Private domains failing to resolve in SIA-only orgs

End users' requests timing out when attempting to access private domains

  • Updated on Oct 02, 2025

Overview

End users in SIA-only orgs (i.e., not orgs with SIA and SPA licensing) are unable to access private domains.

Symptoms

  • End users receive a timeout error (e.g., DNS_PROBE_FINISHED_NXDOMAIN) when attempting to access a private domain.

Potential Root Cause(s)

  • The SWG (Secure Web Gateway) agent is agnostic to the domain type (i.e., it doesn’t distinguish between internet domains and private domains). When end users request a private domain, the DNS server associated with the SWG agent therefore can’t resolve the request: it doesn’t recognize the private domain and can’t associate it with a public IP address.

Resolution Steps

Add a domain bypass for each of your org’s private domains:

  1. In the Cloud Secure Edge Command Center, navigate to Internet Access > Internet Threat Protection, and select the relevant ITP policy.

  2. Select the Edit icon (i.e., the pencil icon), and under the Blocking and Bypass tab, go to the Domain Bypass toggle.

  3. Enter the private domain(s) that you want to bypass Blocking.
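
One way to build the list of domains for step 3 is to compare lookup results from the SWG agent's DNS server with those from your internal DNS server, and keep the names that fail at the former but resolve to RFC 1918 addresses at the latter. This is an added example, not Cloud Secure Edge tooling; the log format, the `swg`/`internal` resolver labels and the hostnames are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample, one lookup per line: <resolver> <name> <rcode> <answer or ->
# "swg" = DNS server used by the SWG agent, "internal" = the org's own DNS server.
SAMPLE_LOG = """\
swg intranet.corp.example.com NXDOMAIN -
internal intranet.corp.example.com NOERROR 10.20.0.15
swg wiki.corp.example.com NXDOMAIN -
internal wiki.corp.example.com NOERROR 10.20.0.16
swg www.example.org NOERROR 203.0.113.10
internal www.example.org NOERROR 203.0.113.10
swg typo.example.net NXDOMAIN -
internal typo.example.net NXDOMAIN -
swg git.lab.example.com NXDOMAIN -
internal git.lab.example.com NOERROR 192.168.4.9
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse(log):
    """Return {name: {resolver: (rcode, answer)}}, skipping malformed lines."""
    results = defaultdict(dict)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4:
            resolver, name, rcode, answer = parts
            results[name.lower().rstrip(".")][resolver] = (rcode, answer)
    return results

def is_rfc1918(answer):
    try:
        ip = ipaddress.ip_address(answer)
    except ValueError:  # "-" or anything that is not an IP address
        return False
    return any(ip in net for net in RFC1918)

def bypass_candidates(log):
    """Names the SWG resolver cannot resolve but the internal resolver maps to RFC 1918 space."""
    found = []
    for name, seen in parse(log).items():
        swg, internal = seen.get("swg"), seen.get("internal")
        if swg and internal and swg[0] == "NXDOMAIN" \
                and internal[0] == "NOERROR" and is_rfc1918(internal[1]):
            found.append(name)
    return sorted(found)

if __name__ == "__main__":
    print("\n".join(bypass_candidates(SAMPLE_LOG)))
```

Names that return NXDOMAIN from both resolvers (such as the constructed `typo.example.net`) are excluded, since a bypass would not make them resolve.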