1. Home
    2. PAN-OS
    3. PAN-OS® New Features Guide
    4. GlobalProtect Features
    5. DNS Query Enhancement

    DNS Query Enhancement

    Software support: GlobalProtect agent 4.0.3 and later releases and PAN-OS with content release 731 or a later release
    OS support: Windows only
    The DNS resolution logic is now enhanced on Windows endpoints to provide better DNS performance. When the GlobalProtect VPN is connected, Windows endpoints send DNS queries to the DNS servers configured on the GlobalProtect gateway. In some cases where the DNS servers configured on the GlobalProtect gateway cannot resolve the DNS query, Windows sends the query to the DNS servers set on the physical adapter. This can result in long wait times to resolve DNS queries. This feature addresses this behavior by preventing Windows from sending DNS queries to the physical adapter when the tunnel is connected thus yielding better DNS performance.
    With this feature, you can now configure the new Resolve All FQDN Using DNS Servers Assigned by Tunnel option in your GlobalProtect portal agent configuration. This option is enabled by default and specifies how the Windows endpoint will resolve DNS queries when the tunnel is connected:
    • When this feature is enabled (set to Yes) and the tunnel is connected, GlobalProtect allows Windows endpoints to send all DNS queries through the tunnel to the DNS servers you configure on the gateway.
    • When this option is disabled (set to No) and the tunnel is connected, GlobalProtect allows Windows endpoints to send DNS queries to the DNS servers on the physical adapter if the gateway-provided DNS server cannot resolve a DNS query or cannot be reached. Note that disabling this option can result in long wait times to resolve some DNS queries.
    This feature does not support DNS over TCP.
    To configure DNS resolution settings:
    1. Configure the GlobalProtect portal.
      Select NetworkGlobalProtectPortals and select the portal configuration for which you want to add a client configuration or Add a new one.
    2. Add or modify an agent configuration.
      1. From the Agent tab, select the agent configuration you want to modify or Add a new one.
      2. Select the App tab.
        dns-resolution-settings.png
    3. Define the DNS resolution preferences when the VPN tunnel is connected on Windows endpoints with GlobalProtect agents 4.0.3 and later.
      Set Resolve All FQDNs Using DNS Servers Assigned by the Tunnel to Yes (default) to enable the GlobalProtect agent to allow the Windows endpoint to resolve all DNS queries with the DNS servers you configure on the gateway instead of allowing Windows to send some DNS queries to the DNS servers set for the physical adapter on the endpoint.
      To retain the native Windows behavior to send DNS queries to the DNS server on the physical adapter if the initial query to the DNS server configured on the gateway is not resolved, set this option to No.
    4. Save your configuration changes.
      1. Click OK twice.
      2. Commit your changes.

    Related Documentation

    Customize the GlobalProtect Agent

    Customize the GlobalProtect Agent The portal agent configuration allows you to customize how your end users interact with the GlobalProtect agents installed on their systems ...

    GlobalProtect Portals Agent App Tab

    GlobalProtect Portals Agent App Tab Select Network GlobalProtect Portals Agent App to specify how end users interact with the GlobalProtect agents installed on their systems. ...

    DNS Overview

    DNS Overview DNS performs a crucial role in enabling user access to network resources so that users need not remember IP addresses and individual computers ...

    DNS Proxy Overview

    DNS Proxy Overview You can configure the firewall to act as a DNS server. First, create a DNS proxy and select the interfaces to which ...

    Multi-Tenant DNS Deployments

    Multi-Tenant DNS Deployments The firewall determines how to handle DNS requests based on where the request originated. An environment where an ISP has multiple tenants ...

    Configure a DNS Proxy Object

    Configure a DNS Proxy Object If your firewall is to act as a DNS proxy, perform this task to configure a DNS Proxy Object . ...

    Network Services Tab

    Network Services Tab Select Network GlobalProtect Gateways Agent Network Services to configure DNS settings that will are assigned to the virtual network adapter on the ...

    IPv6 Router Advertisements for DNS Configuration

    IPv6 Router Advertisements for DNS Configuration The firewall implementation of Neighbor Discovery (ND) is enhanced so that you can provision IPv6 hosts with the Recursive ...

    Network > DNS Proxy

    Network > DNS Proxy DNS servers perform the service of resolving a domain name with an IP address and vice versa. When you configure the ...

    IPv6 Router Advertisement for DNS Configuration

    IPv6 Router Advertisement for DNS Configuration Neighbor Discovery Protocol (NDP) functions for IPv6 in a capacity similar to ARP for IPv4. The firewall implementation of ...

    © 2019 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo