split DNS

L4 Transporter

Hello

 

We need to test MS Teams; hence I did a few tests with split DNS. The published manuals (e.g. https://live.paloaltonetworks.com/t5/general-articles/globalprotect-optimizing-office-365-traffic/ta...) are fine, as long as the VPN gateway is "near". In our case the user is located in South Africa, and the VPN gateway is in northern Europe. The DNS requests are sent to the DNS server in northern Europe, and the reply does not provide the nearest entry point into the Microsoft backbone.
To fix that issue, I want to send some DNS requests to the user's DNS server in his/her home network. Adding "*.skype.com" to Split Tunnel -> Domain and Application -> Exclude Domain and setting App -> Split-Tunnel Option to "Both Network Traffic and DNS" enabled the function. Unfortunately, the experienced time for the DNS resolution becomes much higher.


"ping www.paloaltonetworks.com" starts immediately
"ping www.skype.com" takes ~12 seconds to start

 

I guess that GP simply blocks the DNS requests for www.skype.com (wireshark didn't show these DNS requests via the GP tunnel), so the client has to wait for the DNS timeout until it asks the local DNS server.
Is this the expected behavior?

 

PAN-OS 9.1.7
GP 5.2.4
Windows 10

5 REPLIES

L7 Applicator

I'm not experiencing this on our VPN.

I don't use split DNS, but I just thought I would take a look, as I was not aware of this setting before reading your post.

Perhaps flushdns may show different results, as it could be cached... hence Wireshark not seeing much...

All seems a bit odd though, as when split DNS is disabled and access to the local net denied, I still get the odd local DNS request when browsing... strange...

I did a few more tests.

- add a bogus DNS entry (bogus-host.skype.com) to my DNS server (pi-hole)

- verify DNS resolution on the DNS server itself (outside of my GP-controlled notebook)

- apply "ipconfig /flushdns" before every ping request

  ipconfig /flushdns & ping www.skype.com & ipconfig /flushdns & ping bogus-host.skype.com & ipconfig /flushdns & ping www.skype.com

- ping www.skype.com --> delay of ~12 seconds until ping starts

- ping bogus-host.skype.com --> ping starts without delay

 

The same happens with another domain. Pinging www.something starts after ~12 seconds; other hosts start without any delay.

The issue is gone once I disable GlobalProtect.

 

I'll raise a ticket w/ Palo Alto and see if there is an explanation for this.
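The comparison in the test steps above, written as a small script; this is an added example and not code from the original thread. It flushes the Windows resolver cache before each lookup (a no-op on other platforms), times the lookup, and flags anything slower than a threshold; the hostnames and the 5-second threshold are assumptions, and the resolver and flush step can be injected so the logic can be exercised without a network.

```python
import socket
import subprocess
import sys
import time

# Hostnames assumed for the comparison (constructed for this example):
#   a domain that is NOT in the split-tunnel exclude list (control),
#   a domain that IS excluded (resolved via the local DNS server),
#   and a bogus host under the excluded domain, as in the tests above.
HOSTS = ["www.paloaltonetworks.com", "www.skype.com", "bogus-host.skype.com"]

# Anything slower than this is treated as "timed out and retried", not a normal lookup.
SLOW_THRESHOLD_S = 5.0


def flush_dns_cache() -> None:
    """Flush the OS resolver cache so every lookup actually leaves the host (Windows only)."""
    if sys.platform.startswith("win"):
        subprocess.run(["ipconfig", "/flushdns"], check=False, capture_output=True)


def resolve_once(host: str) -> float:
    """Time one forward lookup in seconds; a failed lookup (NXDOMAIN) still returns its elapsed time."""
    start = time.perf_counter()
    try:
        socket.getaddrinfo(host, None)
    except socket.gaierror:
        pass
    return time.perf_counter() - start


def measure_lookups(hosts, resolver=resolve_once, flush=flush_dns_cache, threshold=SLOW_THRESHOLD_S):
    """Flush the cache before each lookup; map host -> (seconds, flagged_slow)."""
    results = {}
    for host in hosts:
        flush()
        elapsed = resolver(host)
        results[host] = (round(elapsed, 3), elapsed >= threshold)
    return results


def slow_hosts(results):
    """Sorted list of the hosts that exceeded the threshold, for a one-line summary."""
    return sorted(h for h, (_, slow) in results.items() if slow)


if __name__ == "__main__":
    res = measure_lookups(HOSTS)
    for host, (secs, slow) in res.items():
        print(f"{host:30s} {secs:7.3f}s {'SLOW' if slow else 'ok'}")
    print("slow:", slow_hosts(res))
```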

Taken a look at this and am getting the same results for skype.com...

I have noticed though that as soon as I ping www.skype.com a DNS request and response is seen immediately in Wireshark from my local (WiFi) DNS, as expected, because *.skype.com is in domain exclude and app is set to traffic and DNS.

 

However....  I have found a few sites that work OK with this setting....  perhaps it may also work for you.

 

As a test I added *.co.uk  to the "split tunnel domain exclude" and then tried both ping and http to surecaresupplies.co.uk and both worked as expected.

It may be caused by the different DNS responses.

 

skype returns... (screenshot of the DNS response)

but surecaresupplies returns... (screenshot of the DNS response)

So...   the return content of the DNS response may be causing GlobalProtect some issues...

After upgrading to GP 5.2.5 (guess it's related to GPC-12066) the issue is no longer happening; waiting for confirmation from PA (case is open).

Bingo...

 

GPC-12066 Fixed an issue where, when split tunnel was configured based on the destination domain and Both Network Traffic and DNS was selected, users experienced a delay when accessing the exclusions applied to the DNS traffic and the associated network application traffic for that domain.
