DNS suffix not applying

L2 Linker


Hello,

  

I have deployed a GlobalProtect gateway in an office that uses a different domain than our own. To that end, I have added their DNS suffix to the gateway, but when I connect to that gateway, the suffix is never appended. I cannot access their domain resources unless I use the FQDN. In the logs, I see the config being sent and it does include the DNS suffix, so I'm not sure why it won't be appended?

 

Thanks. 

L7 Applicator

Are you applying this suffix in the gateway global config or in the client configuration settings?

It only seems to work for us if we add it to the global gateway setting for network services; we just separate with a comma.

 

 

 

L7 Applicator

Also,

Not sure where you are seeing the info sent, but the GP logs are showing this...

When I add fred.com to gateway settings:

</dns>
<wins>
</wins>
<dns-suffix>
<member>fred.com</member>
</dns-suffix>

When I add fred.com to client settings:

</dns>
<wins>
</wins>
<dns-suffix>
</dns-suffix>

Seems to be not working, and DNS reverts to the local suffix prior to VPN connection.

 

 

L2 Linker

Hi,

 

I have added the DNS suffix under Gateway-->Agent-->Network Services. And I see the same thing in the log that you posted: the DNS suffix shows as being processed, but that DNS suffix does not show up in ipconfig or in the adapter settings for GlobalProtect, and when I try to contact by hostname, only the FQDN works. So it's as though the config for the DNS suffix is processed but never actually applied, as far as I can see.

L7 Applicator

I also see no suffix in the ipconfig setting, but Wireshark port 53 showed that the suffix was added for DNS.

L2 Linker

When I do a ping hostname and look in wireshark, I see the DNS request to the proper DNS server but it uses the DNS suffix from the local machine (there are actually two and it tries both), not the DNS that should be applied via GlobalProtect.  

L7 Applicator

Hmmm... yes, that's correct... but would that matter? I suppose the only issue would be if you had servers with the same name on different domains... apart from that, as long as it resolves, would it really matter? Works OK for me... perhaps you are having other issues with this.

L7 Applicator

This is a comment from PAN.

"This is expected behavior as the DNS suffix is just a linear list of suffixes to search, and is not adapter dependent."

So it's not supposed to reconfigure the adapter, just add a search suffix.

L2 Linker

I had read that as well... but unfortunately, it doesn't seem to be adding the suffix.  

 

It's not resolving properly.  So, my laptop is in domain A and receives DNS suffix for domain A and domain B.  GlobalProtect has a DNS suffix for domain C.  So when I connect to the GP gateway, I want to be able to resolve hostnames for domain C without FQDN but when I ping hostname, Wireshark shows DNS is trying hostname.domain A and hostname.domain B (which fails because the hostname is only in domain C) and then returns that the host can't be found.   

L7 Applicator

Oh, I see... so where exactly are you getting the domain B suffix from, is that set on the adapter...
