https://live.paloaltonetworks.com/t5/general-topics/dns-proxy-to-gp-clients/m-p/171235#M54192 <P>Have you been able to troubleshoot the user's complaints? using the DNS proxy configuration should be the method to accomplish this requirement</P> <P>&nbsp;</P> <P>how did you configure it exactly?</P> Fri, 11 Aug 2017 08:29:15 GMT reaper 2017-08-11T08:29:15Z https://live.paloaltonetworks.com/t5/general-topics/dns-proxy-to-gp-clients/m-p/171213#M54187 <P>DNS configured in GP settings: Primary DNS 10.250.1.1, secondary DNS 10.250.1.2</P><P>&nbsp;</P><P>Access route: split tunnel- 10.250.0.0/16 allowed in GP.</P><P>&nbsp;</P><P>Once clients are connected to globalprotect, they are getting the above DNS settings. so the traffic going to internet also resolving in above Internal DNS server.</P><P>&nbsp;</P><P>Now i have the requirement for GP users, when traffic going to internet, it should resolve using public DNS say 8.8.8.8 or 4.2.2.2</P><P>and the traffic going to 10.250.0.0/16 to GP tunnel should resolve to&nbsp;<SPAN>DNS 10.250.1.1, secondary DNS 10.250.1.2.</SPAN></P><P>&nbsp;</P><P><SPAN>I have configured as per below KB for fulfil the above requirement. its working fine, some of the users complain about internal DNS server issue for GP connected internal sites sometimes. However internet traffic resolution working fine. so we have removed this config</SPAN></P><P>&nbsp;</P><P><SPAN><A href="https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-DNS-Proxy-for-GlobalProtect-Clients/ta-p/124541" target="_blank">https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-DNS-Proxy-for-GlobalProtect-Clients/ta-p/124541</A></SPAN></P><P>&nbsp;</P><P><SPAN>Kindly suggest if there is any workaround for this requirement</SPAN></P><P>&nbsp;</P><P><SPAN>&nbsp;</SPAN></P> Fri, 11 Aug 2017 07:24:23 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-proxy-to-gp-clients/m-p/171213#M54187 Javith_Ali 2017-08-11T07:24:23Z https://live.paloaltonetworks.com/t5/general-topics/dns-proxy-to-gp-clients/m-p/171235#M54192 <P>Have you been able to troubleshoot the user's complaints? using the DNS proxy configuration should be the method to accomplish this requirement</P> <P>&nbsp;</P> <P>how did you configure it exactly?</P> Fri, 11 Aug 2017 08:29:15 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-proxy-to-gp-clients/m-p/171235#M54192 reaper 2017-08-11T08:29:15Z https://live.paloaltonetworks.com/t5/general-topics/dns-proxy-to-gp-clients/m-p/171295#M54217 <P>Hi,</P><P>&nbsp;</P><P>Thansk for reply</P><P>&nbsp;</P><P>we dont have more time to troubleshoot this issue as lots of users are complaining about DNS resolution. Hence we revert back to old configurations which is resolving all queries in internal server.</P><P>&nbsp;</P><P>From the users machine, we are getting the dns timed out in nslookup and in firewall queries are sent from dns proxy ip to external servers and less queries to internal servers. yet to collect the logs, Just posted here to check for alternative solution.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 11 Aug 2017 16:12:35 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-proxy-to-gp-clients/m-p/171295#M54217 Javith_Ali 2017-08-11T16:12:35Z https://live.paloaltonetworks.com/t5/general-topics/dns-proxy-to-gp-clients/m-p/171321#M54221 Outside of the box, you could set up a bind server in dmz in caching mode, set your internal domains as forwarded to internal server, everything else as forwarded to internet dns Fri, 11 Aug 2017 18:27:25 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-proxy-to-gp-clients/m-p/171321#M54221 reaper 2017-08-11T18:27:25Z