GlobalProtect Windows App cannot resolve local network's domain names

Created On 05/11/23 14:19 PM - Last Modified 09/28/23 12:39 PM


Symptom


  • When the option "Resolve All FQDNs Using DNS Servers Assigned by the Tunnel (Windows Only)" is set to Yes (default), GlobalProtect answers with an NXDOMAIN response code to every DNS request directed to DNS servers that were not pushed by the GlobalProtect Gateway.
  • The “reply no such name = 1” and “ST,READER, return reject DNS now” entries are seen in the PanGPS Dump logs:
(P2808-T6804)Dump (  91): 05/11/23 16:45:41:352 Received DNS request for home.local with type 1
(P2808-T6804)Dump ( 531): 05/11/23 16:45:41:352 EnforceSplitDns, ret1=-1, ret2=-1, type1=0, type2=0 (3/4-in/exclude), bReplyNoSuchName=1
(P2808-T6804)Dump ( 532): 05/11/23 16:45:41:352 EnforceSplitDns, qname=home.local, from tunnel=0, reply no such name = 1
(P2808-T6804)Dump ( 590): 05/11/23 16:45:41:352 EnforceSplitDns: Handle DNS request home.local to server 192.168.3.50
(P2808-T6804)Dump ( 937): 05/11/23 16:45:41:352 HandleDnsCallback result=split dns
(P2808-T6804)Dump ( 611): 05/11/23 16:45:41:352 ST,READER, return reject DNS now


Environment


  • Windows 10 client
  • GlobalProtect 5.2 or higher
  • All PAN-OS
  • Split DNS is disabled: Split-Tunnel option set to “Network Traffic Only” (default)
  • "Resolve All FQDNs Using DNS Servers Assigned by the Tunnel (Windows Only)" set to Yes (default)


Cause


  • All DNS requests directed to the DNS server assigned to the local physical adapter are rejected by the GlobalProtect client (with an NXDOMAIN reply).
  • With this setting turned on, GlobalProtect replies with NXDOMAIN when either:
    • The DNS request is not forwarded to the GP tunnel interface
    • The DNS request is forwarded through the GP tunnel interface to a DNS server that was not pushed by the Gateway
In our example:
  • home.local is the client's local domain and 192.168.3.50 is the DNS server assigned to the physical adapter.
  • The DNS query is sent out of the physical interface (from tunnel=0), so GP responds with NXDOMAIN (reply no such name = 1):
(P2808-T6804)Dump ( 532): 05/11/23 16:45:41:352 EnforceSplitDns, qname=home.local, from tunnel=0, reply no such name = 1
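The following is an added example, not code from Palo Alto Networks or from this article, that shows how to confirm this cause from a PanGPS Dump log without reading it line by line. It pairs each "EnforceSplitDns, qname=..." decision line with the "Handle DNS request ... to server ..." line that follows it, and flags queries that were rejected while leaving the physical interface (from tunnel=0), which is exactly the pattern described above. The first log block is copied from this article; the second block is constructed for illustration (the names intranet.example.com and 10.0.0.53, and the assumption that an allowed query is logged as "from tunnel=1, reply no such name = 0", are not from the article).

```python
import re

# PanGPS Dump lines quoted from the knowledge base article above.
SAMPLE_LOG = """\
(P2808-T6804)Dump (  91): 05/11/23 16:45:41:352 Received DNS request for home.local with type 1
(P2808-T6804)Dump ( 531): 05/11/23 16:45:41:352 EnforceSplitDns, ret1=-1, ret2=-1, type1=0, type2=0 (3/4-in/exclude), bReplyNoSuchName=1
(P2808-T6804)Dump ( 532): 05/11/23 16:45:41:352 EnforceSplitDns, qname=home.local, from tunnel=0, reply no such name = 1
(P2808-T6804)Dump ( 590): 05/11/23 16:45:41:352 EnforceSplitDns: Handle DNS request home.local to server 192.168.3.50
(P2808-T6804)Dump ( 937): 05/11/23 16:45:41:352 HandleDnsCallback result=split dns
(P2808-T6804)Dump ( 611): 05/11/23 16:45:41:352 ST,READER, return reject DNS now
"""

# Constructed lines (not from the article): a query that went through the tunnel
# to a Gateway-pushed resolver. The "from tunnel=1 ... = 0" form is an assumption.
CONSTRUCTED_LOG = """\
(P2808-T6804)Dump ( 532): 05/11/23 16:45:42:010 EnforceSplitDns, qname=intranet.example.com, from tunnel=1, reply no such name = 0
(P2808-T6804)Dump ( 590): 05/11/23 16:45:42:010 EnforceSplitDns: Handle DNS request intranet.example.com to server 10.0.0.53
"""

DECISION_RE = re.compile(
    r"EnforceSplitDns, qname=(?P<qname>\S+), from tunnel=(?P<tunnel>\d), "
    r"reply no such name = (?P<nx>\d)"
)
SERVER_RE = re.compile(
    r"EnforceSplitDns: Handle DNS request (?P<qname>\S+) to server (?P<server>\S+)"
)


def parse_split_dns_decisions(log_text: str) -> list[dict]:
    """Return one record per EnforceSplitDns decision, with the target server attached."""
    records: list[dict] = []
    pending: dict[str, dict] = {}  # qname -> decision still waiting for its server line
    for line in log_text.splitlines():
        m = DECISION_RE.search(line)
        if m:
            rec = {
                "qname": m["qname"],
                "from_tunnel": m["tunnel"] == "1",
                "rejected": m["nx"] == "1",
                "server": None,
            }
            records.append(rec)
            pending[rec["qname"]] = rec
            continue
        m = SERVER_RE.search(line)
        if m and m["qname"] in pending:
            pending.pop(m["qname"])["server"] = m["server"]
    return records


def is_local_resolver_rejection(rec: dict) -> bool:
    """True when GP answered NXDOMAIN for a query that left via the physical adapter."""
    return rec["rejected"] and not rec["from_tunnel"]


def rejected_by_server(records: list[dict]) -> dict[str, int]:
    """Count NXDOMAIN rejections per target DNS server (the local resolver shows up here)."""
    counts: dict[str, int] = {}
    for rec in records:
        if rec["rejected"]:
            key = rec["server"] or "<unknown>"
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_split_dns_decisions(SAMPLE_LOG + CONSTRUCTED_LOG)
    for rec in recs:
        verdict = "REJECTED (physical adapter resolver)" if is_local_resolver_rejection(rec) else "allowed"
        print(f"{rec['qname']:<24} server={rec['server']:<14} tunnel={rec['from_tunnel']} {verdict}")
    print("rejections per server:", rejected_by_server(recs))
```

Run it against a real PanGPS.log by reading the file into `parse_split_dns_decisions`; a non-empty `rejected_by_server` result whose only keys are the physical adapter's resolvers is the signature of this article's cause, and it should disappear once the portal option is set to No.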


Resolution


Set the option "Resolve All FQDNs Using DNS Servers Assigned by the Tunnel (Windows Only)" to No.

GUI: Network > GlobalProtect > Portals > <portal-config> > Agent > <agent-config> > App


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000g1lzCAA&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail