DNS

DNS names configured for Assets or Virtual Assets are assigned automatically and work without further action. You also have the option of providing one or more DNS servers for specific domains. This is achieved through split DNS: only requests for the configured domains are sent to the corresponding DNS servers, while all other DNS requests continue to go to the default DNS server. Common use cases for such a split DNS setup are domain-joined networks with an on-premises Active Directory, and Subnets in general.

Split DNS

On the Account -> Settings page, you can configure one or more DNS servers together with the domains they serve. Assets and Virtual Assets can be configured as DNS servers. Every agent that can reach this Asset/Virtual Asset via a Policy will configure a split DNS rule for the specified domains.

Troubleshooting

On MS Windows, you can check whether the split DNS rule is configured correctly after connecting with the xtna-agent by running the following command in PowerShell:

Get-DNSClientNrptPolicy

This should print multiple lines, one of which is a NameServers entry pointing to the tunnel IP of the configured DNS server. There should also be a NameEncoding entry pointing to the selected domain. If the output of this command is empty, split DNS is not working properly.

In that case there may be a leftover registry path, probably introduced by an old Group Policy that is no longer in use. You can check this by verifying in the registry whether the key HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig exists. If it does, the XplicitTrust Agent will simply insert the split DNS rules below this key. However, if this key is otherwise empty and the key above it contains nothing but DnsPolicyConfig, MS Windows will consider neither this key nor the other location where the split DNS rules are stored.

Therefore, if these two keys are empty after disconnecting the xtna-agent and stopping the xtService in Task Manager, you can remove them, then start the xtService, start the xtna-agent and connect. Use the PowerShell command above to double-check that the split DNS rules are now properly detected. This issue can reoccur if the aforementioned registry path originates from a Group Policy. In this case, you should verify which Group Policy creates it and remove the registry path.
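The following PowerShell script automates the two checks described above. It is an added diagnostic example, not part of the XplicitTrust documentation or agent; the domain and tunnel IP are placeholders you must replace with the values you configured under Account -> Settings, and the registry key it inspects is the one named above.

```powershell
# Added diagnostic example (not XplicitTrust's own tooling).
# $Domain is the domain configured for split DNS, $ExpectedServer the tunnel IP of its DNS server.
param(
    [string]$Domain         = 'corp.example',   # placeholder: your configured domain
    [string]$ExpectedServer = '10.0.0.53'       # placeholder: tunnel IP of the configured DNS server
)

# 1. Look for an NRPT rule covering the domain.
#    Get-DnsClientNrptPolicy prints nothing at all when no rule is effective,
#    which is exactly the "empty output" symptom above.
$wanted = $Domain.TrimStart('.')
$rules  = @(Get-DnsClientNrptPolicy | Where-Object { $_.Namespace.TrimStart('.') -eq $wanted })

if ($rules.Count -eq 0) {
    Write-Warning "No NRPT rule for '$Domain' found; split DNS is not active."
} else {
    foreach ($r in $rules) {
        $servers = @($r.NameServers)
        if ($servers -contains $ExpectedServer) {
            Write-Host "OK: '$Domain' is resolved via $($servers -join ', ')"
        } else {
            Write-Warning "Rule for '$Domain' points to '$($servers -join ', ')', expected $ExpectedServer"
        }
    }
}

# 2. Check for the leftover Group Policy key described in the troubleshooting text.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig'
$parentKey = Split-Path $policyKey -Parent

if (-not (Test-Path $policyKey)) {
    Write-Host "No key at $policyKey; no leftover policy path."
} else {
    # Sub-keys of DnsPolicyConfig, sibling keys under DNSClient, and plain values on DNSClient.
    $subKeys  = @(Get-ChildItem $policyKey -ErrorAction SilentlyContinue)
    $siblings = @(Get-ChildItem $parentKey -ErrorAction SilentlyContinue |
                  Where-Object { $_.PSChildName -ne 'DnsPolicyConfig' })
    $values   = @((Get-ItemProperty $parentKey -ErrorAction SilentlyContinue).PSObject.Properties |
                  Where-Object { $_.Name -notlike 'PS*' })

    if ($subKeys.Count -eq 0 -and $siblings.Count -eq 0 -and $values.Count -eq 0) {
        Write-Warning "$policyKey exists but is empty, and $parentKey contains nothing else."
        Write-Warning "This matches the leftover-Group-Policy case; follow the removal steps above."
        # To find the policy that creates it: gpresult /h gpreport.html, then search for DnsPolicyConfig.
    } else {
        Write-Host "Policy key is present and populated; the agent places its rules below it."
    }
}
```

Run it in an elevated PowerShell after connecting with the xtna-agent, for example `.\Check-SplitDns.ps1 -Domain corp.example -ExpectedServer 10.0.0.53`. The script only reads the NRPT table and the registry; removing the empty keys remains the manual step described above, to be done only after the xtna-agent is disconnected and the xtService is stopped.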