Private DNS
Private DNS lets VPN-connected clients resolve hostnames to internal services without exposing those services to the public internet. A CoreDNS instance runs on each edge device and answers queries for your tenant's private zone (e.g., *.acme.sl.internal). Records are populated automatically from connected devices and connectors, or added manually.
Navigate to Network > Private DNS in the sidebar.
Overview
The page header displays the active zone pattern for your tenant (e.g., *.acme.sl.internal). All three tabs share this zone.
| Tab | Purpose |
|---|---|
| DNS Records | View, create, and delete individual A records |
| Service Types | Define named service categories (protocol, port, URL scheme) |
| Settings | Configure the tenant DNS slug |
Clients running Tailscale alongside the IKEv2 VPN will not automatically resolve private DNS names. On macOS and iOS, Tailscale's Network Extension (NETunnelProviderManager) takes precedence over the IKEv2 system VPN (NEVPNManager) for DNS, regardless of domain configuration.
Affected users must do one of the following:
- Configure Tailscale Split DNS to forward the private zone (e.g., sl.internal) to the edge DNS server.
- Switch to the WireGuard protocol, which runs as a NETunnelProviderManager extension of its own and is not overridden by Tailscale.
- Disable Tailscale while connected to the SD-WAN.
Direct queries to the gateway (e.g., dig @<gateway-ip> obp-portal.acme.sl.internal) are unaffected.
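To see which resolver a macOS client will actually use for the private zone before opening a ticket, read the resolver list that macOS itself reports with scutil --dns and check whether the scoped (supplemental) resolver for the zone points at the edge gateway or at Tailscale's MagicDNS address. The script below is an added example written for this page, not part of the product or of Tailscale; the gateway address 100.64.0.1, the utun4 interface and both scutil samples are constructed for the example.

```python
import re
import subprocess
import sys

# Tailscale's well-known MagicDNS resolver address (quad-100).
TAILSCALE_MAGICDNS = "100.100.100.100"

# Constructed sample of `scutil --dns` output from a macOS client whose IKEv2
# tunnel pushed a supplemental resolver for the private zone. Gateway address
# 100.64.0.1 and interface utun4 are assumptions for the example.
SAMPLE_EDGE = """\
DNS configuration

resolver #1
  search domain[0] : lan
  nameserver[0] : 192.168.1.1
  if_index : 11 (en0)
  flags    : Request A records, Request AAAA records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  domain   : sl.internal
  nameserver[0] : 100.64.0.1
  if_index : 23 (utun4)
  flags    : Supplemental, Request A records
  reach    : 0x00000002 (Reachable)
  order    : 101200
"""

# Same client, but with Tailscale's extension now owning the zone (constructed).
SAMPLE_TAILSCALE = SAMPLE_EDGE.replace("nameserver[0] : 100.64.0.1",
                                       "nameserver[0] : " + TAILSCALE_MAGICDNS)

LINE_RE = re.compile(r"\s*(domain|nameserver\[\d+\]|flags)\s*:\s*(.+)")


def parse_scutil_dns(text):
    """Split `scutil --dns` output into per-resolver dicts (domain, nameservers, flags)."""
    resolvers, cur = [], None
    for line in text.splitlines():
        if line.startswith("resolver #"):
            cur = {"domain": None, "nameservers": [], "flags": ""}
            resolvers.append(cur)
            continue
        m = LINE_RE.match(line) if cur is not None else None
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip()
        if key == "domain":
            cur["domain"] = val
        elif key.startswith("nameserver"):
            cur["nameservers"].append(val)
        else:
            cur["flags"] = val
    return resolvers


def resolver_for(fqdn, resolvers):
    """Most specific scoped resolver whose domain is fqdn or a parent of it; None if only the default applies."""
    best = None
    for r in resolvers:
        d = r["domain"]
        if d and (fqdn == d or fqdn.endswith("." + d)):
            if best is None or len(d) > len(best["domain"]):
                best = r
    return best


def classify(fqdn, gateway_ip, text):
    """'edge' if the zone goes to the gateway, 'tailscale' if MagicDNS owns it,
    'other' for any other nameserver, 'default' if no scoped resolver matches."""
    r = resolver_for(fqdn, parse_scutil_dns(text))
    if r is None:
        return "default"
    if gateway_ip in r["nameservers"]:
        return "edge"
    if TAILSCALE_MAGICDNS in r["nameservers"]:
        return "tailscale"
    return "other"


if __name__ == "__main__":
    # Usage: python check_dns.py <gateway-ip> [fqdn]  reads the live scutil output on macOS;
    # with no arguments it runs against the constructed samples above.
    if len(sys.argv) >= 2:
        gw = sys.argv[1]
        name = sys.argv[2] if len(sys.argv) > 2 else "obp-portal.acme.sl.internal"
        live = subprocess.run(["scutil", "--dns"], capture_output=True, text=True, check=True).stdout
        print(name, "->", classify(name, gw, live))
    else:
        for label, sample in (("edge", SAMPLE_EDGE), ("tailscale", SAMPLE_TAILSCALE)):
            print(label, "sample ->", classify("obp-portal.acme.sl.internal", "100.64.0.1", sample))
```

A "tailscale" result means queries for the zone are being handed to MagicDNS and one of the three fixes above is needed; "default" means no scoped resolver exists for the zone at all, which usually means the VPN profile did not push one. The script only reads the configuration macOS reports, so pair it with a direct dig @<gateway-ip> query to confirm the edge CoreDNS instance answers.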
DNS Records Tab
The records table lists all A records registered in the tenant's private zone.
Table Columns
| Column | Description |
|---|---|
| Status | Online (green), offline (grey), or unknown (orange) based on device heartbeat |
| Hostname | Short label used in the FQDN (e.g., obp-portal) |
| FQDN | Fully-qualified domain name in the form {hostname}.{slug}.{zone-suffix} |
| IP Address | The IPv4 address the record resolves to |
| Service | Associated service type and port (e.g., HTTPS :443) |
| Source | How the record was created — see source badges below |
| Actions | Delete button (manual records only) |
Source Badges
| Badge | Meaning |
|---|---|
| Device (auto_device) | Registered automatically when a VPN device connects |
| Connector (auto_connector) | Registered automatically from a paired connector edge |
| Manual | Created manually via the Add Record form |
Auto-created records are read-only and are removed when the associated device or connector is removed. Only manual records can be deleted from this tab.
Adding a Record
- Click Add Record.
- Fill in the form:
| Field | Required | Description |
|---|---|---|
| Hostname | Yes | Lowercase alphanumeric label (e.g., obp-portal). Only a-z, 0-9, and - are accepted. |
| IP Address | Yes | The internal IP the hostname should resolve to (e.g., 100.64.200.2) |
| Service Type | No | Categorize the record using a defined service type |
| Port | No | Override the default port for the selected service type |
| Description | No | Human-readable label (e.g., "OBP Call Center Portal") |
- Click Create. The FQDN preview updates live as you type the hostname.
The FQDN is assembled as: {hostname}.{slug}.{zone-suffix}
Example: a hostname of obp-portal with slug acme and zone suffix sl.internal resolves as obp-portal.acme.sl.internal.
Deleting a Record
Click the trash icon on any manual record. Auto-created records cannot be deleted here — remove the device or connector that generated them instead.
Deleting a record is immediate on the edge resolvers. VPN clients that have the record cached will keep resolving the old IP address until the cached entry's TTL expires; after that, lookups for the name fail with NXDOMAIN.
Searching Records
Use the search field at the top of the table to filter by hostname.
Service Types Tab
Service types are named categories that attach protocol, port, and URL scheme metadata to DNS records. They appear as options when adding a record and in the Service Directory view of the VPN client app.
Service Type Fields
| Field | Description |
|---|---|
| Name | Display name (e.g., HTTPS, SSH, RDP) |
| Protocol | tcp or udp |
| Default Port | Well-known port for this service |
| URL Scheme | Optional scheme for deep-linking (e.g., https, rdp) |
System-provided service types (marked System) cannot be deleted. Custom types can be removed with the trash icon on their card.
To add a new service type, use the Add Service Type button. Custom types become immediately available in the Add Record form.
Settings Tab
Tenant DNS Slug
The slug is a short, unique identifier inserted between the hostname and the zone suffix in every FQDN. Changing it renames every record for your tenant.
{hostname}.{slug}.{zone-suffix}
^^^^^
this part
The current slug is displayed in the Settings tab. Click Change to edit it.
Changing the slug:
- Updates every FQDN for your tenant immediately.
- Triggers a re-sync to all edge devices in the tenant.
- Requires all VPN clients to reconnect before they can resolve the new names.
- Breaks any existing bookmarks or application shortcuts that used the old FQDNs.
Only change the slug during a planned maintenance window.
Slugs must be lowercase and may only contain letters, digits, and hyphens (a-z, 0-9, -).
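The FQDN assembly rule from the DNS Records tab and the tenant-wide rename that a slug change causes, as an added example in Python (not the product's own code). It applies the page's label rule (lowercase a-z, 0-9 and hyphen) to both hostname and slug; the 63-character label limit, the 253-character name limit and the ban on a leading or trailing hyphen are standard DNS constraints assumed here, and the sample tenant records are constructed.

```python
import re

# Label rule stated on this page for both the hostname and the slug: lowercase
# a-z, 0-9 and '-'. The 63-octet limit and the ban on a leading or trailing
# hyphen are standard DNS label rules (RFC 1035/1123) assumed here; the page
# does not state them.
LABEL_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def validate_label(label, field):
    """Return `label` unchanged or raise ValueError naming the offending field."""
    if not LABEL_RE.fullmatch(label):
        raise ValueError(
            f"{field} {label!r}: use 1-63 characters of a-z, 0-9 and '-', "
            "not starting or ending with '-'"
        )
    return label


def build_fqdn(hostname, slug, zone_suffix="sl.internal"):
    """Assemble {hostname}.{slug}.{zone-suffix} the way the Add Record preview does."""
    validate_label(hostname, "hostname")
    validate_label(slug, "slug")
    for part in zone_suffix.split("."):  # the suffix may itself be several labels
        validate_label(part, "zone suffix label")
    fqdn = f"{hostname}.{slug}.{zone_suffix}"
    if len(fqdn) > 253:  # overall name limit (RFC 1035), assumed
        raise ValueError("FQDN longer than 253 characters")
    return fqdn


def rename_slug(records, old_slug, new_slug, zone_suffix="sl.internal"):
    """Simulate the tenant-wide rename a slug change causes.
    `records` maps hostname -> IPv4; returns {old_fqdn: (new_fqdn, ip)} so the
    caller can list exactly which names bookmarks and shortcuts will lose."""
    validate_label(new_slug, "slug")
    return {
        build_fqdn(host, old_slug, zone_suffix): (build_fqdn(host, new_slug, zone_suffix), ip)
        for host, ip in records.items()
    }


# Constructed sample tenant; obp-portal / 100.64.200.2 follow the page's example.
SAMPLE_RECORDS = {"obp-portal": "100.64.200.2", "git": "100.64.200.3"}

if __name__ == "__main__":
    print(build_fqdn("obp-portal", "acme"))
    for old, (new, ip) in rename_slug(SAMPLE_RECORDS, "acme", "acme-corp").items():
        print(f"{old} -> {new} ({ip})")
    for bad in ("OBP-Portal", "obp_portal", "-obp", "obp-"):
        try:
            build_fqdn(bad, "acme")
        except ValueError as err:
            print("rejected:", err)
```

Running rename_slug against an export of the tenant's records before a slug change gives the list of old names to hand to application owners, which is the part of the maintenance window that is easiest to forget.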
Zone Suffix
The zone suffix (default: sl.internal) is set at the platform level and is shared across all tenants. It can be changed in Admin > System > Discovery > Network Services.
Keep the suffix under a name that has no public delegation. The .internal top-level domain is reserved by ICANN for private-use names and is not delegated in the public DNS root, so no public authoritative server can answer for it; macOS split-DNS resolvers therefore never receive an authoritative NXDOMAIN for the zone before the supplemental resolver pushed by the VPN connection is queried, and unresolved queries are forwarded to the edge CoreDNS instance. Using a publicly delegated domain (e.g., vpn.example.com) as the suffix lets public DNS servers return an authoritative NXDOMAIN before the edge CoreDNS resolver gets a chance to answer, and private names then fail to resolve.