Prisma Access's DNS proxy behavior when Primary DNS server is down for Internal Domains on Mobile Users or Remote Networks

• When the configured Primary DNS server is down, the client may experience the DNS resolution timeout for the configured domains.
• This is explained using the following example. These are the settings  configured for Mobile Users Onboarding
  • Internal Domains
  • Primary DNS Server : 192.168.0.45
  • Secondary DNS Server : 192.168.0.50
  • Domain List : *.test.local

• Prisma Access(SASE)
• Mobile Users(MU)
• Remote Networks(RN)

Here is an sample scenario when the Primary DNS Server is down via MU GW.

1. A client machine tries to resolve the domain "abc.test.local" via GP Client.
2. The client machine sends DNS queries for "abc.test.local" to a DNS Proxy working on MU GW.
3. If the DNS proxy on MU GW does not have DNS cache entries for "abc.test.local", it sends DNS queries to the configured Primary DNS server for the Internal Domains.
4. If there is no reply from the Primary DNS server for 10 sec (2 seconds x 5 times), the DNS Proxy sends queries to the Secondary DNS server.
5. If the Secondary DNS server replies DNS records, the DNS Proxy replies them to the client machine and adds the records to own DNS Proxy cache table, then holds it till TTL has been expired.
6. When TTL has been expired, the entries will be removed from the table.
7. If the DNS proxy receives the DNS query for "abc.test.local" from the client machine again after TTL expiration, it goes back to Step 3).

Thus, the client machine may see DNS resolution timeout during the first DNS resolution try if the resolution timeout threshold is set as 10 seconds or low in the client machine.

Change the UDP Queries Retries value in the Onboarding setting.
Setting a small value may reduce the DNS resolution timeout seen in the client machines.

• DNS Resolution for Mobile Users—GlobalProtect and Remote Network Deployments
• Set Up GlobalProtect on Panorama Managed Prisma Access