DNS suffix not applying

Showing results for 
Show  only  | Search instead for 
Did you mean: 

DNS suffix not applying

L2 Linker



 I have deployed a GlobalProtect gateway in an office that uses a different domain than our own.  To that end, I have added their dns suffix to the gateway but when I connect onto that gateway, the suffix is never appended.  I cannot access their domain resources unless I use FQDN.  In the logs, I see the config being sent and it does include the DNS suffix so I'm not sure why it won't be appended?  




L7 Applicator

are you applying this suffix in the gateway global config or in the client configuration settings.


It only seems to work for us if we add it to the global gateway setting for network services,  we just seperate with a comma.




L7 Applicator



not sure where you are seeing the info sent but the GP logs are showing this...


when i add fred.com to gateway settings..









when i add fred.com to client settings








seems to be not working and dns reverts to local suffix prior to VPN connection.





 I have added the DNS suffix under Gateway-->Agent-->Network Services.  And I see the same thing in the log that you posted, the DNS suffix shows as being processed, but when that DNS suffix does not show up ipconfig or in the adapter settings for GlobalProtect and when I try and contact by hostname only FQDN works.  So it's as though the config for DNS suffix is processed but never actually applied as far as I can see.

I also see no suffix in the ipconfig setting but wireshark port 53 showed that the suffix was added for DNS,

When I do a ping hostname and look in wireshark, I see the DNS request to the proper DNS server but it uses the DNS suffix from the local machine (there are actually two and it tries both), not the DNS that should be applied via GlobalProtect.  

Hmmm...    yes thats correct...  but would that matter.... i suppose the only issue would be if you had servers with the same name on different domains...    apart from that, as long as it resolves would it really matter?  works ok for me....  perhaps you are having other issues with this.

this id comment from PAN.


"This is expected behavior as the DNS suffix is just a linear list of suffixes to search, and is not adapter dependent."


so it's not supposed to reconfigure the adapter, just add a search suffix. 

I had read that as well... but unfortunately, it doesn't seem to be adding the suffix.  


It's not resolving properly.  So, my laptop is in domain A and receives DNS suffix for domain A and domain B.  GlobalProtect has a DNS suffix for domain C.  So when I connect to the GP gateway, I want to be able to resolve hostnames for domain C without FQDN but when I ping hostname, Wireshark shows DNS is trying hostname.domain A and hostname.domain B (which fails because the hostname is only in domain C) and then returns that the host can't be found.   

Oh i see....     so where exactly are you getting domain B suffix from, is that set on the adapter...

DomainA and DomainB DNS suffix are received via GPO.

I have a few local domains on my NIC and have added these additional ones to GP Gateway...




on GP connection my ipconfig /all  shows  




and when i ping elzzzbelzzzz i see this in wireshark




so it does work and i have no idea why it wouldn't work for you....


I am using PAN 9.1.6 and GP 5.2


perhaps GPO takes precedence here..... our suffix is part of the image...

you could try this...


> Run gpedit.msc
> Browse Local Computer Policy
> Computer Configuration
> Administrative Templates -> Network -> DNS Client

Enable "Allow DNS Suffix Appending to Unqualified Multi-Label Name Queries"

Based on what you're showing, it would seem that GPO would indeed take a precedence; which makes the DNS suffix option not useful.  Although, I'm unable to find it anywhere in their documentation that confirms or denies that. 

  • 15 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!