Access Server and DNS Configuration Guide
DNS configuration options for Access Server include pushing specific DNS servers to clients and creating a split-DNS setup.
This page provides information about the Domain Name System (DNS) and Access Server.
How DNS works
The Domain Name System (DNS) maps domain names to IP addresses using name resolution services. When you enter a domain name in a browser, DNS translates it to an IP address to connect you to the correct destination.
DNS and Access Server
You can configure DNS for clients that connect to your Access Server. Access Server can have clients use the same DNS servers as the Access Server host, push specific DNS servers for clients, or not alter clients' DNS servers.
You can set these options in the Admin Web UI on the Internet Access and DNS tab under Access Controls.
You can also alter DNS resolution zones and default domain suffix settings on the Internet Access and DNS page. DNS resolution zones allow you to configure a split-DNS setup, defining DNS zones that resolve to DNS servers pushed from Access Server.
An optional, Windows-OS-specific setting is the DNS domain suffix because Windows clients might only use the first domain provided in DNS resolution zones.
For more information, refer to the Access Controls section of the user manual.
Domain Routing via DNS
Access Server 3.1.0 introduces built-in domain-based routing using a DNS engine. This allows you to route traffic by domain name without redirecting all traffic or maintaining large lists of IP addresses for content delivery networks (CDNs).
Here's how it works:
VPN clients use the Access Server's internal DNS engine.
Specific domains are resolved to private IPs reserved for routing through the VPN tunnel.
Access Server uses nftables to NAT traffic sent to those private IPs to the real destination addresses.
You can define domains to route (or exclude from routing) on a global, group, or per-user basis.
Important
This feature helps control access to SaaS services like salesforce.com without full-tunnel routing.
The NAT implementation for domain routing is based on nftables, which is the preferred firewall engine. iptables is no longer recommended and may be deprecated.
Configuration Notes
The DNS engine listens on the VPN gateway's IP address (e.g., the first IP address in the VPN subnet) on port 53.
You can configure:
The private IP range for routed domains.
Custom upstream DNS resolvers.
Routed domains (include/exclude lists) per user/group.
Changing domain settings typically requires reconnecting affected users.
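The mechanism described under "Here's how it works" and the configurable items listed above, as an added example that is not Access Server's own code: a small model in which routed domains are answered with stable private IPs from a reserved range, include/exclude lists are evaluated per user, group and global level, and the resulting NAT table is rendered as nftables DNAT rules. The reserved range, the precedence order (user, then group, then global), the policy data and the exact rule text are assumptions.

```python
import ipaddress

# Added example (not Access Server code): models domain-based routing, where the DNS
# engine answers routed domains with reserved private IPs that nftables DNATs back to
# the real destination. Reserved range, precedence (user > group > global) and rule
# text are assumptions; the policy below is constructed sample data.
ROUTED_RANGE = ipaddress.ip_network("10.200.0.0/29")
POLICY = {"global": {"include": ["salesforce.com"]},
          "group": {"sales": {"exclude": ["login.salesforce.com"]}},
          "user": {}}

def domain_matches(name, pattern):
    """True when name equals pattern or is a subdomain of it (case-insensitive)."""
    name, pattern = name.lower().rstrip("."), pattern.lower().rstrip(".")
    return name == pattern or name.endswith("." + pattern)

def is_routed(name, policy=POLICY, user=None, group=None):
    """User, group and global lists are consulted in that order; the first level that
    lists the domain decides, and an exclude beats an include at the same level."""
    levels = [policy["user"].get(user, {}), policy["group"].get(group, {}), policy["global"]]
    for level in levels:
        if any(domain_matches(name, p) for p in level.get("exclude", [])):
            return False
        if any(domain_matches(name, p) for p in level.get("include", [])):
            return True
    return False  # unlisted domains get their real answer and stay off the VPN

class DomainRouter:
    """DNS-side private IP allocation plus the NAT table that maps them back."""
    def __init__(self, reserved=ROUTED_RANGE):
        self.free = list(reserved.hosts())
        self.by_domain = {}  # routed domain -> private IP handed to clients
        self.nat = {}        # private IP -> real destination IP

    def resolve(self, name, real_ip):
        """Return the stable private IP for a routed domain and record its NAT target."""
        name = name.lower().rstrip(".")
        if name not in self.by_domain:
            if not self.free:
                raise RuntimeError("reserved range exhausted; widen the private IP range")
            self.by_domain[name] = self.free.pop(0)
        priv = self.by_domain[name]
        self.nat[priv] = ipaddress.ip_address(real_ip)  # refreshed on each upstream answer
        return str(priv)

    def nft_rules(self):
        """Render one DNAT rule per mapping in nftables syntax (illustrative shape)."""
        return [f"ip daddr {p} dnat to {r}" for p, r in sorted(self.nat.items())]
```

The exhaustion error is the case to watch when sizing the private IP range: every distinct routed domain consumes one address for as long as the mapping lives.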