How to configure Split DNS

Created On 10/23/20 11:49 AM - Last Modified 03/29/21 14:44 PM


Objective
This article explains how to configure Split DNS together with domain-based split tunneling (the Exclude Domain list), so that DNS queries for excluded domains are resolved outside the VPN tunnel.

 


Environment
  • GlobalProtect 5.2 or higher.
  • Palo Alto Networks firewall.
  • PAN-OS 8.1 and above.
  • Content Release Version 8284-6139 or later.


 


Procedure
Domain-based split tunneling and Split DNS are configured as follows:
  1. Select Network > GlobalProtect > Gateways > <gateway-config> to modify an existing gateway.
  2. In the GlobalProtect Gateway Configuration dialog, select Agent > Tunnel Settings and enable the Tunnel Mode.
  3. In the GlobalProtect Gateway Configuration dialog, select Agent > Client Settings > <client-setting-config> to select an existing client settings configuration.
  4. Go to Split Tunnel > Domain and Application > Exclude Domain and add domain names that you want to exclude from the VPN tunnel using the destination domain and port.
  5. Go to Split Tunnel > Domain and Application > Include Domain to add the domain names in the list that you want to route to GlobalProtect through the VPN connection using the destination domain and port.
  6. Click OK to save the Split tunnel settings.
  7. Go back to Network > GlobalProtect > Portals and select the pertinent Portal.
  8. On the Agent tab, select the agent configuration that you want to modify.
  9. Select the App tab and set "Split Tunnel Option" to "Both network traffic and DNS".


Additional Information
Prerequisites for Split DNS:
  • GlobalProtect 5.2 or higher
  • GlobalProtect license
  • The client system must be running Windows 10, or macOS Catalina 10.15.4 or later
  • The firewall must have Content Release Version 8284-6139 or later installed
Note: Split DNS works together with domain-based split tunneling: the client uses the alternate DNS server only for domains whose traffic is not routed through the tunnel.
Split DNS does not work with route-based or application-based split tunneling configured on the GlobalProtect gateway. For more details, refer to the following links.

Split Tunnel
Split Tunnel Based on Domain and Application
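The following added example (not Palo Alto Networks code) models the decision described in the procedure and the note above: given the Exclude Domain and Include Domain lists from a client-settings configuration, it reports whether a DNS query for a hostname goes to the tunnel DNS server or to the local one. The wildcard form `*.example.com`, the longest-match tie-break, and the fallback to the tunnel for unmatched names are assumptions for illustration, not behaviour stated in the article.

```python
"""Model of the Split DNS decision described in the procedure above.

Added example, not Palo Alto code.  Assumptions (not stated on the page):
'*.example.com' wildcards match any subdomain, the longest matching entry
wins when Exclude and Include overlap, and a name matching neither list
follows the default route, i.e. the tunnel.
"""
from __future__ import annotations

TUNNEL_DNS = "tunnel (GlobalProtect-assigned DNS server)"
LOCAL_DNS = "local (physical adapter DNS server)"


def _match_len(pattern: str, hostname: str) -> int:
    """Return the number of labels matched, or -1 for no match.

    '*.corp.example.com' matches 'a.corp.example.com' (and deeper) but not
    'corp.example.com' itself; a bare entry matches only that exact name.
    """
    host = hostname.lower().rstrip(".")
    pat = pattern.lower().rstrip(".")
    if pat.startswith("*."):
        suffix = pat[2:]
        return suffix.count(".") + 1 if host.endswith("." + suffix) else -1
    return pat.count(".") + 1 if host == pat else -1


def dns_path(hostname: str, exclude: list[str], include: list[str]) -> str:
    """Decide which DNS server a client queries for hostname.

    Split DNS uses the local DNS server only for domains whose traffic is
    excluded from the tunnel; everything else resolves through the tunnel
    DNS server, which is what the portal's "Both network traffic and DNS"
    option produces together with domain-based split tunneling.
    """
    best_excl = max((_match_len(p, hostname) for p in exclude), default=-1)
    best_incl = max((_match_len(p, hostname) for p in include), default=-1)
    return LOCAL_DNS if best_excl > best_incl else TUNNEL_DNS


if __name__ == "__main__":
    # Constructed sample lists, not values from the article.
    excl = ["*.meetings.example.net", "*.example.com"]
    incl = ["*.corp.example.com", "intranet.example.com"]
    for name in ["join.meetings.example.net", "files.corp.example.com",
                 "www.example.com", "mail.example.org"]:
        print(f"{name:28} -> {dns_path(name, excl, incl)}")
```

Running the module prints one line per sample hostname; the overlap between `*.example.com` and `*.corp.example.com` shows why the ordering of the two lists matters when you review a configuration.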

