How DNS Works with Twingate

Twingate is not a VPN, and instead uses a transparent proxy system to connect users to private Resources. By taking this approach, user devices never join your private network and also require neither direct routing nor private DNS resolver access to complete network connections. This allows you to simultaneously achieve a much stronger default security posture and a much-improved end user experience. Users can only access Resources that they have explicitly been granted access to, and Resource addresses are shielded from public inspection.

The step-by-step example flow and diagram below explain how users can access private DNS addresses without having access to the private DNS resolver. (Note that the same flow applies for Resources with public DNS entries: resolution will still pass through the configured Connector on your private network, overriding the public DNS lookup route directly from the user's device.)

DNS Resolution Flow with Twingate

  1. An application on the client device sends a DNS request for a private Resource to the operating system, which is intercepted by the Twingate Client application. The Twingate Client app runs a DNS resolver for this purpose.
  2. The Twingate Client's DNS resolver responds with an IP address uniquely assigned to the Resource. Note that this assigned IP address is not related to the actual private IP of the Resource in question. IP addresses are assigned from the shared CGNAT range so as not to conflict with any local or configured network ranges.
  3. The application on the user's device initiates communication with the Twingate-assigned IP address and the Client acts as a transparent proxy, forwarding traffic to the appropriate Twingate Connector. The Twingate Client keeps a mapping between assigned IPs and Resources, with the effect being that local applications see DNS resolution for Twingate-defined private DNS entries.
  4. The Connector, upon receiving the connection request, sends a DNS request to the network's private DNS server. As long as the Connector is able to resolve the DNS resource you have defined in Twingate and route traffic to the destination, the connection to the private Resource will succeed.
  5. The private DNS server responds with the private IP address of the Resource in question. This allows traffic to be routed to the destination host. The destination host's IP address is not revealed to the Client or application as it sits behind the transparent proxy connection that Twingate has established.
  6. Finally, the Connector initiates communication with the requested Resource's private IP, proxying traffic from the application on the user's device. This completes the end-to-end connection.
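The following is a small model of the six steps above, added here as an illustration and not Twingate's own code. The hostnames, the 10.20.0.0 private addresses and the class names are constructed assumptions; the point it shows is that the application only ever sees a CGNAT address and an opaque session, while the real private IP stays on the Connector's side.

```python
import ipaddress

# Constructed sample data (assumptions for this example, not Twingate's values).
PRIVATE_DNS = {"db.internal.example": "10.20.0.15", "wiki.internal.example": "10.20.0.40"}
GRANTED = {"db.internal.example", "wiki.internal.example", "stale.internal.example"}
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # shared address space (RFC 6598)

class ClientResolver:
    """Models the Client-side resolver and transparent proxy (steps 1-3)."""
    def __init__(self, granted):
        self.granted = set(granted)
        self._pool = CGNAT.hosts()          # one unique address per Resource
        self.name_to_ip, self.ip_to_name = {}, {}

    def resolve(self, name):
        # Only granted Resources are intercepted; anything else falls through to
        # normal OS resolution, modelled here as None.
        if name not in self.granted:
            return None
        if name not in self.name_to_ip:
            ip = str(next(self._pool))
            self.name_to_ip[name], self.ip_to_name[ip] = ip, name
        return self.name_to_ip[name]

    def connect(self, dst_ip, connector):
        # The app dials the assigned IP; the Client maps it back to the Resource
        # name and hands the connection to a Connector. No private IP is needed.
        name = self.ip_to_name.get(dst_ip)
        return connector.accept(name) if name else None

class Connector:
    """Models the Connector on the private network (steps 4-6)."""
    def __init__(self, private_dns):
        self.private_dns = private_dns
        self.sessions = {}                  # session id -> private IP, kept here only

    def accept(self, name):
        real_ip = self.private_dns.get(name)  # step 4: ask the private DNS server
        if real_ip is None:
            return None                     # Connector cannot resolve -> connection fails
        sid = len(self.sessions) + 1
        self.sessions[sid] = real_ip        # steps 5-6: route to the real host
        return {"session": sid}             # the Client sees only an opaque handle

def run_flow(name, resolver, connector):
    """Full step 1-6 flow for one hostname; returns what the Client observes."""
    assigned = resolver.resolve(name)
    if assigned is None:
        return None
    return {"assigned_ip": assigned, "reply": resolver.connect(assigned, connector)}
```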
