Ubuntu and PA-200 DHCP

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Ubuntu and PA-200 DHCP

L4 Transporter

I'm having a problem with mostly Ubuntu users not being able to resolve DNS. I say mostly because there is at least one Windows user having the same problem. None of the Mac workstations are having the same problem and the majority of the Windows machines work as well.

I have the PA-200 configured with DHCP on the trust interface all users are connecting to. I have DHCP configured with the primary DNS IP, which lives over a VPN tunnel, on our HQ network. The Ubuntu machines look like they are pulling the correct IP addresses but it's not resolving. A ping to the hostname shows an error about being unable to resolve. Pings using the IP address are successful.

Any ideas would be appreciated.

Is there a way to setup DNS on the Palo Alto so the most commonly used hostnames don't need to traverse the VPN tunnel to resolve?

1 accepted solution

Accepted Solutions

It sounds to me like it's NetworkManager being flaky...

Did you know that at least on my distro (OpenSUSE) if you manually edit /etc/resolv.conf it basically causes NetworkManager to "not mess" with /etc/resolv.conf

You have to 'rm /etc/resolv.conf' and then let NetworkManager recreate it on its own before it will manage DNS after that. Have you tried just deleting /etc/resolv.conf and then letting NetworkManager do its thing?

View solution in original post

5 REPLIES 5

L4 Transporter

mario11584 wrote:

Is there a way to setup DNS on the Palo Alto so the most commonly used hostnames don't need to traverse the VPN tunnel to resolve?

I want to say that you could accomplish this part of your question using PA's DNS Proxy feature... PA's DNS proxy will cache requests locally.

Thanks. I was hoping this part of the question would resolve the first part, but it did not. I was wondering if for some reason DNS over the VPN tunnel was causing problems. After setting up DNS proxy static  entries, I set the Ubuntu users DNS to resolve against the firewall. No luck.

It's odd because the Ubuntu machines show the correct DNS IPs but just don't resolve unless we manually configure the resolv.conf file. Super strange.

They did say that they just upgraded to a new release of Ubuntu, I wonder if it's just a bug with Ubuntu and not a problem with the firewall at all.

It sounds to me like it's NetworkManager being flaky...

Did you know that at least on my distro (OpenSUSE) if you manually edit /etc/resolv.conf it basically causes NetworkManager to "not mess" with /etc/resolv.conf

You have to 'rm /etc/resolv.conf' and then let NetworkManager recreate it on its own before it will manage DNS after that. Have you tried just deleting /etc/resolv.conf and then letting NetworkManager do its thing?

The solution was to remove the dnsmasq application from Ubuntu. I'm not sure what it does but it is related to resolv.conf somehow. So, just so others readers know, this was not an issue related to the Palo Alto.

Thanks for the follow-up! It seemed to be something client side to me as well.

And hey, at least now you're caching DNS on your PA

  • 1 accepted solution
  • 3130 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!