Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Global Protect: Split DNS - NSLOOKUP & DIG expected behaviour

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

Global Protect: Split DNS - NSLOOKUP & DIG expected behaviour

L0 Member

What is the expected NSLOOKUP / DIG behaviour when using Split DNS and attempting to resolve an excluded domain?

 

We are seeing the following:

nslookup excludeddomain.com
Server: dc.domain.local
Address: 10.0.0.10

*** dc.domain.local can't find excludeddomain.com: Non-existent domain

 

Is this expected (obviously it resolves if I tell it to use an external DNS server)?

 

Global Protect debug logs shows it cycles through all the DNS suffixes assigned to the VPN adapter but never moves on to the physical adapter.  In Wireshark we can see the DNS requests being made via the VPN adapter only.

 

If I browse to excludeddomain.com, Global Protect debug logs shows it cycles through all the DNS suffixes assigned to the VPN adapter and then resolves using the physical adapter.  In Wireshark we can see the DNS query is only passed to the physical adapter.

 

We are on PAN OS 9.1.3-h1 and GlobalProtect 5.2.5 

Portal Agent config: Split-Tunnel Option = Both Network and DNS

 

I am just curious to find out if the above is expected behaviour and if so, is there any official Palo documentation where it is advised not to use NSLOOKUP or DIG - similar to CISCO documentation here: Behavioral Differences Regarding DNS Queries and Domain Name Resolution in Different OSs - Cisco - where they state:

 

Note: Avoid the use of the NSLookup when you test the name resolution on the client. Instead, rely on a browser or use the ping command. This is because NSLookup does not rely on the OS DNS resolver. AnyConnect does not force the DNS request via a certain interface but allows it or rejects it dependent upon the split DNS configuration. In order to force the DNS resolver to try an acceptable DNS server for a request, it is important that split DNS testing is only performed with applications that rely on the native DNS resolver for domain name resolution (all applications except NSLookup, Dig, and similar applications that handle DNS resolution by themselves, for example).

 

 

 

1 accepted solution

Accepted Solutions

L7 Applicator

Hi @cg7201 

Yes this is expected behavior, not that i know of any documentation to confirm this but the same happens for me when using split DNS.

 

It has never caused any issues and am  seeing same results as you..

 

 

Wireshark....

from nslookup the search suffix of the VPN is added immediately, it never tries without it hence unresolvable...

from browser i only see the entered domain name with no suffix added.   and it resolves locally without any issues.

 

The AnyConnect explanation makes sense here...

View solution in original post

2 REPLIES 2

L7 Applicator

Hi @cg7201 

Yes this is expected behavior, not that i know of any documentation to confirm this but the same happens for me when using split DNS.

 

It has never caused any issues and am  seeing same results as you..

 

 

Wireshark....

from nslookup the search suffix of the VPN is added immediately, it never tries without it hence unresolvable...

from browser i only see the entered domain name with no suffix added.   and it resolves locally without any issues.

 

The AnyConnect explanation makes sense here...

Thanks @Mick_Ball - I did think that this was the case.  Thanks for taking the time to to test and confirm.

  • 1 accepted solution
  • 4841 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!