04-20-2021 11:39 PM
GlobalProtect Gateway is being used, and all traffic is being routed to the firewall except for some networks.
DNS lookup takes a long time when I enter a domain (a website which is not in the PC's DNS table) that the browser accesses for the first time while connected to the VPN.
- DNS Lookup time takes about 5-10 seconds
The DNS server is an internal server, and its network belongs to the split tunneling exceptions.
I am wondering why DNS lookup processing is delayed.
Or is it correct that DNS lookup takes a long time during VPN connection?
04-23-2021 01:26 AM
If you are using Wireshark, what happens in the packet captures when the DNS replies in summary 3? Does it pause, or do you see connection attempts to the correct address?
04-25-2021 05:44 PM - edited 04-25-2021 06:54 PM
This packet capture shows a DNS query made with the nslookup command on the PC's origin NIC (not the VPN NIC).
The first second query is the result of a query against the DNS suffix, and the last is the correct query result.
Further confirmation
The VPN NIC also sends query packets to the internal DNS.
(Packets come into the Palo Alto firewall. It doesn't seem to apply to the split-tunneling exception.)
Information
1. Not all queries are requested, but only a few packets request duplicate DNS queries using Origin NICs and VPN NICs.
2. Packets requested by the VPN NIC only have a request and no response.
3. If the DNS lookup in the web browser takes a long time and the web page is displayed normally, the query packet is only sent to the PC NIC, and the packet is not generated from the VPN NIC.
It seems to be because the DNS query is being called concurrently with the PC NIC and VPN NIC.
06-03-2021 07:20 PM
The issue was resolved as follows.
Cause: Queries are sent to all NICs that have DNS lookup enabled, so lookup time increases while waiting for results from the VPN NIC.
Resolution: Register in the Palo Alto registry to run a batch script after VPN authentication.
The script content deletes the DNS Server settings of the VPN NIC to set DNS queries to use only the primary NIC of the PC.
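One way to write the post-connect script described in the resolution above, as an added PowerShell example rather than the poster's own batch file. It assumes an elevated session and that `$VpnAdapterPattern` (a hypothetical parameter) is set to match the VPN virtual adapter's description on the machine; the registry location that hooks the script to the GlobalProtect agent is not given in the thread and is not shown.

```powershell
# Added example, not the poster's script. Run elevated, after the tunnel is up.
param(
    # Assumption: wildcard matching the VPN virtual adapter's description.
    # Placeholder default; check Get-NetAdapter output and replace it.
    [string]$VpnAdapterPattern = '*<VPN adapter description>*'
)

$ErrorActionPreference = 'Stop'

# Only touch adapters that are connected and match the VPN pattern.
$vpnAdapters = Get-NetAdapter | Where-Object {
    $_.InterfaceDescription -like $VpnAdapterPattern -and $_.Status -eq 'Up'
}
if (-not $vpnAdapters) {
    Write-Warning "No connected adapter matches '$VpnAdapterPattern'; nothing changed."
    exit 1
}

$failed = $false
foreach ($adapter in $vpnAdapters) {
    $before = (Get-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex).ServerAddresses
    Write-Output "[$($adapter.Name)] DNS servers before: $($before -join ', ')"

    # Reset the interface's DNS server list to its default, which is empty
    # unless DHCP supplies servers on this adapter.
    Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ResetServerAddresses

    # Verify: if servers remain, Windows will keep querying through this NIC.
    $after = (Get-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex).ServerAddresses
    if ($after) {
        Write-Warning "[$($adapter.Name)] still has DNS servers: $($after -join ', ')"
        $failed = $true
    } else {
        Write-Output "[$($adapter.Name)] DNS servers removed."
    }
}

# Drop cached answers and show which interfaces can still resolve names.
Clear-DnsClientCache
Get-DnsClientServerAddress | Where-Object ServerAddresses |
    Format-Table InterfaceAlias, AddressFamily, ServerAddresses

if ($failed) { exit 2 }
```

Once the VPN adapter has no DNS servers, every lookup leaves through the physical NIC, so confirm with a capture that queries still reach the internal DNS server and no longer appear on the VPN NIC.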