04-13-2018 08:46 AM - edited 04-13-2018 08:47 AM
I have a case open with Palo but was wondering if anyone can verify and get the same result as I do.
I have a 0.0.0.0/0 route towards the tunnel.
I have Primary and Secondary DNS servers configured in the GP Gateway (Network Services tab).
When I perform nslookup from the Windows command prompt, a reply comes only if the request is sent towards either the Primary or Secondary DNS server in the GP config.
If I change it to anything else, nslookup fails. A Wireshark packet capture taken in Windows shows that the DNS reply came from the DNS server with the result "No such name..."
Now the weird thing is that no requests are logged in the firewall. So it seems like the Windows GP agent itself is acting as a filter and decides which DNS requests are good to pass on and which are not 🙂
By the way, it works fine with the Mac client.
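A reproducible version of the nslookup check from this post, added here as an example and not code from the original thread or from Palo Alto: it sends the same A query to each resolver and reports the response code and the source address of the reply, so a NXDOMAIN ("No such name") from an unlisted server can be compared against the gateway-pushed ones. The resolver addresses and query name are constructed placeholders.

```python
import socket
import struct

# Constructed placeholders (not from the thread): the two resolvers pushed by the
# GlobalProtect gateway and one resolver that is not in the gateway config.
CONFIGURED_DNS = ["10.0.0.53", "10.0.1.53"]
OTHER_DNS = "192.0.2.53"
QNAME = "example.com"

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, txid=0x1234):
    """Build a minimal DNS A/IN query with the RD flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def parse_response(data, txid=0x1234):
    """Return (rcode name, answer count) from a DNS response header."""
    if len(data) < 12:
        raise ValueError("short DNS packet")
    rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    rcode = flags & 0x000F
    return RCODE_NAMES.get(rcode, f"RCODE{rcode}"), an


def probe(server, name=QNAME, timeout=2.0):
    """Send one query to server over UDP/53 and classify the outcome."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name), (server, 53))
        data, (src, _) = sock.recvfrom(512)
    except socket.timeout:
        return "TIMEOUT"
    finally:
        sock.close()
    rcode, answers = parse_response(data)
    return f"{rcode} ({answers} answers) from {src}"


if __name__ == "__main__":
    # An NXDOMAIN from the unlisted resolver for a name the listed ones answer, with
    # nothing in the firewall traffic log, matches the behaviour described above.
    for server in CONFIGURED_DNS + [OTHER_DNS]:
        print(server, "->", probe(server))
```

Run it once on the VPN and once off it; the reply source address also shows whether the answer really came from the server the query was sent to.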
04-20-2018 06:43 AM
I have just had a call logged with our team for the same reason. Have you had any luck or progress with this?
04-20-2018 06:48 AM
For whatever reason I'm remembering a conversation around this that I can't seem to find anymore, and I'm not sure it wasn't during a call/conference. Essentially it was determined that Palo Alto was dropping any DNS requests to anything besides the DNS servers configured in the agent, and that while it was only a Windows thing for the time being, it didn't stretch into the macOS client due to limitations in how the OS works.
I suspect that the response will be that this is expected and is how the agent is supposed to be functioning.
04-20-2018 06:50 AM
OK @BPry, thanks for your reply.
It's not a big deal, as I'm using RDP to resolve the issue, but I just wanted to make sure it's not me going nuts!
04-20-2018 07:37 AM
No solution yet.
Yesterday I had another screen share with Palo TAC.
03-11-2021 12:57 PM
Does anyone know if they ever fixed this? Or shall we rephrase and say it is a "feature request" to unbreak this? Is there a client version that doesn't stop DNS requests? I don't see any mention that the GP client fakes DNS replies to other servers.
I can understand offering this for security purposes, but let's not keep it secret.
This makes GP client laptops hobbled for network engineers, desktop techs, domain and DNS engineers and many more IT people. For many this is a foolish "feature". It has prevented me from troubleshooting repeatedly.