We need to test MS-Teams. hence I did a few tests with split DNS. The published manuals (e.g. https://live.paloaltonetworks.com/t5/general-articles/globalprotect-optimizing-office-365-traffic/ta...) are fine, as long as the VPN gateway is "near". In our case the user is located in South Africa, and the VPN gateway is in northern Europe. The DNS requests are sent to the DNS server in northern Europe, and the reply does not provide the nearest entry-point into the Microsoft backbone.
To fix that issue, I want to send some DNS requests to the users DNS server in his/her home network. Adding "*.skype.com" to Split Tunnel -> Domain and Application -> Exclude Domain and setting App -> Split-Tunnel Option to "Both Network Traffic and DNS" enabled the function. Unfortunately the experienced time for the DNS resolution will become much higher.
I guess that GP simply blocks the DNS requests for www.skype.com (wireshark didn't show these DNS requests via the GP tunnel), so the client has to wait for the DNS timeout until it asks the local DNS server.
Is this the expected behavior?
I’m not experiencing this on our vpn.
i dont use split dns but just thought i would take a look as was not aware of this setting before reading your post.
perhaps flushdns may show different results as it could be cached... hence wireshark not seeing much...
all seems a bit odd though as when split dns is disabled and access to local net denied i still get the odd local dns request when browsing... strange...
I did a few more tests.
- add a bogus DNS entry (bogus-host.skype.com) to my DNS server (pi-hole)
- verify DNS resolution on the DNS server itself (outside of my GP-controlled notebook)
- apply "ipconfig /flushdns" before every ping request
- ping www.skype.com --> delay of ~12 seconds until ping starts
- ping bogus-host.skype.com --> ping starts without delay
The same happens with another domain. pinging www.something starts after ~12 seconds, other hosts start without any delay.
The issue is gone once I disable GlobalProtect.
I'll raise a ticket w/ Palo Alto and see if there is an explanation for this.
taken a look at this and am getting same results for skype.com....
I have noticed though that as soon as i ping www.skype.com a DNS request and response is seen immediately in wireshark from my local (WiFi) DNS as expected because *.skype.com is in domain exclude and app is set to traffic and DNS.
However.... I have found a few sites that work OK with this setting.... perhaps it may also work for you.
As a test I added *.co.uk to the "split tunnel domain exclude" and then tried both ping and http to surecaresupplies.co.uk and both worked as expected.
It may be caused by the different DNS responses.
but surcaresupplies returns...
So... the return content of the DNS response may be causing GlobalProtect some issues...
GPC-12066 Fixed an issue where, when split tunnel was configured based on the destination domain and Both Network Traffic and DNS was selected, users experienced a delay when accessing the exclusions applied to the DNS traffic and the associated network application traffic for that domain.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!