KB40923 - DNS fails with split tunnel configuration for external sites but works for internal



Last Modified Date: 11/15/2017 8:28 PM

This article describes the expected behavior when using split tunneling with primary and secondary DNS servers when the internal servers do not resolve external names.
Problem or Goal
When the configured internal DNS server does not resolve external hostnames, and the DNS search order is set to "use device DNS first - then client", users who need to reach external resources may be unable to do so because the hostname of the external resource cannot be resolved.
The behavior of DNS search order differs by client OS, as noted in the Admin GUI under Users > Resource Policies > VPN Tunneling > Connection Profiles > (name of the connection profile). The caveats to the configurable options are presented in the GUI as follows:
  • These settings apply only to systems with split tunneling enabled and do not apply to third-party clients.
  • For Windows 8 clients, selecting either the first or second radio button sends DNS requests to both the server and client's DNS at the same time.
  • Windows 10 will always send the DNS request to the server's DNS first then the client's DNS, so selecting either the first or second radio button always sends the DNS requests to the server's DNS first.
  • OSX does not support sending DNS requests to only the Pulse Secure gateway's DNS. So, for OSX clients, clicking the third radio button will have the same effect as the second button.
  • For Windows Phone and Windows machines running the In-Box VPN client, checking the third radio button sends all DNS requests to only the Pulse Secure gateway's DNS. Having either other button checked causes only DNS requests matching the DNS domains (listed above) to go to the gateway's DNS, and all other requests go to the client's DNS.

In addition to these caveats, for Android Pulse clients, if the DNS server queried first returns NXDOMAIN (which it will do if it is an internal-only DNS server that does not resolve any external names), DNS resolution stops at that point rather than going on to query the client-side DNS server. This is correct behavior per RFC 1536.

How the client handles the NXDOMAIN response is determined by the client OS, not by the Pulse client. Hence the behavior on Android differs from Pulse Desktop on Windows 8, for example, and other client platforms may behave differently again; even different Linux distributions can differ from one another.
If this issue is encountered, where the internal DNS server is required to resolve internal resources but users still need to reach external resources while connected to the VPN, the internal DNS server must be enabled to resolve external names as well.
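The following is an added example, not Pulse Secure code, that models the search-order policies listed above together with the Android NXDOMAIN behavior, so the failure mode and the recommended fix (letting the internal server resolve external names) can be reasoned about offline. The server names, zones and addresses are constructed (RFC 5737 and private ranges), and the policy names ("server_then_client", "simultaneous", "server_only", "by_domain") are this example's own labels for the GUI options, not product identifiers.

```python
"""Model of split-tunnel DNS search order and the NXDOMAIN fall-through problem.

Added example; not Pulse Secure code. Server names, zones and addresses are
constructed, and the policy names are this example's own.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional

NXDOMAIN = "NXDOMAIN"


@dataclass
class DnsServer:
    """A DNS server that answers from its own zones and optionally forwards."""
    name: str
    zones: Dict[str, str] = field(default_factory=dict)  # host -> address
    forwards_external: bool = False   # resolve names outside its zones via upstream
    upstream: Optional["DnsServer"] = None

    def query(self, host: str) -> str:
        if host in self.zones:
            return self.zones[host]
        if self.forwards_external and self.upstream is not None:
            return self.upstream.query(host)
        return NXDOMAIN  # internal-only server: no forwarder, so external names fail


def resolve(host: str, gateway_dns: DnsServer, client_dns: DnsServer,
            order: str, search_domains: Iterable[str] = (),
            stop_on_nxdomain: bool = False) -> str:
    """Return the address for `host` under a given search-order policy.

    order:
      "server_then_client" - device (gateway) DNS first, then client DNS
      "simultaneous"       - both queried at once, first positive answer wins
      "server_only"        - gateway DNS only
      "by_domain"          - gateway DNS only for names under search_domains
    stop_on_nxdomain: treat NXDOMAIN from the first server as final (the
      Android behavior the article describes) instead of trying the next one.
    """
    if order == "server_only":
        return gateway_dns.query(host)
    if order == "by_domain":
        if any(host == d or host.endswith("." + d) for d in search_domains):
            return gateway_dns.query(host)
        return client_dns.query(host)
    if order == "simultaneous":
        for answer in (gateway_dns.query(host), client_dns.query(host)):
            if answer != NXDOMAIN:
                return answer
        return NXDOMAIN
    if order == "server_then_client":
        answer = gateway_dns.query(host)
        if answer != NXDOMAIN or stop_on_nxdomain:
            return answer
        return client_dns.query(host)
    raise ValueError(f"unknown order {order!r}")


def scenario() -> Dict[str, str]:
    """Constructed deployment: an internal-only resolver behind the VPN and a
    public resolver on the client side. Returns the outcomes the KB describes."""
    public = DnsServer("client-public", {"www.example.com": "203.0.113.10"})
    internal_only = DnsServer("gateway-internal", {"intranet.corp.example": "10.0.0.5"})
    # The fix the article recommends: let the internal server resolve external names.
    internal_forwarding = DnsServer("gateway-internal", dict(internal_only.zones),
                                    forwards_external=True, upstream=public)
    ext, intra = "www.example.com", "intranet.corp.example"
    return {
        # Windows 10 style: gateway first, client DNS as fallback -> works
        "win10_external": resolve(ext, internal_only, public, "server_then_client"),
        # Android style: NXDOMAIN from the internal server ends resolution -> fails
        "android_external": resolve(ext, internal_only, public, "server_then_client",
                                    stop_on_nxdomain=True),
        # Same Android client once the internal server forwards external names
        "android_external_fixed": resolve(ext, internal_forwarding, public,
                                          "server_then_client", stop_on_nxdomain=True),
        # Internal names resolve regardless of the NXDOMAIN handling
        "android_internal": resolve(intra, internal_only, public, "server_then_client",
                                    stop_on_nxdomain=True),
        # Third radio button: only the gateway DNS is consulted, so external names fail
        "server_only_external": resolve(ext, internal_only, public, "server_only"),
        # In-box Windows client: names outside the listed DNS domains go to client DNS
        "by_domain_external": resolve(ext, internal_only, public, "by_domain",
                                      search_domains=["corp.example"]),
    }


if __name__ == "__main__":
    for case, result in scenario().items():
        print(f"{case:24s} -> {result}")
```

Running the script prints one line per case; the "android_external" case is the NXDOMAIN failure the article describes, and "android_external_fixed" shows the same client succeeding once the internal server forwards external queries.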
Created By: Nick Christen