nslookup behaviour when using GlobalProtect Split tunnel for DNS
Created On 01/04/24 03:20 AM - Last Modified 05/18/24 04:01 AM
Symptom
- GlobalProtect split tunnel for DNS is configured.
- The option Resolve All FQDNs Using the DNS Servers Assigned by the Tunnel (Windows Only) is set to No.
- Specific FQDNs are configured as excluded domains, to be resolved by the local DNS server on the physical adapter. Example: domain1.org.com
- The feature works as expected: users can access the application and ping it.
- When the user tries to resolve an excluded domain with the nslookup command, the lookup fails (here 192.168.1.1 is the DNS server assigned by the GlobalProtect gateway):
C:\Users\admin>nslookup domain1.org.com
Server:  UnKnown
Address:  192.168.1.1   <<< DNS server assigned by GlobalProtect

*** UnKnown can't find domain1.org.com: Non-existent domain
Environment
- GlobalProtect (GP) app version 5.2 or above
- Split tunnel for DNS
Cause
- nslookup does not go through the Windows DNS Client resolver, which is where the split-DNS exclusion list is applied. It sends its query directly to the configured DNS servers on the adapters, including the GlobalProtect-assigned server on the PanGP adapter (192.168.1.1 above).
- The PanGP adapter's DNS server rejects the query for the excluded domain, as configured.
- nslookup displays that response from the PanGP adapter, so it reports "Non-existent domain". That is the expected answer from that server, not a resolution failure on the host.
- Applications that resolve names through the OS resolver, such as a web browser or ping, still resolve the excluded domain via the physical adapter, so the web site remains reachable.
- This behavior is expected. An nslookup failure for an excluded domain is not, by itself, evidence that split tunnel for DNS is broken.
Resolution
- Name resolution of an excluded FQDN should work for any application that resolves through the OS resolver, such as ping or a web browser.
- Use ping or a web browser to access the FQDN and confirm that it works. Do not use nslookup to verify split-DNS exclusions, because its result does not reflect the path applications take.
- If ping and the web browser also fail, take a packet capture with Wireshark on both the physical adapter and the PanGP adapter while reproducing the failure, and open a Support case for investigation.
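The following PowerShell script is an added example and is not part of the Palo Alto Networks article. It reproduces the Cause and Resolution sections above from one console: it lists the DNS servers on each adapter, sends a direct query to the tunnel-assigned server (the path nslookup takes), a direct query to the physical adapter's server, and a query through the Windows DNS Client service (the path ping and a browser take), then pings the name. The excluded FQDN and the PANGP interface-description prefix are assumptions to replace with your own values; the final NRPT check also assumes that the exclusion is visible as an NRPT rule, which you should confirm against the GlobalProtect documentation for your version.

```powershell
# Added example; not code from the Palo Alto Networks article.
# Assumptions: $ExcludedFqdn is one of the excluded domains in the GP split-DNS
# configuration, and the GP adapter's interface description starts with "PANGP".
$ExcludedFqdn = 'domain1.org.com'   # assumed excluded domain
$PanGpMatch   = 'PANGP*'            # assumed interface-description prefix of the GP adapter

# 1. DNS servers handed to the resolver by each adapter.
$servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 }
$servers | Format-Table InterfaceAlias, ServerAddresses -AutoSize

$panGp = Get-NetAdapter | Where-Object { $_.InterfaceDescription -like $PanGpMatch }
if (-not $panGp) {
    Write-Warning 'GlobalProtect adapter not found; connect the tunnel first.'
    return
}
$tunnelDns = ($servers | Where-Object InterfaceIndex -eq $panGp.InterfaceIndex).ServerAddresses
$localDns  = ($servers | Where-Object InterfaceIndex -ne $panGp.InterfaceIndex |
              Select-Object -First 1).ServerAddresses

# 2. Query the way nslookup does: straight at a named server, bypassing the
#    Windows DNS Client and therefore the split-DNS exclusions.
#    -DnsOnly disables LLMNR/NetBIOS fallback so only the DNS answer is shown.
function Invoke-DirectQuery([string]$Name, [string[]]$Server) {
    try {
        $r = Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -ErrorAction Stop
        return (($r | Where-Object Type -eq 'A').IPAddress -join ',')
    } catch {
        return "FAIL: $($_.Exception.Message)"
    }
}

# 3. Query through the Windows DNS Client service (no -Server), the path a
#    browser and ping use and where the exclusions are applied.
function Invoke-ResolverQuery([string]$Name) {
    try {
        $r = Resolve-DnsName -Name $Name -Type A -ErrorAction Stop
        return (($r | Where-Object Type -eq 'A').IPAddress -join ',')
    } catch {
        return "FAIL: $($_.Exception.Message)"
    }
}

[PSCustomObject]@{
    Fqdn            = $ExcludedFqdn
    TunnelDnsDirect = Invoke-DirectQuery   $ExcludedFqdn $tunnelDns  # matches what nslookup shows
    LocalDnsDirect  = Invoke-DirectQuery   $ExcludedFqdn $localDns   # physical adapter's server
    WindowsResolver = Invoke-ResolverQuery $ExcludedFqdn             # what applications get
    PingReachable   = Test-Connection -ComputerName $ExcludedFqdn -Count 1 -Quiet
} | Format-List

# 4. Assumption: if GlobalProtect expresses the exclusion as an NRPT rule, the
#    effective policy lists a namespace that covers the excluded domain.
Get-DnsClientNrptPolicy -Effective |
    Where-Object { $ExcludedFqdn -like ('*' + $_.Namespace) } |
    Format-List Namespace, NameServers
```

In a healthy configuration, TunnelDnsDirect fails (the same "Non-existent domain" answer nslookup shows), while LocalDnsDirect, WindowsResolver and PingReachable succeed. If WindowsResolver and PingReachable also fail, that is the case the article says to capture with Wireshark and escalate.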
Additional Information
https://live.paloaltonetworks.com/t5/globalprotect-articles/troubleshoot-split-tunnel-domain-amp-applications-and-exclude/ta-p/321075