This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

DNS proxy to GP clients

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

DNS proxy to GP clients

Javith_Ali
L2 Linker

‎08-11-2017 12:22 AM - edited ‎08-11-2017 12:24 AM

DNS configured in GP settings: Primary DNS 10.250.1.1, secondary DNS 10.250.1.2

 

Access route: split tunnel- 10.250.0.0/16 allowed in GP.

 

Once clients are connected to globalprotect, they are getting the above DNS settings. so the traffic going to internet also resolving in above Internal DNS server.

 

Now i have the requirement for GP users, when traffic going to internet, it should resolve using public DNS say 8.8.8.8 or 4.2.2.2

and the traffic going to 10.250.0.0/16 to GP tunnel should resolve to DNS 10.250.1.1, secondary DNS 10.250.1.2.

 

I have configured as per below KB for fulfil the above requirement. its working fine, some of the users complain about internal DNS server issue for GP connected internal sites sometimes. However internet traffic resolution working fine. so we have removed this config

 

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-DNS-Proxy-for-GlobalPro...

 

Kindly suggest if there is any workaround for this requirement

 

 

0 Likes Likes
3 REPLIES 3

reaper
Cyber Elite
Cyber Elite

‎08-11-2017 01:29 AM

Have you been able to troubleshoot the user's complaints? using the DNS proxy configuration should be the method to accomplish this requirement

 

how did you configure it exactly?

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
0 Likes Likes

Javith_Ali
L2 Linker
In response to reaper

‎08-11-2017 09:12 AM

Hi,

 

Thansk for reply

 

we dont have more time to troubleshoot this issue as lots of users are complaining about DNS resolution. Hence we revert back to old configurations which is resolving all queries in internal server.

 

From the users machine, we are getting the dns timed out in nslookup and in firewall queries are sent from dns proxy ip to external servers and less queries to internal servers. yet to collect the logs, Just posted here to check for alternative solution.

 

 

 

 

 

 

0 Likes Likes

reaper
Cyber Elite
Cyber Elite
In response to Javith_Ali

‎08-11-2017 11:27 AM

Outside of the box, you could set up a bind server in dmz in caching mode, set your internal domains as forwarded to internal server, everything else as forwarded to internet dns
Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
0 Likes Likes
  • 3227 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks