Private domains failing to resolve in SIA-only orgs
End users' requests timing out when attempting to access private domains
Overview
End users in SIA-only orgs (i.e., not orgs with SIA and SPA licensing) are unable to access private domains.
Symptoms
- End users receive a timeout error (e.g., DNS_PROBE_FINISHED_NXDOMAIN) when attempting to access a private domain.
Potential Root Cause(s)
- The SWG (Secure Web Gateway) agent is agnostic to the domain type (i.e., it doesn’t distinguish between internet domains and private domains). When end users request a private domain, the DNS server associated with the SWG agent is therefore unable to resolve the DNS request, because it doesn’t recognize the private domain and can’t associate it with a public IP address.
Resolution Steps
Add a domain bypass for each of your org’s private domains:
- In the Cloud Secure Edge Command Center, navigate to Internet Access > Internet Threat Protection, and select the relevant ITP policy.
- Select the Edit icon (i.e., the pencil icon), and under the Blocking and Bypass tab, go to the Domain Bypass toggle.
- Enter the private domain(s) that you want to bypass Blocking.
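To work out which private domains belong in the bypass list, the following added example (not part of the original article or the product) counts NXDOMAIN answers per private zone from a client-side DNS failure log. The log format, the zone names and the function names are assumptions made for illustration.

```python
from collections import Counter

# Assumption: your org's private DNS zones (constructed placeholders).
PRIVATE_ZONES = ["corp.example", "lab.internal"]

# Constructed sample log, hypothetical format: "<client> <qname> <rcode>"
SAMPLE_LOG = """\
10.0.0.5 wiki.corp.example. NXDOMAIN
10.0.0.5 www.example.com NOERROR
10.0.0.7 Git.Lab.Internal NXDOMAIN
10.0.0.7 wiki.corp.example NXDOMAIN
10.0.0.9 notcorp.example NXDOMAIN
10.0.0.9 build.lab.internal SERVFAIL
"""

def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()

def matching_zone(qname, zones=PRIVATE_ZONES):
    """Return the private zone qname falls in, matching on whole labels only."""
    q = normalize(qname)
    # Longest zone first, so a nested zone wins over its parent.
    for zone in sorted(map(normalize, zones), key=len, reverse=True):
        if q == zone or q.endswith("." + zone):
            return zone
    return None

def bypass_candidates(log_text, zones=PRIVATE_ZONES):
    """Count NXDOMAIN answers per private zone; each zone is a bypass candidate."""
    hits = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        _client, qname, rcode = parts
        if rcode.upper() != "NXDOMAIN":
            continue  # other failures (e.g. SERVFAIL) are a different problem
        zone = matching_zone(qname, zones)
        if zone:
            hits[zone] += 1
    return dict(hits)

if __name__ == "__main__":
    for zone, count in sorted(bypass_candidates(SAMPLE_LOG).items()):
        print(f"{zone}: {count} NXDOMAIN answers -> candidate for Domain Bypass")
```

Matching on whole labels keeps a public look-alike such as notcorp.example out of the candidate list.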
