This issue occurs when PCS does an IPv6 query for the resource host name and an incorrect response is received from the DNS server for IPv6 record query.
Post 8.3, a design change was implemented to support IPv6 via Core access. As per the IPv6 design standards, the client will do an AAAA Resource Record (RR) query ( for IPv6 address) along with an A RR ( for IPv4) to an authoritative DNS server. If the DNS server does not have an AAAA RR for a host name, it is expected to return a response code of 0 ( indicating no error ) and with an empty answer section. Such a response indicates that there is at least one RR of a different type than AAAA for the queried name, and the PCS can then look for A RRs, in other words to fallback to IPv4 response. In the event of any other response, PCS will retry the query multiple times until a failure is determined and resource access fails.
7551 21.635956 x.x.x.x y.y.y.y DNS 74 Standard query 0x5e60 A test.pulsesecurelab.com
7552 21.638325 y.y.y.y x.x.x.x DNS 90 Standard query response 0x5e60 A test.pulsesecurelab.com A z.z.z.z
7553 21.638381 x.x.x.x y.y.y.y DNS 74 Standard query 0xf558 AAAA test.pulsesecurelab.com
7554 21.640771 y.y.y.y x.x.x.x DNS 74 Standard query response 0xf558 Server failure AAAA test.pulsesecurelab.com
We will see an error message in user access or event logs as below :
Reason Cannot resolve DNS
Unable to resolve hostname
For active sync access :
WebRequest Failed : Host: mail.pulsesecurelab.com, Request: /Microsoft-Server-ActiveSync?User=&DeviceId=&DeviceType=iPhone&Cmd=Sync Reason Cannot resolve DNS