05-24-2013 06:08 AM
I'm having a problem with mostly Ubuntu users not being able to resolve DNS. I say mostly because there is at least one Windows user having the same problem. None of the Mac workstations are having the same problem and the majority of the Windows machines work as well.
I have the PA-200 configured with DHCP on the trust interface all users are connecting to. I have DHCP configured with the primary DNS IP, which lives over a VPN tunnel, on our HQ network. The Ubuntu machines look like they are pulling the correct IP addresses but it's not resolving. A ping to the hostname shows an error about being unable to resolve. Pings using the IP address are successful.
Any ideas would be appreciated.
Is there a way to set up DNS on the Palo Alto so the most commonly used hostnames don't need to traverse the VPN tunnel to resolve?
05-24-2013 06:15 AM
mario11584 wrote:
Is there a way to set up DNS on the Palo Alto so the most commonly used hostnames don't need to traverse the VPN tunnel to resolve?
I want to say that you could accomplish this part of your question using PA's DNS Proxy feature... PA's DNS proxy will cache requests locally.
05-24-2013 07:02 AM
Thanks. I was hoping this part of the question would resolve the first part, but it did not. I was wondering if for some reason DNS over the VPN tunnel was causing problems. After setting up DNS proxy static entries, I set the Ubuntu users' DNS to resolve against the firewall. No luck.
It's odd because the Ubuntu machines show the correct DNS IPs but just don't resolve unless we manually configure the resolv.conf file. Super strange.
They did say that they just upgraded to a new release of Ubuntu; I wonder if it's just a bug with Ubuntu and not a problem with the firewall at all.
05-24-2013 07:05 AM
It sounds to me like it's NetworkManager being flaky...
Did you know that, at least on my distro (OpenSUSE), if you manually edit /etc/resolv.conf it basically causes NetworkManager to "not mess" with /etc/resolv.conf?
You have to 'rm /etc/resolv.conf' and then let NetworkManager recreate it on its own before it will manage DNS after that. Have you tried just deleting /etc/resolv.conf and then letting NetworkManager do its thing?
05-24-2013 02:14 PM
The solution was to remove the dnsmasq application from Ubuntu. I'm not sure what it does but it is related to resolv.conf somehow. So, just so other readers know, this was not an issue related to the Palo Alto.
05-26-2013 06:18 AM
Thanks for the follow-up! It seemed to be something client side to me as well.
And hey, at least now you're caching DNS on your PA