GlobalProtect - MacOS Support for Unscoped DNS Lookups

L0 Member

I am running Global Protect 4.0.3 and everything is working successfully with Windows Devices. When DNS requests are made for the search domain "foobar.com" they are directed at the internal DNS Servers defined within the GP Client Configuration and the requests are sent down the tunnel to internal DNS Servers. If it is for any other domain lookup "Google.com" then it uses the locally configured DNS Server on the device and the request goes to the system defined DNS Servers (not through the tunnel).

The issue that I have is regarding GP client on MacOS devices. All requests are sent down the tunnel towards the internal DNS Servers, meaning that "foobar.com" gets resolved correctly, however "google.com" does not get resolved as our internal DNS Servers do not resolve public DNS.

Has anyone else come across this problem at all and if so, how have people gotten around the issue?

Thanks

Cyber Elite

@Matt_Heywood,

Is there any reason why you couldn't set your internal DNS as the 'secondary' DNS under 'GlobalProtect > Gateway > Gateway Configuration > Agent > Network Services' and then set up a public DNS server as the primary?

This should allow clients to resolve external hosts, and when the primary fails to find your internal servers it should pass it off to the secondary where you would get your expected response.

It could also be easier to simply set up your internal DNS server so that it can resolve public DNS entries. It really isn't that hard and it doesn't really require any additional resources from your DNS server.

Unfortunately there are two issues.

1: Our internal DNS Servers do not forward onto public DNS (security reasons)

2: If a client is connecting in, we can't assume that a generic public DNS will be the DNS that they are using. There might be another DNS server that they are using within their network for their own specific DNS configuration.

@Matt_Heywood,

If you can't do number 1, and you can't assume number 2; I have no idea how this would actually work without making something like a host entry. 
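A way to see which of the two states a Mac is actually in, added here as an example and not taken from the thread or from Palo Alto Networks: a POSIX shell script that parses `scutil --dns`-style text (the two samples below are constructed, not captured from a real host) and reports whether the default unscoped resolver is the tunnel's, which is the state that sends "google.com" to the internal servers, or whether the tunnel resolver is restricted to "foobar.com". It assumes the tunnel interface name starts with `utun` (override with `TUN_PREFIX`) and that a split-DNS resolver appears with a `domain :` line, as macOS renders supplemental resolvers.

```shell
# Constructed samples in the shape of `scutil --dns` output (not captured from a real host).
# BROKEN: the tunnel resolver (utun2) is unscoped resolver #1 with no "domain" line, so it
# is the default resolver and every lookup, google.com included, goes down the VPN.
BROKEN='DNS configuration
resolver #1
  search domain[0] : foobar.com
  nameserver[0] : 10.1.1.10
  if_index : 12 (utun2)
resolver #2
  domain   : local
DNS configuration (for scoped queries)
resolver #1
  nameserver[0] : 192.168.1.1
  if_index : 6 (en0)'
# SPLIT: the local resolver is the default; the tunnel resolver only answers foobar.com.
SPLIT='DNS configuration
resolver #1
  nameserver[0] : 192.168.1.1
  if_index : 6 (en0)
resolver #2
  domain   : foobar.com
  nameserver[0] : 10.1.1.10
  if_index : 12 (utun2)'

# Read scutil-style text on stdin; print "<n> <domain|DEFAULT> <iface> <nameservers>"
# per unscoped resolver, stopping at the "(for scoped queries)" section.
unscoped_resolvers() {
  awk 'function flush() { if (n != "") print n, dom, iface, (ns == "" ? "-" : ns) }
    /^DNS configuration \(for scoped queries\)/ { exit }
    /^resolver #/     { flush(); n = $2; sub(/#/, "", n); dom = "DEFAULT"; iface = "-"; ns = ""; next }
    /^ *domain *:/    { dom = $NF; next }
    /^ *nameserver\[/ { ns = ns (ns == "" ? "" : ",") $NF; next }
    /^ *if_index *:/  { iface = $NF; gsub(/[()]/, "", iface); next }
    END { flush() }'
}

# Exit 0 when the DEFAULT unscoped resolver sits on a tunnel interface (prefix assumed
# to be utun), i.e. every non-matching lookup is sent down the VPN, the macOS symptom here.
default_resolver_is_tunnel() {
  unscoped_resolvers | awk '$2 == "DEFAULT" { print $3; exit }' | grep -q "^${TUN_PREFIX:-utun}"
}

report() {  # resolver table plus a verdict for one configuration read on stdin
  cfg=$(cat)
  printf '%s\n' "$cfg" | unscoped_resolvers
  if printf '%s\n' "$cfg" | default_resolver_is_tunnel; then
    echo "default resolver is on the tunnel: all unscoped lookups go to internal DNS"
  else
    echo "default resolver is local: only listed domains go to the tunnel"
  fi
}
printf '%s\n' "$BROKEN" | report
printf '%s\n' "$SPLIT" | report
```

On a real Mac, feed live output with `scutil --dns | report` while the GlobalProtect tunnel is up.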
