
HYAS Agent Configuration

Once the HYAS Protect Agent is installed and running, you can configure how it behaves across your environment. These configuration options are designed to support advanced use cases like split-horizon DNS, internal domain resolution, Safe Search enforcement, and more.

Configuration only needs to be completed once—typically during initial setup or when making changes to your organization’s security or network policies. Once saved, your settings will automatically apply to all deployed agents within your organization. You do not need to reconfigure the agent on each device.

These configuration settings only apply to Windows and macOS deployments.

The available configuration options include:

Local Resolution Settings

More details on how to configure Local Resolution Settings
  • What it is:
    Local Resolution Settings allow the HYAS Protect Agent to resolve internal domain names using your organization’s internal DNS infrastructure. This ensures that private or internal services—like intranet portals, authentication servers, or application endpoints—are resolved locally rather than being sent to external DNS resolvers.

    This configuration consists of two components:

    • Local Domains: The internal domains you want to resolve locally.

    • Local Resolvers: The internal DNS servers that will be used to resolve those domains.

  • Why you’d configure it:
    To ensure seamless access to internal systems while keeping sensitive DNS traffic inside your trusted network. It improves performance, prevents resolution failures, and avoids exposing internal domain names to public DNS resolvers.

  • If you don’t configure it (or configure it incorrectly):

    • Internal domains may not resolve, breaking access to critical services.

    • DNS queries for sensitive internal domains may be sent to external resolvers, increasing the risk of exposure.

    • HYAS Protect Agents will be unable to properly differentiate internal DNS traffic, especially in split-horizon environments.

  • How to configure it:

    • In the Local Domains field:

      • Enter each internal domain that should resolve through your internal DNS infrastructure.

      • Each domain must include a second-level domain (SLD) and top-level domain (TLD).

    • In the Local Resolvers field:

      • Enter the IP address(es) of your internal DNS servers.

      • Use valid IPv4 or IPv6 addresses only.

    • Save the configuration (bottom of the page)
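
A pre-flight check for the two fields above, added here as an example and not part of the HYAS product or documentation: it flags Local Domains entries that lack an SLD and TLD and Local Resolvers entries that are not bare IPv4/IPv6 addresses. The label syntax rule and all sample entries are assumptions constructed for illustration.

```python
import ipaddress
import re

# Conventional hostname label rule (assumption; the page only requires SLD + TLD).
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def check_local_domain(entry):
    """Return None if the entry is usable as a Local Domain, else the reason it is not."""
    name = entry.strip().lower().rstrip(".")
    labels = name.split(".")
    if len(labels) < 2:
        return "needs a second-level and a top-level domain"
    if len(name) > 253 or not all(_LABEL.match(label) for label in labels):
        return "not a valid DNS name"
    try:
        ipaddress.ip_address(name)
    except ValueError:
        return None
    return "is an IP address, not a domain"

def check_local_resolver(entry):
    """Return None if the entry is a bare IPv4 or IPv6 address, else the reason it is not."""
    try:
        ipaddress.ip_address(entry.strip())
    except ValueError:
        return "not a valid IPv4 or IPv6 address"
    return None

def review(domains, resolvers):
    """Map every rejected entry to the reason it was rejected."""
    problems = {}
    for entry in domains:
        reason = check_local_domain(entry)
        if reason:
            problems[entry] = reason
    for entry in resolvers:
        reason = check_local_resolver(entry)
        if reason:
            problems[entry] = reason
    return problems

# Constructed sample entries, not taken from any real deployment.
SAMPLE_DOMAINS = ["corp.example", "intranet", "10.0.0.1", "-bad.example"]
SAMPLE_RESOLVERS = ["10.0.0.53", "fd00::53", "10.0.0.53:53", "dns1.corp.example"]

if __name__ == "__main__":
    for entry, reason in review(SAMPLE_DOMAINS, SAMPLE_RESOLVERS).items():
        print(f"{entry}: {reason}")
```
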


Split-Horizon DNS & Local Resolution Settings

Split-Horizon DNS and Local Resolution Settings enable the HYAS Protect Agent to determine whether a device is inside or outside your organization’s network and to route DNS queries accordingly. These settings ensure that internal domains resolve through the correct DNS infrastructure and that the Agent applies the appropriate behavior based on the network environment.

With Resolution Profiles, you can define unique network configurations for different sites or internal environments. Each profile can include its own Split-Horizon DNS test, internal domains, and resolver IPs. This gives you the flexibility to match your organization’s architecture, even when internal DNS behavior varies from one location to another.

Global Resolution Settings are also available. These allow you to specify domains and resolvers that should always apply across all networks, helping you centralize common DNS resolution rules and reduce repetitive configuration.

More details on configuring Split-Horizon DNS & Local Resolution Settings

Split-Horizon DNS: Local Network Test

What it is

A test the HYAS Protect Agent performs to determine whether a device is on a trusted internal network. The Agent queries a domain that resolves differently inside your organization and checks whether the returned value matches the expected internal IP address.

Why you’d configure it

Configuring Split-Horizon DNS allows the Agent to recognize internal networks and route internal-only domains through the correct DNS servers. This is essential for accessing private applications, preventing internal traffic from being sent externally, and ensuring that policies designed for trusted networks behave correctly.

If you don’t configure it

The Agent assumes the device is always external. This may prevent internal domains from resolving, break access to internal applications, and cause the Agent to apply external network behavior even when the device is on a trusted internal network.


Multiple Split-Horizon Profiles

What it is

Multiple Split-Horizon profiles allow you to define separate DNS behaviors for different internal network locations. Each profile contains its own test query, expected internal value, resolver IPs, and local domains.

Why you’d configure it

Many organizations operate multiple internal environments that use different DNS resolvers or internal routing rules. Multiple profiles ensure the Agent can detect exactly which internal network the device is connected to and apply the correct DNS behavior for that location. This is important when users move between offices, datacenters, or segmented internal networks.

If you don’t configure it

The Agent will treat all internal locations as if they are the same. Devices in secondary offices or alternative internal networks may resolve internal domains incorrectly, route DNS to the wrong server, or fail internal application access entirely.


Local Resolution Settings

What it is

Local Resolution Settings define the internal domains that should always be resolved using internal DNS servers whenever the Agent detects the device on a matching internal network.

Why you’d configure it

Organizations often rely on internal subdomains, private hostnames, or on-prem services that cannot be resolved externally. Local Resolution ensures those domains are routed to the correct internal resolvers and prevents internal queries from being sent to external DNS providers.

If you don’t configure it

Internal domains may fail to resolve or may be leaked externally. Applications that depend on internal DNS will not function reliably, and internal routing rules may not be applied.


Global Resolution Settings

What it is

Global Resolution Settings define a set of domains and DNS resolvers that apply across all networks, whether internal or external. These settings serve as a centralized baseline configuration that does not change based on location.

Why you’d configure it

Global Resolution is useful when your organization uses centralized DNS infrastructure, requires certain domains to always resolve through trusted resolvers, or wants to ensure consistent DNS behavior for specific domains regardless of where the device is located. It reduces duplication by letting you define shared resolver rules once instead of repeating them in each profile.

If you don’t configure it

Any domains that should be routed consistently across all networks may resolve unpredictably or rely on public DNS unintentionally. You may also end up duplicating configuration across multiple profiles, increasing complexity and the risk of misconfiguration.


Disable Agent on Local Network

Allows the agent to automatically disable itself when it confirms the device is on a trusted internal network (requires Local Network Test to be configured and agent version 2.2.11+).

More details on configuring Disable Agent on Local Network
  • What it is:
    This option allows the agent to automatically disable itself when it detects that it's on a trusted internal network.

  • Why you’d configure it:
    To reduce unnecessary DNS enforcement or prevent conflicts with internal DNS policies while on a secure internal network. Useful for environments that already monitor DNS internally or have strict internal routing setups.

  • If you don’t configure it (or configure it incorrectly):
    The agent will continue enforcing policies and intercepting DNS—even on internal networks—potentially leading to duplicate logging, policy conflicts, or unnecessary complexity.
    Note: This setting requires the Local Network Test to be properly configured.

  • How to Configure:

    • Configure Split-Horizon DNS: Local Network Test (instructions above)

    • Enable ‘Disable Agent on Local Network’

    • Save the configuration (bottom of the page)


Safe Search

Enforce Safe Search on supported search engines including Google, YouTube, Bing, and DuckDuckGo.

More details on configuring Safe Search
  • What it is:
    This setting forces Safe Search to be enabled on supported search engines (Google, YouTube, Bing, and DuckDuckGo), helping filter out explicit or inappropriate content.

  • Why you’d configure it:
    To support compliance with internet safety policies, especially in education, public sector, or regulated industries. It adds a layer of content control at the DNS level.

  • If you don’t configure it:
    Users can disable Safe Search in their browser or search engine settings, and DNS will not enforce restrictions—potentially exposing the organization to policy violations or inappropriate content.

  • How to configure:

    • Enable ‘Safe Search’

    • Save the configuration (bottom of the page)


Allow Employee to Temporarily Disable Agent

Permit end users to disable the agent for up to 5 minutes at a time—helpful in scenarios like accessing captive portals on public Wi-Fi.

More details on Allowing Employees to Temporarily Disable the Agent
  • What it is:
    This optional setting allows end users to disable the HYAS Protect Agent for five (5) minutes at a time.

  • Why you’d configure it:
    To give users flexibility when encountering restrictive environments like captive portals (e.g., hotel or airport Wi-Fi login pages) that may require temporary DNS bypassing.

  • If you don’t configure it:
    Users may not be able to complete logins or network registration on certain public Wi-Fi networks, leading to access issues and increased support tickets.

  • How to configure:

    • Enable ‘Allow Employees to Temporarily Disable Agent’

    • Save the configuration (bottom of the page)


These settings help ensure the HYAS Protect Agent operates efficiently in both internal and external environments, balancing security with usability. In the sections that follow, you'll learn how to configure each option step-by-step.

Configure these settings at: apps.hyas.com > Settings > Organization Settings > Protect Agent > Settings
