Understanding DNS Aliases and IP Subnets in Pangolin

This document explains how DNS aliases work in Pangolin and clarifies the different IP subnets you’ll encounter.


The Two Subnets

When using Pangolin’s VPN client, you’ll see two different IP ranges:

Subnet      | Purpose        | Example
100.90.x.x  | Peer Network   | Site connectors, routing traffic between peers
100.96.x.x  | Utility Subnet | DNS alias addresses, DNS queries

Why Two Subnets?

  • 100.90.x.x (Peer Network): Used for WireGuard peer connections. This is what you see in the Pangolin dashboard for sites. Traffic is routed through these addresses to reach your actual resources.

  • 100.96.x.x (Utility Subnet): Used for DNS resolution and alias addresses. When you query a DNS alias, it resolves to an address in this range.


How DNS Aliases Work

When you create a Private Resource with a DNS alias (e.g., grafana.internal), here’s what happens:

┌─────────────────────────────────────────────────────────────────┐
│                        DNS Resolution Flow                       │
└─────────────────────────────────────────────────────────────────┘

1. You query: grafana.internal
                    │
                    ▼
2. Query goes to Pangolin DNS server (100.96.128.1)
                    │
                    ▼
3. Returns utility subnet IP: 100.96.128.x
                    │
                    ▼
4. Traffic to 100.96.128.x is routed through the tunnel
                    │
                    ▼
5. Newt (site connector) forwards to actual destination
                    │
                    ▼
6. Reaches your resource (e.g., 192.168.1.50:3000)

Example: What You’ll See

In the Pangolin Dashboard

Site: Home Lab
  IP: 100.90.128.5    ← Peer network address

Private Resource: Grafana
  Destination: 192.168.1.50
  DNS Alias: grafana.internal

When You Run dig

$ dig @100.96.128.1 grafana.internal

;; ANSWER SECTION:
grafana.internal.    300    IN    A    100.96.128.8
                                       ▲
                                       └── Utility subnet, NOT 100.90.x.x

This is Expected Behavior

The DNS alias resolves to 100.96.128.8 (utility subnet), not 100.90.128.5 (peer network shown in dashboard).

Why? The utility subnet address is used for DNS-based routing. When you connect to 100.96.128.8, Pangolin routes the traffic through the correct site connector to reach your actual resource.


Common Confusion Points

“The IP from dig doesn’t match the dashboard!”

Expected. Dashboard shows peer network IPs (100.90.x.x). DNS aliases resolve to utility subnet IPs (100.96.x.x). Both are correct.

“I see another client’s IP in my DNS response!”

Not actually another client’s IP. The 100.96.x.x addresses are assigned for DNS alias routing. They may look similar to other addresses but serve a different purpose.

“Which IP should I use?”

Use Case               | IP to Use
DNS alias configured   | Use the alias: grafana.internal
Direct IP access       | Use the actual resource IP: 192.168.1.50
Debugging connectivity | Check peer network IP in dashboard

DNS Resolution Path

DNS queries in Pangolin follow this path:

Your Device
    │
    ▼
Pangolin Client (intercepts DNS for configured aliases)
    │
    ▼
Query sent over WireGuard tunnel
    │
    ▼
Newt (site connector) receives query
    │
    ▼
Newt resolves using configured DNS or forwards to your DNS server
    │
    ▼
Response returns through tunnel

Key point: Newt handles the final DNS resolution, not your local machine. You can configure Newt to use your own DNS server (like Pi-hole), and it will handle queries on your behalf.


Subnet Reference

Address                     | Purpose
100.96.128.1                | Pangolin DNS server (query DNS aliases here)
100.96.128.x                | Utility addresses for DNS aliases
100.90.128.x                | Peer network addresses (sites, clients)
192.168.x.x, 10.x.x.x, etc. | Your actual resource IPs (behind Newt)

Verifying DNS is Working

Test DNS Resolution

# Query Pangolin's DNS server directly
dig @100.96.128.1 your-alias.internal

# Expected: Returns 100.96.x.x address
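
The same check, scripted so it can run after a client connects (an added example, not part of the Pangolin docs or project). It reads dig answer lines and confirms every A record for the alias is a utility-subnet address; the function names and the /16 boundaries read from the "100.90.x.x" / "100.96.x.x" notation on this page are assumptions.

```shell
#!/bin/sh
# Constructed sample: the answer line from the dig output shown on this page.
SAMPLE_ANSWER='grafana.internal.    300    IN    A    100.96.128.8'

# Name the range an IPv4 address falls in. The /16 boundaries are an
# assumption taken from the x.x notation used on this page.
classify_addr() {
  case "$1" in
    100.96.*) echo utility ;;
    100.90.*) echo peer ;;
    *)        echo other ;;
  esac
}

# Read dig answer lines on stdin and check the A records for alias $1.
# Returns 0 if every A record is a utility address, 1 if any is not,
# 2 if there is no A record at all (alias not resolving).
check_alias() {
  alias_fqdn="${1%.}."          # dig prints names with a trailing dot
  seen=0
  bad=0
  while read -r name ttl class type rdata || [ -n "$name" ]; do
    # Skip comment lines, other names, and non-A records (e.g. CNAME)
    [ "$name" = "$alias_fqdn" ] && [ "$type" = "A" ] || continue
    seen=$((seen + 1))
    kind=$(classify_addr "$rdata")
    echo "$name -> $rdata ($kind)"
    [ "$kind" = utility ] || bad=$((bad + 1))
  done
  [ "$seen" -gt 0 ] || return 2
  [ "$bad" -eq 0 ]
}

# Offline run against the constructed sample.
printf '%s\n' "$SAMPLE_ANSWER" | check_alias grafana.internal

# Live use:
#   dig @100.96.128.1 your-alias.internal +noall +answer | check_alias your-alias.internal
```

Exit status 1 means the alias was answered with something other than a 100.96.x.x address; exit status 2 matches the "DNS Alias Not Resolving" case in Troubleshooting.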

Test Connectivity

# Ping the alias (should work if connected)
ping your-alias.internal

# Or use the resolved IP
ping 100.96.128.x

Test the Actual Service

# Access your service
curl http://your-alias.internal:3000

Troubleshooting

DNS Alias Not Resolving

  1. Check client is connected (status should show connected/orange)
  2. Verify alias is configured in the Private Resource settings
  3. Flush local DNS cache:
    # macOS
    sudo dscacheutil -flushcache
    
    # Windows
    ipconfig /flushdns
    
    # Linux (systemd-resolved; on older releases: sudo systemd-resolve --flush-caches)
    sudo resolvectl flush-caches
    

Can Resolve But Can’t Connect

  1. Confirm DNS is working (you get a 100.96.x.x response)
  2. Check the site is online in Pangolin dashboard
  3. Verify Newt can reach the resource on the local network
  4. Check you have access to the Private Resource (user/role assigned)

Wrong IP in Dashboard After Upgrade

After upgrading to Pangolin 1.13+, site IPs may have changed. This is normal. The peer network IPs (100.90.x.x) are assigned dynamically. Your DNS aliases and routing will still work correctly.


Summary

What You See              | What It Means
100.90.x.x in dashboard   | Peer network address for site/client
100.96.x.x from DNS query | Utility subnet address for alias routing
Both are different        | This is correct and expected
Traffic still works       | Pangolin routes through the correct path

Bottom line: Don’t worry if the IPs don’t match between the dashboard and DNS queries. They serve different purposes, and your traffic will be routed correctly through the tunnel to your actual resources.