Supporting Unqualified Domain Names

By default, Twingate will only enable connections to fully qualified domain names or FQDNs. A fully qualified domain name specifies all domain levels, for example,

Some organizations would like to configure private Resources so they can be accessed without typing in the entire name, for example to use http://employeeportal instead of This is possible in Twingate with a bit of extra configuration.

1. Define the Resources in Twingate

First, you must define the unqualified domain name that you wish to use as a Resource inside of the Admin Console. You should add this as a separate Resource, in addition to the FQDN, not instead of.

Note: Not specifying both the unqualified name and the FQDN will result in connection errors. For example, create Resources for both employeeportal and


Why do we need the unqualified name as a separate Resource?

Twingate leverages split-tunneling: this means the Twingate Client needs to intercept only network traffic meant for Twingate Resources.

If you do not add the unqualified name as a Resource, the Client has no way to know that network traffic bound to the unqualified name needs to be intercepted by Twingate.

2. Set the search domain on the Connector

The Connector will use whatever search domains are set on the machine the Connector is running on. You should not need to restart the Connector for these changes to take effect.

For AWS ECS, this can be found under Network Settings in the Advanced Container Configuration section when you add or edit a container instance

For Docker (non-ECS)
When deploying a new Twingate Connector, prior to running the automatically generated script, insert the following line prior to --restart=unless-stopped, replacing with the applicable domain(s) from step 2, above.


For Ubuntu

  1. Edit the file /etc/systemd/resolved.conf and add the domain on the DOMAINS= line, for example
  2. Run sudo systemctl restart systemd-resolved.

For CentOS and Fedora

  1. Run nmcli dev status to list your current Connections. Find the Connection that you use for Internet access.
  2. Run sudo nmcli con mod "YOUR CONNECTION NAME" ipv4.dns-search "", replacing YOUR CONNECTION NAME with the actual name of the Connection (not the Device!) from step #1, and with your search domain. Do not remove the quotation marks from the command.
  3. Run sudo systemctl restart NetworkManager

Troubleshooting & Notes

If unqualified domain connections are not working correctly, use the following as a debugging checklist:

  1. Log into the Connector (if running on a VM) and try to look up an unqualified domain, e.g., nslookup employeeportal. If it doesn't resolve, it will not work through Twingate.
  2. If that works, try the same lookup on a Client device. It should resolve to an IP in the range, which Twingate uses for virtual IPs.

If the internal Resource is a webpage, sometimes web browsers will not recognize the unqualified domain as a domain name if it is entered into the browser and will interpret it incorrectly as a search term. To force the browser to treat it as a domain name, you can explicitly type in the address, e.g., http://employeeportal in the browser. After that, often the browser will "remember" from its history next time and you won't have to do it again.

Did this page help you?