DNS Troubleshooting
Troubleshooting domain resolution when DNS-layer security is applied
- DNS Resolution Overview
- DNS Resolution via Banyan’s Global DNS Service
- DNS Resolution via Banyan’s Access Tier or the Connector
- DNS Resolution via Banyan’s Access Tier
- DNS Resolution via default resolver
DNS Resolution Overview
Banyan applies Internet Threat Protection (ITP) policies to devices, which protects them from internet resources that are not maintained by a trusted organization. Depending on how a device is configured (i.e., whether it has an ITP policy associated with it), there are several different DNS resolution paths.
DNS resolution can happen through Banyan’s components, the device’s default DNS resolver, or Banyan’s Global DNS service. Banyan’s Global DNS service works on two different IP addresses, which resolve or block any DNS requests received in accordance with the ITP policy applied.

DNS Resolution via Banyan’s Global DNS Service
When a DNS request resolves via Banyan’s Global DNS Service, the domain the end user is trying to resolve matches an ITP policy. Banyan’s Global DNS Service checks whether the request is for an allowed or a blocked domain, and resolves or fails the request accordingly. Failed requests are returned a 301 redirect to the configured block page.



DNS Resolution via Banyan’s Access Tier or the Connector
When a DNS request resolves to the Access Tier or the Connector, the domain the end user is trying to resolve matches a private domain specified in either the org’s Access Tier or Connector configuration.

DNS Resolution via Banyan’s Access Tier
When a DNS request resolves to the Access Tier, the domain the end user is trying to resolve matches a public domain specified in either the org’s Access Tier or Connector configuration. In this case, the request is resolved only at the Access Tier, because no Connector is required to route traffic to a public domain. If the org is using Banyan’s Global Edge, the DNS request is resolved via the Global Edge instead.

DNS Resolution via default resolver
When the DNS request is resolved using the device’s default resolver, the domain the end user is trying to resolve does not match any configured Service Tunnel or ITP policy domains in the org. Alternatively, if the domain matches a local domain on the device’s LAN, it will resolve via the default resolver, even if the domain matches an ITP policy or a Service Tunnel.
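The four paths above can be combined into one lookup that tells you which resolver should answer a given name, which you can then compare against what the device actually does. This is an added example, not Banyan code: `OrgConfig`, `matches`, `expected_path` and the sample domains are hypothetical, subdomain matching is assumed, and checking Service Tunnel domains before ITP domains is an assumption the page does not state.

```python
from dataclasses import dataclass, field

@dataclass
class OrgConfig:
    """Hypothetical container for domain lists an admin collects by hand."""
    itp_domains: set = field(default_factory=set)      # covered by an ITP policy
    private_domains: set = field(default_factory=set)  # private Service Tunnel domains
    public_domains: set = field(default_factory=set)   # public Service Tunnel domains
    lan_domains: set = field(default_factory=set)      # local domains on the device's LAN
    uses_global_edge: bool = False

def matches(name, domains):
    """Assumed matching rule: exact name or any subdomain of a listed domain."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d)
               for d in (x.rstrip(".").lower() for x in domains))

def expected_path(name, cfg):
    """Return (expected resolution path, every category the name matched)."""
    hits = [label for label, domains in (
        ("lan", cfg.lan_domains), ("private", cfg.private_domains),
        ("public", cfg.public_domains), ("itp", cfg.itp_domains))
        if matches(name, domains)]
    if "lan" in hits:
        # Page: a local LAN domain uses the default resolver even when it
        # also matches an ITP policy or a Service Tunnel.
        return "default resolver", hits
    if "private" in hits:  # assumption: Service Tunnel checked before ITP
        return "Access Tier or Connector", hits
    if "public" in hits:
        return ("Global Edge" if cfg.uses_global_edge else "Access Tier"), hits
    if "itp" in hits:
        return "Global DNS Service", hits
    return "default resolver", hits

# Constructed sample configuration (not real Banyan data).
SAMPLE = OrgConfig(
    itp_domains={"blocked.example", "printer.corp.example"},
    private_domains={"wiki.corp.example"},
    public_domains={"app.example.com"},
    lan_domains={"printer.corp.example"},
)

if __name__ == "__main__":
    for q in ("ads.blocked.example", "wiki.corp.example", "app.example.com",
              "printer.corp.example", "unrelated.example.org"):
        path, hits = expected_path(q, SAMPLE)
        print(f"{q:28} -> {path:26} matched={hits}")
```

A name that matches more than one category, such as `printer.corp.example` in the sample, is the case to check first when a domain resolves through an unexpected path.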



