KB16327 - Domain Name Resolution (DNS) lookup fails for Mac OS X when Network Connect or Pulse Secure Desktop client is used and split tunneling is enabled

This article describes an issue where hostname lookup failure on Mac OS X when split tunneling is enabled for Network Connect or Pulse Secure Desktop client.

When Network Connect or Pulse Secure Desktop client is configured in split tunnel mode, there are two DNS search order options.  These options are found under Users > Resource Policies > Network Connect (Pre 7.2)/ VPN Tunneling (7.2 and above) > Connection Profiles > [Profile_name].

• Search client DNS first, then the device
• ​Search the device's DNS servers first, then client

In Windows Operating Systems, DNS resolution is sent using both the client DNS and PCS DNS servers, but the above setting will determine which DNS server (PCS device or client) is sent first.

This issue occurs due to a limitation in Mac OS X.  Mac OS X does not allow DNS requests to be sent both using client and the PCS DNS servers.

This is a limitation of Mac OS X.

 

Due to the limitation from Apple, Pulse Secure recommends the following options:

1. If search client DNS is configured first, all DNS requests will be sent to the client DNS servers; except for DNS requests made to the domains, which are configured on the PCS device. DNS request for domain names configured on the PCS device requests are sent to the PCS device DNS servers.
2. If search Device DNS is configured first, all DNS requests will be sent to the device DNS servers; except for DNS requests made to the domains specified on the client device (if any).

For example,

If the PCS DNS servers are not able to resolve public domains, the recommendation would be to configure Search client DNS first, then device, then specify the DNS Domains on the PCS DNS servers should resolve on the connection profile. This will ensure that the public domains are resolvable by the client DNS servers and the corporate DNS Domains (which are configured on the PCS device DNS service) can be resolved by the PCS device DNS servers.