DNS proxy to GP clients

L2 Linker

DNS configured in GP settings: primary DNS 10.250.1.1, secondary DNS 10.250.1.2

Access route: split tunnel, 10.250.0.0/16 allowed in GP.

Once clients are connected to GlobalProtect, they are getting the above DNS settings, so the traffic going to the internet is also resolving on the above internal DNS server.

Now I have the requirement for GP users: when traffic is going to the internet, it should resolve using public DNS, say 8.8.8.8 or 4.2.2.2, and the traffic going to 10.250.0.0/16 through the GP tunnel should resolve using DNS 10.250.1.1, secondary DNS 10.250.1.2.

I have configured as per the below KB to fulfil the above requirement. It's working fine, but some users complain about internal DNS server issues for GP-connected internal sites sometimes. However, internet traffic resolution is working fine, so we have removed this config.

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-DNS-Proxy-for-GlobalPro...

Kindly suggest if there is any workaround for this requirement.

3 REPLIES

Cyber Elite

Have you been able to troubleshoot the users' complaints? Using the DNS proxy configuration should be the method to accomplish this requirement.

How did you configure it exactly?

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Hi,

Thanks for the reply.

We don't have more time to troubleshoot this issue as lots of users are complaining about DNS resolution. Hence we reverted back to the old configuration, which resolves all queries on the internal server.

From the user's machine we are getting "DNS timed out" in nslookup, and in the firewall, queries are sent from the DNS proxy IP to external servers and fewer queries to internal servers. Yet to collect the logs; just posted here to check for an alternative solution.

Outside of the box, you could set up a BIND server in the DMZ in caching mode, set your internal domains as forwarded to the internal server and everything else as forwarded to internet DNS.
Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
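The split-forwarding rule described in the original question (internal names and the 10.250.0.0/16 range to 10.250.1.1/10.250.1.2, everything else to 8.8.8.8/4.2.2.2) is the same rule a DNS proxy or a BIND forwarder in the DMZ would apply. The Python below is an added example, not from the thread or from Palo Alto Networks: it models that rule and then audits a few constructed firewall-style log lines for the symptom reported above, internal queries being sent to external servers and timing out. The internal domain suffixes and the log line format are assumptions.

```python
"""Split-DNS forwarder selection plus a small log audit (added example)."""
import ipaddress
import re
from collections import Counter

# Values taken from the thread.
INTERNAL_DNS = ["10.250.1.1", "10.250.1.2"]
PUBLIC_DNS = ["8.8.8.8", "4.2.2.2"]
INTERNAL_RANGE = ipaddress.ip_network("10.250.0.0/16")
# Assumption: the internal domain suffixes the proxy / forward zones should match.
INTERNAL_SUFFIXES = ("corp.example", "internal.example")


def _normalize(qname: str) -> str:
    """Strip the trailing dot and lower-case the name for matching."""
    return qname.rstrip(".").lower()


def reverse_zone_ip(qname: str):
    """Return the IPv4 address encoded in a full in-addr.arpa PTR name, or None."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa", _normalize(qname))
    if not m:
        return None
    try:
        return ipaddress.ip_address(".".join(reversed(m.groups())))
    except ValueError:
        return None


def choose_resolvers(qname: str) -> list:
    """Pick the forwarder set a split-DNS proxy should use for qname.

    Names under an internal suffix, and PTR names for addresses inside
    10.250.0.0/16, go to the internal servers; everything else goes to the
    public servers (the default rule).
    """
    name = _normalize(qname)
    if name.endswith(".in-addr.arpa"):
        ip = reverse_zone_ip(name)
        return INTERNAL_DNS if ip is not None and ip in INTERNAL_RANGE else PUBLIC_DNS
    for suffix in INTERNAL_SUFFIXES:
        if name == suffix or name.endswith("." + suffix):
            return INTERNAL_DNS
    return PUBLIC_DNS


# Constructed log lines in the shape of a firewall traffic log: the DNS proxy's
# source IP, the forwarder it picked, the queried name and the outcome.
SAMPLE_LOG = """\
src=10.250.0.5 dst=10.250.1.1 qname=intranet.corp.example status=ok
src=10.250.0.5 dst=8.8.8.8 qname=www.example.com status=ok
src=10.250.0.5 dst=8.8.8.8 qname=fileserver.corp.example status=timeout
src=10.250.0.5 dst=4.2.2.2 qname=7.1.250.10.in-addr.arpa status=nxdomain
src=10.250.0.5 dst=10.250.1.2 qname=mail.corp.example status=timeout
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) qname=(\S+) status=(\S+)")


def audit_log(log_text: str) -> dict:
    """Flag queries forwarded outside the expected resolver set, and timeouts.

    Returns a dict with per-destination-class counts and a list of findings,
    so a practitioner can see whether internal names are leaking to public
    resolvers (the symptom described in the thread) before changing config.
    """
    findings = []
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        _src, dst, qname, status = m.groups()
        expected = choose_resolvers(qname)
        counts["internal" if dst in INTERNAL_DNS else "public"] += 1
        if dst not in expected:
            findings.append(f"{qname}: sent to {dst}, expected one of {expected}")
        if status == "timeout":
            findings.append(f"{qname}: timeout from {dst}")
    return {"counts": dict(counts), "findings": findings}


if __name__ == "__main__":
    result = audit_log(SAMPLE_LOG)
    print(result["counts"])
    for finding in result["findings"]:
        print("-", finding)
```

Running the audit over real firewall logs (with `LINE_RE` adapted to the export format) shows whether the proxy's domain-match rules actually cover every internal name and the reverse zone; a name that reaches a public resolver and then times out or returns NXDOMAIN is exactly the kind of gap that produces the intermittent internal-site complaints described in the thread.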