By default, Twingate will only enable connections to fully qualified domain names (FQDNs). A fully qualified domain name specifies all domain levels, for example, employeeportal.yourcompany.com. Some organizations would like to configure private Resources so they can be accessed without typing in the entire name, for example to use http://employeeportal instead of http://employeeportal.yourcompany.com. This is possible in Twingate with a bit of extra configuration.
1. Define the Resources in Twingate
First, you must define the unqualified domain name that you wish to use as a Resource in the Admin Console. Add it as a separate Resource in addition to the FQDN, not instead of it. If you do not define both the unqualified name and the FQDN, connections will fail with errors. For example, create Resources for
2. Set the search domain on the Connector
The Connector will use whatever search domains are set on the machine the Connector is running on. You should not need to restart the Connector for these changes to take effect.
For AWS ECS, this can be found under Network Settings in the Advanced Container Configuration section when you add or edit a container instance.
- Edit the file /etc/systemd/resolved.conf and add the domain on the DOMAINS= line, for example
- Run sudo systemctl restart systemd-resolved.
For CentOS and Fedora
1. Run nmcli dev status to list your current Connections. Find the Connection that you use for Internet access.
2. Run sudo nmcli con mod "YOUR CONNECTION NAME" ipv4.dns-search "yourcompany.com", replacing YOUR CONNECTION NAME with the actual name of the Connection (not the Device!) from step #1, and yourcompany.com with your search domain. Do not remove the quotation marks from the command.
3. Run sudo systemctl restart NetworkManager
If unqualified domain connections are not working correctly, use the following as a debugging checklist:
- Log into the Connector (if running on a VM) and try to look up an unqualified domain, e.g., nslookup employeeportal. If it doesn't resolve, it will not work through Twingate.
- If that works, try the same lookup on a client. It should resolve to an IP in the 100.64.0.0-100.127.255.255 range, which Twingate uses for virtual IPs.
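The two lookups in the checklist above can be scripted as follows. This is an added example, not Twingate tooling. It assumes a Linux host with getent, and the function names and verdict strings are made up for this example.

```sh
#!/bin/sh
# Usage: sh check_unqualified.sh connector|client NAME

# Return 0 if $1 is an IPv4 address in 100.64.0.0-100.127.255.255.
in_twingate_range() {
    case $1 in
        *[!0-9.]*|''|.*|*.|*..*) return 1 ;;   # not a dotted-decimal string
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                  # split into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]
}

# Verdict for one lookup. $1 = where it ran (connector|client),
# $2 = first address returned (empty if the name did not resolve).
classify_lookup() {
    if [ -z "$2" ]; then
        echo "no-resolution"               # check the search domain first
    elif [ "$1" = client ] && ! in_twingate_range "$2"; then
        echo "resolved-outside-twingate"   # answer is not a Twingate virtual IP
    else
        echo "ok"
    fi
}

# Resolve $2 through the system resolver (search domains apply) and report.
check_name() {
    addr=$(getent ahostsv4 "$2" 2>/dev/null | awk 'NR==1 {print $1}')
    verdict=$(classify_lookup "$1" "$addr")
    echo "$2 -> ${addr:-<none>} [$verdict]"
    [ "$verdict" = ok ]
}

if [ $# -eq 2 ]; then
    check_name "$1" "$2"
fi
```

On a client, a resolved-outside-twingate verdict means the unqualified name was answered by some other resolver or search domain, so the connection would not go through Twingate.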
If the internal Resource is a webpage, web browsers will sometimes not recognize an unqualified domain entered into the address bar as a domain name and will incorrectly interpret it as a search term. To force the browser to treat it as a domain name, you can explicitly type in the address, e.g., http://employeeportal in the browser. After that, the browser will often "remember" it from its history, and you won't have to do it again.