Okta Access Gateway Application Fails to Resolve Protected Resource Hostname Using Local Hosts Entry
Overview
An Okta Access Gateway (OAG) application that relies on a local hosts entry to resolve a Protected Resource hostname queries external DNS instead, causing access to fail.
Clients accessing the application encounter the following Okta Access Gateway-branded error:
Application is not resolvable in DNS
The OAG logs may show errors similar to the following, indicating that OAG is trying and failing to query external DNS instead of using the hosts entry:
[lua] authSession.lua:570: getUpstreamAddr(): dns.get failed for host: (hostname.domain) err: dns server error: 3 name error
DNS_RESOLVE_FAILURE
DNS failure resolving host: (hostname.domain)
Applies To
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Okta Access Gateway (OAG)
Cause
NGINX does not automatically pick up new hosts entries. When a hosts entry is created on the affected Okta Access Gateway node after the most recent NGINX reload, NGINX remains unaware of it. An NGINX reload is required before any newly created hosts entries are used.
Solution
How is the DNS resolution failure resolved?
Reload NGINX so that Okta Access Gateway can use the newly created hosts entries. Either trigger an application update from the Okta Access Gateway Admin Console, or manually reload NGINX via the Console Shell.
To perform the manual reload using the Management Console:
- Navigate to the Management Console.
- Enter 5 to select System.
- Enter 0 to select Launch Shell.
- Execute the following command:
sudo systemctl reload okta-nginx
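The following diagnostic script is an added example for this article and is not Okta's code. It checks whether the Protected Resource hostname actually has a hosts entry (ignoring comments, matching aliases, case-insensitive like the system resolver) and whether that entry is newer than the last state change of the okta-nginx unit, which would mean the reload above is still outstanding. It assumes the hosts file is /etc/hosts, the unit name okta-nginx from the command above, and that systemd updates StateChangeTimestamp when a unit is reloaded.

```shell
#!/bin/sh
# Added diagnostic for the OAG hosts-entry issue (not Okta's code).
# Assumptions: hosts file is /etc/hosts; NGINX runs as the okta-nginx unit.

# Print the address that hosts file $1 maps to hostname $2.
# Comments are stripped, aliases on the same line match, and the comparison
# is case-insensitive (as the system resolver treats hostnames).
# Returns 1 when no entry exists.
hosts_entry_addr() {
    awk -v h="$2" '
        { sub(/#.*/, "") }
        NF >= 2 { for (i = 2; i <= NF; i++)
                      if (tolower($i) == tolower(h)) { print $1; exit } }
    ' "$1" | grep .
}

# Return 0 when the hosts file (mtime $1, epoch seconds) changed after the
# last okta-nginx state change ($2, epoch seconds): NGINX has not been
# reloaded since the entry was written and cannot see it yet.
reload_needed() {
    [ "$1" -gt "$2" ]
}

# Live check on an OAG node: check_oag_node hostname.domain
check_oag_node() {
    host=$1
    if ! addr=$(hosts_entry_addr /etc/hosts "$host"); then
        echo "no /etc/hosts entry for $host: add one, then reload okta-nginx"
        return 2
    fi
    hosts_mtime=$(stat -c %Y /etc/hosts)
    # Assumption: StateChangeTimestamp advances when the unit passes through
    # the 'reloading' state, so it reflects the most recent reload.
    last_change=$(systemctl show -p StateChangeTimestamp --value okta-nginx)
    nginx_ts=$(date -d "$last_change" +%s)
    if reload_needed "$hosts_mtime" "$nginx_ts"; then
        echo "$host -> $addr is in /etc/hosts but newer than the last okta-nginx reload"
        echo "run: sudo systemctl reload okta-nginx"
        return 1
    fi
    echo "$host -> $addr is in /etc/hosts and okta-nginx was reloaded after it"
}

if [ -n "${1:-}" ]; then
    check_oag_node "$1"
fi
```

Run it on the affected node as `sh check_oag.sh hostname.domain` before and after the reload; exit code 2 means the hosts entry itself is missing, 1 means the entry exists but the reload is still needed.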
