Overview

End users in SIA-only orgs or in SPA and SIA orgs are unable to access private domains.

Symptoms

• End users receive a timeout error (e.g.,DNS_PROBE_FINISHED_NXDOMAIN ) when attempting to access a private domain.

Potential Root Cause(s)

• The swg (Secure Web Gateway) agent is agnostic to the domain type (i.e., it doesn't distinguish between internet domains and private domains); therefore, when end users request a private domain, the DNS server associated with the SWG agent is unable to resolve the DNS request, because it doesn't recognize the private domain and can't associate it to a public IP address.

Resolution Steps

Add a domain bypass for each of your org's private domains:

1. In the Cloud Secure Edge Command Center, navigate from Internet Access > Internet Threat Protection, and select the relevant ITP policy.

2. Select the Edit icon (i.e., the pencil icon), and under the Blocking and Bypass tab, go to the Domain Bypass toggle.

3. Enter the private domain(s) that you want to bypass Blocking.