1. Home
    2. PAN-OS
    3. PAN-OS® New Features Guide
    4. GlobalProtect Features
    5. DNS Query Enhancement
    End-of-Life (EoL)

    DNS Query Enhancement

    Software support
    : GlobalProtect agent 4.0.3 and later releases and PAN-OS with content release 731 or a later release
    OS support
    : Windows only
    The DNS resolution logic is now enhanced on Windows endpoints to provide better DNS performance. When the GlobalProtect VPN is connected, Windows endpoints send DNS queries to the DNS servers configured on the GlobalProtect gateway. In some cases where the DNS servers configured on the GlobalProtect gateway cannot resolve the DNS query, Windows sends the query to the DNS servers set on the physical adapter. This can result in long wait times to resolve DNS queries. This feature addresses this behavior by preventing Windows from sending DNS queries to the physical adapter when the tunnel is connected thus yielding better DNS performance.
    With this feature, you can now configure the new Resolve All FQDN Using DNS Servers Assigned by Tunnel option in your GlobalProtect portal agent configuration. This option is enabled by default and specifies how the Windows endpoint will resolve DNS queries when the tunnel is connected:
    • When this feature is enabled (set to Yes) and the tunnel is connected, GlobalProtect allows Windows endpoints to send all DNS queries through the tunnel to the DNS servers you configure on the gateway.
    • When this option is disabled (set to No) and the tunnel is connected, GlobalProtect allows Windows endpoints to send DNS queries to the DNS servers on the physical adapter if the gateway-provided DNS server cannot resolve a DNS query or cannot be reached. Note that disabling this option can result in long wait times to resolve some DNS queries.
    This feature does not support DNS over TCP.
    To configure DNS resolution settings:
    1. Select
      Network
      GlobalProtect
      Portals
       and select the portal configuration for which you want to add a client configuration or
      Add
       a new one.
    2. Add or modify an agent configuration.
      1. From the
        Agent
         tab, select the agent configuration you want to modify or
        Add
         a new one.
      2. Select the
        App
         tab.
    3. Define the DNS resolution preferences when the VPN tunnel is connected on Windows endpoints with GlobalProtect agents 4.0.3 and later.
      Set
      Resolve All FQDNs Using DNS Servers Assigned by the Tunnel
       to
      Yes
       (default) to enable the GlobalProtect agent to allow the Windows endpoint to resolve all DNS queries with the DNS servers you configure on the gateway instead of allowing Windows to send some DNS queries to the DNS servers set for the physical adapter on the endpoint.
      To retain the native Windows behavior to send DNS queries to the DNS server on the physical adapter if the initial query to the DNS server configured on the gateway is not resolved, set this option to
      No
      .
    4. Save your configuration changes.
      1. Click
        OK
         twice.
      2. Commit your changes.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo