GlobalProtect - DNS client resolutions can fail when DNS Split Tunneling is enabled
Created On 06/22/22 15:25 PM - Last Modified 03/23/23 00:11 AM
Symptom
- GlobalProtect responds with an NXDOMAIN code when the interface on which the DNS request is seen does not match the interface implied by the Split Tunnel Exclude/Include domain rule that the queried domain hits.
- The “reply no such name = 1” and “ST,READER, return reject DNS now” entries are seen in the PanGPS Dump logs:
(P6160-T6308)Dump ( 91): 06/11/22 15:27:24:908 Received DNS request for ctldl.windowsupdate.com with type 1
(P6160-T6308)Dump (1585): 06/11/22 15:27:24:908 Domain name ctldl.windowsupdate.com matches exclude wildcard domain
(P6160-T6308)Dump ( 531): 06/11/22 15:27:24:908 EnforceSplitDns, ret1=0, ret2=-1, type1=4, type2=0 (3/4-in/exclude), bReplyNoSuchName=1
(P6160-T6308)Dump ( 532): 06/11/22 15:27:24:908 EnforceSplitDns, qname=ctldl.windowsupdate.com, from tunnel=1, reply no such name = 1
(P6160-T6308)Dump ( 590): 06/11/22 15:27:24:908 EnforceSplitDns: Handle DNS request ctldl.windowsupdate.com to server 192.168.1.30
(P6160-T6308)Dump ( 942): 06/11/22 15:27:24:908 HandleDnsCallback result=split dns
(P6160-T6308)Dump ( 615): 06/11/22 15:27:24:908 ST,READER, return reject DNS now
Environment
- Windows 10 client
- GlobalProtect 5.2 or higher
- GlobalProtect Portal and Gateway
- All PAN-OS
- Split-Tunnel Option set to “Both Network Traffic and DNS” on Portal agent config
- GP tunnel and client local interfaces configured with the same DNS servers
- Split Tunnel Include/Exclude Domain list configured
Cause
- If the client is configured with the same DNS servers for the GP tunnel interface and the local interface, the DNS Split Tunnel feature will not work correctly.
- The same can also happen when no DNS servers are defined in the Gateway Agent configuration, because the GP App then uses the DNS servers defined on the local interface.
- The reason is that this feature in GP was designed to differentiate the target DNS server (VPN-assigned or local) based on the requested domain.
- Moreover, Split DNS in GP depends entirely on the DNS queries issued by the Windows DNS client (stub resolver), and when the same DNS server is configured on multiple interfaces, which interface the stub resolver sends a query through is not defined.
In this example:
- *.windowsupdate.com is configured in the Split Tunnel Exclude Domain list
- The interface on which the DNS query is seen is the GP tunnel (tunnel=1), so the query does not satisfy the exclude rule
- GP responds with NXDOMAIN (reply no such name = 1)
(P6160-T6308)Dump ( 532): 06/11/22 15:27:24:908 EnforceSplitDns, qname=ctldl.windowsupdate.com, from tunnel=1, reply no such name = 1
- The Windows DNS client does not send any DNS request through the local adapter, so the client ends up failing the resolution for the requested domain.
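The following triage script is an added example and is not part of the Palo Alto Networks article: it parses PanGPS Dump lines of the shape quoted above, reports every query that GlobalProtect answered with NXDOMAIN together with the interface it arrived on and the Exclude/Include rule it matched, and checks whether the tunnel and local DNS server lists overlap (the misconfiguration described in the Cause section). The dump excerpt, the second domain and the local adapter addresses are constructed sample values.

```python
import re

# Constructed PanGPS Dump excerpt modelled on the lines quoted in the article;
# the thread id, timestamps and the second query are sample values, not a real capture.
SAMPLE_DUMP = """\
(P6160-T6308)Dump ( 91): 06/11/22 15:27:24:908 Received DNS request for ctldl.windowsupdate.com with type 1
(P6160-T6308)Dump (1585): 06/11/22 15:27:24:908 Domain name ctldl.windowsupdate.com matches exclude wildcard domain
(P6160-T6308)Dump ( 532): 06/11/22 15:27:24:908 EnforceSplitDns, qname=ctldl.windowsupdate.com, from tunnel=1, reply no such name = 1
(P6160-T6308)Dump ( 615): 06/11/22 15:27:24:908 ST,READER, return reject DNS now
(P6160-T6308)Dump ( 91): 06/11/22 15:27:25:101 Received DNS request for intranet.example.com with type 1
(P6160-T6308)Dump ( 532): 06/11/22 15:27:25:101 EnforceSplitDns, qname=intranet.example.com, from tunnel=1, reply no such name = 0
"""

ENFORCE_RE = re.compile(
    r"EnforceSplitDns, qname=(?P<qname>\S+), from tunnel=(?P<tunnel>[01]), "
    r"reply no such name = (?P<nx>[01])"
)
MATCH_RE = re.compile(
    r"Domain name (?P<qname>\S+) matches (?P<rule>exclude|include) wildcard domain"
)

def find_split_dns_rejects(dump_text):
    """Return one record per query that GP answered with NXDOMAIN (reply no such
    name = 1): the qname, the interface the query was seen on, and the Split
    Tunnel domain rule it matched (from the preceding 'Domain name ... matches' line)."""
    rule_for = {}   # qname -> "exclude" / "include", filled from the match lines
    rejects = []
    for line in dump_text.splitlines():
        m = MATCH_RE.search(line)
        if m:
            rule_for[m["qname"]] = m["rule"]
            continue
        m = ENFORCE_RE.search(line)
        if m and m["nx"] == "1":
            rejects.append({
                "qname": m["qname"],
                "interface": "tunnel" if m["tunnel"] == "1" else "local",
                "rule": rule_for.get(m["qname"], "none"),
            })
    return rejects

def dns_servers_overlap(tunnel_dns, local_dns):
    """Any DNS server shared by the GP tunnel interface and the local adapter makes
    the split decision ambiguous; a non-empty result means the article's cause applies."""
    return sorted(set(tunnel_dns) & set(local_dns))

if __name__ == "__main__":
    for r in find_split_dns_rejects(SAMPLE_DUMP):
        print(f"{r['qname']}: NXDOMAIN for a query seen on the {r['interface']} "
              f"interface (matched {r['rule']} rule)")
    # Sample lists (constructed): both interfaces point at 192.168.1.30
    print("shared DNS servers:",
          dns_servers_overlap(["192.168.1.30"], ["192.168.1.30", "192.168.1.1"]))
```

Run it against a real PanGPS Dump by reading the file into `find_split_dns_rejects`; a rejected exclude-list domain seen on the tunnel, combined with a non-empty overlap, is the signature this article describes.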
Resolution
DNS servers must be configured on the Gateway, and they must be different from the DNS servers used by the client's local interface.
Network > GlobalProtect > Gateways > <gateway-config> > Agent > Client Settings > <client-config> > Network Services
Additional Information
21 Mar 23 (Vijay) - Article updated with Prathyusha and published externally.