DNS search order behavior differs by client OS. The options are configured in the Admin GUI under Users > Resource Policies > VPN Tunneling > Connection Profiles > (name of the connection profile). The GUI presents the following caveats to the configurable options:
- These settings apply only to systems with split tunneling enabled and do not apply to third-party clients.
- For Windows 8 clients, selecting either the first or second radio button sends DNS requests to both the server and client's DNS at the same time.
- Windows 10 will always send the DNS request to the server's DNS first, then the client's DNS, so selecting either the first or second radio button always sends the DNS requests to the server's DNS first.
- OSX does not support sending DNS requests to only the Pulse Secure gateway's DNS. So, for OSX clients, clicking the third radio button will have the same effect as the second button.
- For Windows Phone and Windows machines running the In-Box VPN client, checking the third radio button sends all DNS requests to only the Pulse Secure gateway's DNS. Having either of the other buttons checked causes only DNS requests matching the DNS domains (listed above) to go to the gateway's DNS, and all other requests go to the client's DNS.
In addition to these caveats, for Android Pulse clients, if the first DNS server queried returns NXDOMAIN (which it will do if it is an internal-only DNS server that does not resolve anything external), DNS resolution stops at that point rather than going on to query the client-side DNS server. This is correct behavior as per RFC 1536.
How the client handles the NXDOMAIN response is determined by the client OS, not the Pulse client. Hence the behavior on Android platforms differs from that of Pulse Desktop on Windows 8, for example. Behavior may differ between client platforms, and even between different Linux distributions.
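
The NXDOMAIN handling described above, as an added example (not Pulse Secure code): a small offline model that parses the response code from a DNS header and shows how an ordered lookup ends at the gateway's DNS when NXDOMAIN is treated as final. The server labels, zone contents, function names and the `stop_on_nxdomain` switch are hypothetical and constructed for illustration; the fall-through mode only models a client OS that continues to the next server.

```python
import struct

RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
GATEWAY_DNS, CLIENT_DNS = "gateway-dns", "client-dns"  # hypothetical labels

# Constructed data: the gateway DNS is internal-only, the client DNS is public.
ZONES = {GATEWAY_DNS: {"intranet.corp.example"}, CLIENT_DNS: {"www.example.com"}}

def build_response(txid, rcode, answers=0):
    """Constructed 12-byte DNS response header (QR=1, RD=1, RA=1)."""
    return struct.pack("!HHHHHH", txid, 0x8180 | (rcode & 0x0F), 0, answers, 0, 0)

def parse_rcode(packet):
    """Return (rcode, answer_count) from a raw DNS response header."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    return flags & 0x000F, ancount

def fake_transport(server, name):
    """Offline stand-in for a UDP query; returns None to model a timeout."""
    if server not in ZONES:
        return None
    known = name in ZONES[server]
    return build_response(0x1234, RCODE_NOERROR if known else RCODE_NXDOMAIN, int(known))

def resolve_in_order(name, servers, transport=fake_transport, stop_on_nxdomain=True):
    """Walk servers in order; return (outcome, servers actually queried)."""
    queried = []
    for server in servers:
        queried.append(server)
        packet = transport(server, name)
        if packet is None:
            continue  # no response at all: trying the next server is expected
        rcode, _ancount = parse_rcode(packet)
        if rcode == RCODE_NOERROR:
            return "answer from " + server, queried
        if rcode == RCODE_NXDOMAIN and stop_on_nxdomain:
            return "NXDOMAIN from " + server, queried  # definitive: stop here
        # other rcodes (or a client that falls through on NXDOMAIN): next server
    return "no answer", queried

if __name__ == "__main__":
    order = [GATEWAY_DNS, CLIENT_DNS]  # server's DNS first, then client's DNS
    for name in ("intranet.corp.example", "www.example.com"):
        print(name, resolve_in_order(name, order))
        print(name, resolve_in_order(name, order, stop_on_nxdomain=False))
```

When troubleshooting a real client, the list of servers actually queried is the useful output: it shows whether an external name ever reached the client-side DNS or whether resolution ended at the gateway's NXDOMAIN.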