topic Re: DNS suffix not applying in GlobalProtect Discussions

DNS suffix not applying

COlson — Tue, 08 Dec 2020 18:49:58 GMT

Hello,

I have deployed a GlobalProtect gateway in an office that uses a different domain than our own. To that end, I have added their dns suffix to the gateway but when I connect onto that gateway, the suffix is never appended. I cannot access their domain resources unless I use FQDN. In the logs, I see the config being sent and it does include the DNS suffix so I'm not sure why it won't be appended?

Thanks.

Re: DNS suffix not applying

Mick_Ball — Thu, 10 Dec 2020 13:17:25 GMT

are you applying this suffix in the gateway global config or in the client configuration settings.

It only seems to work for us if we add it to the global gateway setting for network services, we just seperate with a comma.

Re: DNS suffix not applying

Mick_Ball — Thu, 10 Dec 2020 13:34:18 GMT

Also,,,]

not sure where you are seeing the info sent but the GP logs are showing this...

when i add fred.com to gateway settings..

</dns>

<wins>

</wins>

<dns-suffix>

<member>fred.com</member>

</dns-suffix>

when i add fred.com to client settings

</dns>

<wins>

</wins>

<dns-suffix>

</dns-suffix>

seems to be not working and dns reverts to local suffix prior to VPN connection.

Re: DNS suffix not applying

COlson — Thu, 10 Dec 2020 13:40:00 GMT

Hi,

I have added the DNS suffix under Gateway-->Agent-->Network Services. And I see the same thing in the log that you posted, the DNS suffix shows as being processed, but when that DNS suffix does not show up ipconfig or in the adapter settings for GlobalProtect and when I try and contact by hostname only FQDN works. So it's as though the config for DNS suffix is processed but never actually applied as far as I can see.

Re: DNS suffix not applying

Mick_Ball — Thu, 10 Dec 2020 13:48:17 GMT

I also see no suffix in the ipconfig setting but wireshark port 53 showed that the suffix was added for DNS,

Re: DNS suffix not applying

COlson — Thu, 10 Dec 2020 14:04:06 GMT

When I do a ping hostname and look in wireshark, I see the DNS request to the proper DNS server but it uses the DNS suffix from the local machine (there are actually two and it tries both), not the DNS that should be applied via GlobalProtect.

Re: DNS suffix not applying

Mick_Ball — Thu, 10 Dec 2020 14:22:17 GMT

Hmmm... yes thats correct... but would that matter.... i suppose the only issue would be if you had servers with the same name on different domains... apart from that, as long as it resolves would it really matter? works ok for me.... perhaps you are having other issues with this.

Re: DNS suffix not applying

Mick_Ball — Thu, 10 Dec 2020 14:30:22 GMT

this id comment from PAN.

"This is expected behavior as the DNS suffix is just a linear list of suffixes to search, and is not adapter dependent."

so it's not supposed to reconfigure the adapter, just add a search suffix.

Re: DNS suffix not applying

COlson — Thu, 10 Dec 2020 14:33:46 GMT

I had read that as well... but unfortunately, it doesn't seem to be adding the suffix.

It's not resolving properly. So, my laptop is in domain A and receives DNS suffix for domain A and domain B. GlobalProtect has a DNS suffix for domain C. So when I connect to the GP gateway, I want to be able to resolve hostnames for domain C without FQDN but when I ping hostname, Wireshark shows DNS is trying hostname.domain A and hostname.domain B (which fails because the hostname is only in domain C) and then returns that the host can't be found.

Re: DNS suffix not applying

Mick_Ball — Thu, 10 Dec 2020 15:03:57 GMT

Oh i see.... so where exactly are you getting domain B suffix from, is that set on the adapter...

Re: DNS suffix not applying

COlson — Thu, 10 Dec 2020 16:16:46 GMT

DomainA and DomainB DNS suffix are received via GPO.

Re: DNS suffix not applying

Mick_Ball — Thu, 10 Dec 2020 16:22:21 GMT

I have a few local domains on my NIC and have added these additional ones to GP Gateway...

on GP connection my ipconfig /all shows

and when i ping elzzzbelzzzz i see this in wireshark

so it does work and i have no idea why it wouldn't work for you....

I am using PAN 9.1.6 and GP 5.2

Re: DNS suffix not applying

Mick_Ball — Thu, 10 Dec 2020 16:25:01 GMT

perhaps GPO takes precedence here..... our suffix is part of the image...

Re: DNS suffix not applying

Mick_Ball — Thu, 10 Dec 2020 16:32:24 GMT

you could try this...

> Run gpedit.msc
> Browse Local Computer Policy
> Computer Configuration
> Administrative Templates -> Network -> DNS Client

Enable "Allow DNS Suffix Appending to Unqualified Multi-Label Name Queries"

Re: DNS suffix not applying

COlson — Thu, 10 Dec 2020 18:51:26 GMT

Based on what you're showing, it would seem that GPO would indeed take a precedence; which makes the DNS suffix option not useful. Although, I'm unable to find it anywhere in their documentation that confirms or denies that.

Re: DNS suffix not applying

Erasmo — Wed, 23 Dec 2020 16:12:06 GMT

Did you find a solution for your issue? I am running into the exact same scenrario. On our PAN device, we configured the DNS suffix in DHCP options to add it. But once the GP client connects and we check ip config the dns suffix is not there.