Try free on Pangolin Cloud
Fastest way to get started with Pangolin using the hosted control plane. No credit card required.
10.0.0.1 could be assigned the alias router.internal, and users could connect using either. Aliases are accessible to anyone who has access to the resource, and they are exclusively accessible when connected with a Pangolin client, meaning they function without requiring any external DNS record setup. Furthermore, aliases are protocol agnostic, which means they will work with any network protocol, essentially acting as a pseudo-A record for an address that is only functional within the Pangolin environment.
Overlapping Networks and Loopback on the Site Host
Several situations described on the Destinations page are where an alias is especially important—either optional but strongly recommended, or effectively required. Overlapping IP spaces across sites are common (for example the same RFC1918 subnet behind different Pangolin sites). Pangolin helps route connections without users picking a site by hand, but raw IPs or ambiguous names can still collide across environments. Assigning a distinct alias per resource gives clients a single hostname whose DNS resolution goes through Pangolin, so traffic consistently reaches the intended resource and site instead of whichever overlapping address would otherwise win. See Overlapping destinations across sites. Loopback on the site host is another case: if the resource destination is127.0.0.1 or localhost on the machine running the site, those strings still mean “this machine” on the user’s laptop or desktop—not the remote site. There is no safe way for users to type loopback literals and reach the service behind another host; an alias hostname is required so the client resolves the name via Pangolin and sends traffic over the tunnel to the site, which then forwards to its own loopback. See Loopback on the site host.
CIDRs vs. IPs
An alias can only be created for a resource that is a single host (IP or FQDN). Aliases cannot be created for resources that are CIDR ranges because it would be ambiguous which host within the range the alias should point to.Domain Structure
Since aliases cannot be single-label domains, you must avoid using domain names that do not contain a dot (e.g.,pangolin). A domain like pangolin.net, which includes a dot, is acceptable. Instead of a single-label domain, you should consider using a subdomain of a domain you control, such as router.mywebsite.com, or an existing private/internal domain name, like router.internal or router.corp.
Wildcards
Wildcards allow you to define aliases that match multiple hostnames using special characters in the FQDN. For example, in an alias like*.host-0?.autoco.internal, the asterisk * matches any sequence of characters (including none), and the question mark ? matches exactly one character.
If you use a wildcard such as *.proxy.internal, it will match any hostname that ends with .proxy.internal and has something before the dot—such as host.proxy.internal, longerhost.proxy.internal, or even sub.host.proxy.internal. However, the wildcard will not match the base domain itself (autoco.internal without anything before the dot).
Custom Upstream DNS
Aliases work by overriding the DNS of your computer running the client so that all DNS requests are sent to the Pangolin client for resolution. That behavior is controlled by the Enable Aliases (Override DNS) preference; see Configure Clients. The DNS server on your computer is typically100.96.128.1 (the first address inside of your utility subnet on the org) when connected to the tunnel, which forwards requests to an upstream server. By default, we use 1.1.1.1, but this upstream address can be configured in the CLI or in the client settings.
If you are attempting to set an upstream DNS server that is only accessible via the tunnel, ensure that you create a resource and check the tunnel DNS option in the client configuration settings. Otherwise, connectivity to the server may fail when connected to the tunnel. Enable Aliases (Override DNS) must also be on—see Configure Clients—so the client can intercept DNS and forward queries to the upstream server.