- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
- Panorama
- AIOps for NGFW
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- Cloud NGFW for AWS
- CN-Series
- VM-Series:
- Private Cloud
- OCI
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
- Cortex Xpanse
Security Operations
- Resources
- COVID-19 Response Center
DNS lookup takes a long time with GP
- LIVEcommunity
- Collaboration
- Discussions
- GlobalProtect Discussions
- DNS lookup takes a long time with GP
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
04-20-2021 11:39 PM
GlobalProtect Gateway is being used, and all traffic is being routed to the firewall except for some network.
DNS lookup takes a long time when I input the domain (website which not in the PC DNS table) that the browser accesses first while connected to a VPN
- DNS Lookup time takes about 5-10 seconds
The DNS server is using an internal server, and the network is belong to split tunneling exceptions.
I am wondering why DNS lookup processing is delayed.
Or is it correct that DNS lookup takes a long time during VPN connection?
Accepted Solutions
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
06-03-2021 07:20 PM
The issue was resolved as follows.
Cause: Querying queries to all NICs that have DNS Lookup enabled, so lookup time increases while waiting for results from VPN NIC
Resolution: Register in paloalto registry to run batch script after VPN authentication.
The script content deletes the DNS Server settings of the VPN NIC to set DNS queries to use only the primary NIC of the PC.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
04-21-2021 07:41 AM
Do you also have GP app setting to split tunnel DNS and what GP client version are you using?
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
04-21-2021 05:11 PM
GP Client version is 5.2.6-87(latest)
And Split-Tunnel Option is "Both Network Traffic and DNS" from GP-Portal-Agent-Config-App
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
04-21-2021 10:10 PM
Try removing that setting from the agent to see if that is the issue.
are you testing with a dns lookup tool/app or in the browser itself.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
04-21-2021 10:15 PM
That option was initially "Network Traffic Only", but DNS Lookup took a long time, so I switched to "Both Network Traffic and DNS".
The test is being done on my PC, and the DNS cache table is checked with the "ipconfig /displaydns" command.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
04-22-2021 12:00 AM
are you adding the url in nslookup or just adding it in the browser
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
04-22-2021 01:27 AM
I do not add additional URL.
For my case, the DNS server belongs to the split tunneling exception, so the dns server is left blank in the gateway-agent-network service configuration.
So DNS uses PC's default DNS settings.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
04-22-2021 02:14 AM
This does not happen when i do the same.
I have 1 domain in "Domain Split Tunnel" and have left my DNS servers blank in the gateway services and have set both network and DNS in portal app.
as soon as i browse to the website that is in my split tunnel it resolves instantly with my local DNS.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
04-22-2021 02:21 AM
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
04-23-2021 01:12 AM - edited 04-23-2021 01:26 AM
As you said, I call the internal DNS server and get the IP right away.
However, the browser notificate that the host is being searched, and the DNS lookup time is very long.
Looking through wireshark during this time, vpc nic are not communicating with the target website.
The chrome/edge browser issue are the same. It doesn't appear to be a browser issue.
In summary
1. vpn connect
2. connect to website domain from browser, connect to internal DNS server from pc default nic
3. get IP from internal DNS server (There seems to be no problem so far.)
4. (vpn nic) The browser is looking for the host, and this is taking a long time.
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
