https://live.paloaltonetworks.com/t5/globalprotect-discussions/comcast-domain-suffix-getting-appended-into-dns-requests-over/m-p/511633#M3075 <P>I ran a packet capture on PAN to try and figure out an intermittent problem with one of my GP 5.2.5.66 users (Windows, Surface Pro) where certain web based or internal applications will just start working. The external are Outlook O365, Teams for example. If he disables GP then everything starts working again. We verified he's connected to VPN during these periods of failure and narrowed to a DNS problem. When I ran a pcap on the PAN, I could see that his system was first sending a query for the expected domain&nbsp;</P> <P>with the host - say scooper-p01.acme.com. But then the next packet would be trying to resolve scooper.hdcl.fl.comcast.net.&nbsp;<BR />So while his system was clearly connected to GP VPN (I couldn't have grabbed the packets otherwise), the presumed suffix&nbsp;<BR />was changing one DNS lookup to another. Has anyone seen anything like this? Any recommended fix?&nbsp;</P> Thu, 11 Aug 2022 22:24:12 GMT MichaelMedwid 2022-08-11T22:24:12Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/comcast-domain-suffix-getting-appended-into-dns-requests-over/m-p/511633#M3075 <P>I ran a packet capture on PAN to try and figure out an intermittent problem with one of my GP 5.2.5.66 users (Windows, Surface Pro) where certain web based or internal applications will just start working. The external are Outlook O365, Teams for example. If he disables GP then everything starts working again. We verified he's connected to VPN during these periods of failure and narrowed to a DNS problem. When I ran a pcap on the PAN, I could see that his system was first sending a query for the expected domain&nbsp;</P> <P>with the host - say scooper-p01.acme.com. But then the next packet would be trying to resolve scooper.hdcl.fl.comcast.net.&nbsp;<BR />So while his system was clearly connected to GP VPN (I couldn't have grabbed the packets otherwise), the presumed suffix&nbsp;<BR />was changing one DNS lookup to another. Has anyone seen anything like this? Any recommended fix?&nbsp;</P> Thu, 11 Aug 2022 22:24:12 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/comcast-domain-suffix-getting-appended-into-dns-requests-over/m-p/511633#M3075 MichaelMedwid 2022-08-11T22:24:12Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/comcast-domain-suffix-getting-appended-into-dns-requests-over/m-p/511912#M3082 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/132469">@MichaelMedwid</a>,</P> <P>Since 5.2.5 is relatively older at this point and a brief glance through the latest release notes show a few suffix fixes alongside split tunnel fixes that saw split DNS requesting DNS across both interfaces, I would highly recommend allowing this user to just try running 5.2.12 and seeing if they run into the same issue. It's possible that they're running into a bug that has been fixed in a later release, and since 5.2.12 fixes the OpenSSL infinite loop vulnerability I would recommend getting it deployed to everyone anyways.&nbsp;</P> Tue, 16 Aug 2022 01:50:49 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/comcast-domain-suffix-getting-appended-into-dns-requests-over/m-p/511912#M3082 BPry 2022-08-16T01:50:49Z