Configure Per-App Tunnel DNS entries for Android and Windows 10 devices


You must create a DNS entry to resolve a connection to a website through the Per-App VMware Workspace ONE Tunnel from Android and Windows 10 devices. When using the Basic configuration, the Workspace ONE Tunnel server hosting the Per-App Tunnel component must be able to resolve the requests. If you are using the Cascade mode configuration, the Backend server only must be able to resolve the request. Configure the resolution by either:

  • Directly giving the host server or relay server access to an internal DNS server that is able to resolve the desired hostnames.
  • Deploying the dnsmasq service. See the Workaround for more information.



  • Navigate to the /etc/hosts file on the Workspace ONE Tunnel Backend server (or if not using Cascade mode, then just on your Frontend server).
  • Edit the file to add any domains and their corresponding IP addresses you want to access through the Workspace ONE Tunnel.
  • Verify the dnsmasq service is installed on the server:
    • yum install dnsmasq
    • For CentOS/RHEL systems, execute the following command as a root/sudo user. This service is preinstalled on the VMware Workspace ONE Unified Access Gateway (UAG) Tunnel appliance.
  • By default, dnsmasq does not run automatically upon install or reboot of the system. Configure the service to run automatically.
    • systemctl enable dnsmasq.service
    • systemctl start dnsmasq.service
    • service dnsmasq start
    • Check with your Linux administrator on how to set the service to initialize every time the server is rebooted.
    • For CentOS/RHEL 7 or Workspace ONE Tunnel appliance, run these commands as a root/sudo user:
    • For CentOS/RHEL 6, run these commands as a root/sudo user:
  • Check that the dnsmasq service is correctly resolving your address (e.g. For this you can run a command and verify it returns the correct IP address. If not, try restarting the dnsmasq service and testing again.
    • nslookup
  • Modify the parameters in the /opt/vmware/tunnel/vpnd/server.conf file:
    • Uncomment the line by deleting the leading semicolon character and enter the IP address of the Linux box that is hosting the Tunnel server.
    • If applicable, uncomment and add secondary DNS server.
    • ;dns_server_address_1
    • ;dns_server_address_2
    • For example, if your server IP is, this parameter would now look like:
      • dns_server_address_1
    • Note: Do not use or localhost as the DNS entry because it will cause the device to attempt to use itself to resolve the DNS entries.
    • Additional Note: If your server IP is in the subnet, you will also need to update the subnet and/or subnet_mask parameters in this same conf file so that it does not fall into the same subnet. For example, if your Tunnel server IP is, you could use the following parameter values:
      • dns_server_address_1
      • subnet
      • subnet_mask
  • Restart the vpnd service
    • service vpnd restart


Note: This article has been updated to apply to the Cascade mode of Tunnel Per-App VPN which was introduced in Workspace ONE UEM 9.1. If you are using a 9.0 or older version of the Tunnel Per-app VPN and using the Relay-Endpoint mode the above will still apply, however please make these changes on the Tunnel Frontend/Relay server instead of the Backend/Endpoint server.

Have more questions? Submit a request


Article is closed for comments.