https://live.paloaltonetworks.com/t5/general-topics/globalprotect-macos-support-for-unscoped-dns-lookups/m-p/203410#M59927 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/78932">@Matt_Heywood</a>,</P><P>If you can't do number 1, and you can't assume number 2; I have no idea how this would actually work without making something like a host entry.&nbsp;</P> Sat, 03 Mar 2018 21:39:08 GMT BPry 2018-03-03T21:39:08Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-macos-support-for-unscoped-dns-lookups/m-p/203368#M59917 <P>I am running Global Protect 4.0.3 and everthing is wokring successfully with Windows Devices. When DNS requests are made for the seach domain "foobar.com" they are directed at the internal DNS Servers defined within the GP Client Configuration and the requests are sent down the tunnel to internal DNS Servers. If it is for any other domain lookup "Google.com" then it uses the locally configured DNS Server on the device and the request goes to the system defined DNS Servers (not through the tunnel).</P><P>&nbsp;</P><P>The issue that I have is regarding GP client on MacOS devices. All requests are sent down the tunnel towards the internal DNS Servers, meaning that "foobar.com" gets resolved correctly, however "google.com" does not get resolved as our internal DNS Servers do not resolve public DNS.</P><P>&nbsp;</P><P>Has anyone else come accross this problem at all and if so, how have people gotten around the issue?</P><P>&nbsp;</P><P>Thanks</P> Fri, 02 Mar 2018 23:59:11 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-macos-support-for-unscoped-dns-lookups/m-p/203368#M59917 Matt_Heywood 2018-03-02T23:59:11Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-macos-support-for-unscoped-dns-lookups/m-p/203380#M59919 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/78932">@Matt_Heywood</a>,</P><P>It there any reason why you couldn't set your internal DNS as the 'secondary' DNS under the GlobalProtect &gt; Gateway &gt; Gateway Configuration &gt; Agent &gt; Network Services' and then setup a public DNS server as the primary.&nbsp;</P><P>This should allow clients to resolve external hosts, and when the primary fails to find your internal servers it should pass it off to the secondary where you would get your expected response.&nbsp;</P><P>It could also be easier to simply setup your internal DNS server so that it&nbsp;<EM>can</EM> resolve public DNS entries. It really isn't that hard and it doesn't really require any additional resources from your DNS server.&nbsp;</P> Sat, 03 Mar 2018 01:07:08 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-macos-support-for-unscoped-dns-lookups/m-p/203380#M59919 BPry 2018-03-03T01:07:08Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-macos-support-for-unscoped-dns-lookups/m-p/203382#M59920 <P>Unfortunately there are two issues.</P><P>&nbsp;</P><P>1: Our internal DNS Servers do not forward onto public DNS (security reasons)</P><P>2: If a client is connecting in, we can't assume that a generic public DNS will be the DNS that they are using. There might be another DNS server that they are using within their network for their own specific DNS configuration</P> Sat, 03 Mar 2018 01:44:09 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-macos-support-for-unscoped-dns-lookups/m-p/203382#M59920 Matt_Heywood 2018-03-03T01:44:09Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-macos-support-for-unscoped-dns-lookups/m-p/203410#M59927 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/78932">@Matt_Heywood</a>,</P><P>If you can't do number 1, and you can't assume number 2; I have no idea how this would actually work without making something like a host entry.&nbsp;</P> Sat, 03 Mar 2018 21:39:08 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-macos-support-for-unscoped-dns-lookups/m-p/203410#M59927 BPry 2018-03-03T21:39:08Z