS server. Note: WireGuard Service configures routes for resolved IPs via the default gateway; ITP filtering will be effective |
Local Domains (the local network domain, such as .local/.lan, where printers/file servers in the local network are connected) | DNS resolution takes place at the local primary DNS servers; ITP filtering will not be effective. Note: local domains are detected automatically from the interface DHCP configuration |

Full Tunnel without ITP Enabled | |
---|---|
Use Case | Where does DNS inspection happen? |
No Domains Excluded | DNS resolution takes place at the DNS server specified in the Service Tunnel spec (which is supposed to be behind the Access Tier) |
Excluded Domains (resources are accessed outside the Service Tunnel) | DNS resolution takes place at the local DNS servers. Note: WireGuard Service configures routes for resolved IPs via the default gateway. |

Full Tunnel with ITP Enabled | |
---|---|
Use Case | Where does DNS inspection happen? |
No Domains Excluded | DNS resolution takes place at the DNS server specified in the Service Tunnel spec (which is supposed to be behind the Access Tier) |
Excluded Domains (resources are accessed outside the Service Tunnel) | DNS resolution takes place at the DNS filter servers. Note: WireGuard Service configures routes for the resolved IPs via the default gateway; ITP filtering will be effective |