https://live.paloaltonetworks.com/t5/general-topics/global-protect-split-dns-nslookup-amp-dig-expected-behaviour/m-p/396515#M91380 <P>Thanks&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/9981">@Mick_Ball</a>&nbsp;- I did think that this was the case.&nbsp; Thanks for taking the time to to test and confirm.</P> Thu, 08 Apr 2021 08:25:32 GMT cg7201 2021-04-08T08:25:32Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-split-dns-nslookup-amp-dig-expected-behaviour/m-p/396286#M91353 <P>What is the expected NSLOOKUP / DIG behaviour when using Split DNS and attempting to resolve an excluded domain?</P><P>&nbsp;</P><P>We are seeing the following:</P><P class="lia-indent-padding-left-30px"><EM>nslookup excludeddomain.com</EM><BR /><EM>Server: dc.domain.local</EM><BR /><EM>Address: 10.0.0.10</EM></P><P class="lia-indent-padding-left-30px"><EM>*** dc.domain.local can't find excludeddomain.com: Non-existent domain</EM></P><P>&nbsp;</P><P>Is this expected (obviously it resolves if I tell it to use an external DNS server)?</P><P>&nbsp;</P><P>Global Protect debug logs shows it cycles through all the DNS suffixes assigned to the VPN adapter but never moves on to the physical adapter.&nbsp; In Wireshark we can see the DNS requests being made via the VPN adapter only.</P><P>&nbsp;</P><P>If I browse to&nbsp;<EM>excludeddomain.com,&nbsp;</EM>Global Protect debug logs shows it cycles through all the DNS suffixes assigned to the VPN adapter and then resolves using the physical adapter.&nbsp; In Wireshark we can see the DNS query is only passed to the physical adapter.</P><P>&nbsp;</P><P>We are on PAN OS&nbsp;<SPAN>9.1.3-h1 and GlobalProtect&nbsp;5.2.5&nbsp;</SPAN></P><P><SPAN>Portal Agent config: Split-Tunnel Option = Both Network and DNS</SPAN></P><P>&nbsp;</P><P><SPAN>I am just curious to find out if the above is expected behaviour and if so, is there any official Palo documentation where it is advised not to use NSLOOKUP or DIG - similar to CISCO documentation here:&nbsp;<A href="https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116016-technote-AnyConnect-00.html" target="_blank" rel="noopener">Behavioral Differences Regarding DNS Queries and Domain Name Resolution in Different OSs - Cisco</A> - where they state:</SPAN></P><P>&nbsp;</P><LI-CODE lang="markup">Note: Avoid the use of the NSLookup when you test the name resolution on the client. Instead, rely on a browser or use the ping command. This is because NSLookup does not rely on the OS DNS resolver. AnyConnect does not force the DNS request via a certain interface but allows it or rejects it dependent upon the split DNS configuration. In order to force the DNS resolver to try an acceptable DNS server for a request, it is important that split DNS testing is only performed with applications that rely on the native DNS resolver for domain name resolution (all applications except NSLookup, Dig, and similar applications that handle DNS resolution by themselves, for example).</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 07 Apr 2021 11:20:13 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-split-dns-nslookup-amp-dig-expected-behaviour/m-p/396286#M91353 cg7201 2021-04-07T11:20:13Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-split-dns-nslookup-amp-dig-expected-behaviour/m-p/396315#M91359 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/176671">@cg7201</a>&nbsp;</P><P>Yes this is expected behavior, not that i know of any documentation to confirm this but the same happens for me when using split DNS.</P><P>&nbsp;</P><P>It has never caused any issues and am&nbsp; seeing same results as you..</P><P>&nbsp;</P><P>&nbsp;</P><P>Wireshark....</P><P>from nslookup the search suffix of the VPN is added immediately, it never tries without it hence unresolvable...</P><P>from browser i only see the entered domain name with no suffix added.&nbsp; &nbsp;and it resolves locally without any issues.</P><P>&nbsp;</P><P>The AnyConnect explanation makes sense here...</P> Wed, 07 Apr 2021 12:04:41 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-split-dns-nslookup-amp-dig-expected-behaviour/m-p/396315#M91359 Mick_Ball 2021-04-07T12:04:41Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-split-dns-nslookup-amp-dig-expected-behaviour/m-p/396515#M91380 <P>Thanks&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/9981">@Mick_Ball</a>&nbsp;- I did think that this was the case.&nbsp; Thanks for taking the time to to test and confirm.</P> Thu, 08 Apr 2021 08:25:32 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-split-dns-nslookup-amp-dig-expected-behaviour/m-p/396515#M91380 cg7201 2021-04-08T08:25:32Z