DNS Query Enhancement
Software support: GlobalProtect agent 4.0.3 and later releases and PAN-OS with content release 731 or a later release
OS support: Windows only
The DNS resolution logic is now enhanced on Windows endpoints to provide better DNS performance. When the GlobalProtect VPN is connected, Windows endpoints send DNS queries to the DNS servers configured on the GlobalProtect gateway. In some cases where the DNS servers configured on the GlobalProtect gateway cannot resolve the DNS query, Windows sends the query to the DNS servers set on the physical adapter. This can result in long wait times to resolve DNS queries. This feature addresses this behavior by preventing Windows from sending DNS queries to the physical adapter when the tunnel is connected thus yielding better DNS performance.
With this feature, you can now configure the new Resolve All FQDN Using DNS Servers Assigned by Tunnel option in your GlobalProtect portal agent configuration. This option is enabled by default and specifies how the Windows endpoint will resolve DNS queries when the tunnel is connected:
- When this feature is enabled (set to Yes) and the tunnel is connected, GlobalProtect allows Windows endpoints to send all DNS queries through the tunnel to the DNS servers you configure on the gateway.
- When this option is disabled (set to No) and the tunnel is connected, GlobalProtect allows Windows endpoints to send DNS queries to the DNS servers on the physical adapter if the gateway-provided DNS server cannot resolve a DNS query or cannot be reached. Note that disabling this option can result in long wait times to resolve some DNS queries.
This feature does not support DNS over TCP.
To configure DNS resolution settings:
- Selectand select the portal configuration for which you want to add a client configuration orNetworkGlobalProtectPortalsAdda new one.
- Add or modify an agent configuration.
- From theAgenttab, select the agent configuration you want to modify orAdda new one.
- Select theApptab.
- Define the DNS resolution preferences when the VPN tunnel is connected on Windows endpoints with GlobalProtect agents 4.0.3 and later.SetResolve All FQDNs Using DNS Servers Assigned by the TunneltoYes(default) to enable the GlobalProtect agent to allow the Windows endpoint to resolve all DNS queries with the DNS servers you configure on the gateway instead of allowing Windows to send some DNS queries to the DNS servers set for the physical adapter on the endpoint.To retain the native Windows behavior to send DNS queries to the DNS server on the physical adapter if the initial query to the DNS server configured on the gateway is not resolved, set this option toNo.
- Save your configuration changes.
- Commit your changes.