
KB44472 - FQDN split tunneling does not properly honor the configured Allow or Deny policies with Pulse Desktop Client

Information

 
Last Modified Date: 5/16/2020 4:19 PM
Synopsis
This article describes an issue where FQDN split tunneling does not properly honor the configured allow or deny policies with Pulse Desktop Client.
Problem or Goal
When FQDN split tunneling is configured, the Pulse Desktop Client intercepts the DNS response and evaluates the A records in it to determine whether a policy is configured for the name.  In some scenarios the DNS response is evaluated but not correctly understood.  This leads to unexpected behavior, where the wrong action is applied to certain DNS responses.

For example, if an allow policy is configured for a specific FQDN, the DNS response is not properly evaluated and the traffic is sent outside the tunnel.  If a deny policy is configured for a specific FQDN, the DNS response is not properly evaluated and the traffic is sent through the tunnel.
Cause
This issue occurs because the Pulse Desktop Client does not correctly evaluate non-compressed DNS responses.  Whether it is triggered depends on how the DNS server used for the VPN tunnel is configured, but these are the common scenarios:
  1. The DNS server responds to a DNS request with multiple A records.  This issue does not occur when only one (1) A record is included in the response.
  2. The DNS server is configured not to compress DNS responses.
Solution
To confirm whether the DNS server is not compressing DNS responses, perform the following steps:
  1. Using Wireshark, capture packets on the virtual adapter on the client machine.
  2. In the filter field, enter dns.qry.name == "<fqdn name>" (for example, dns.qry.name == "office365.com") to find the problem fully qualified domain name (FQDN).
  3. Under the Answers section, select the first A record response, right-click and select Show Packet Bytes.
  4. Confirm the number of bytes (for example, 29 bytes).
  5. Select the second A record response, right-click and select Show Packet Bytes.
  6. Confirm the number of bytes (for example, 16 bytes).
If the additional A record responses are smaller than the first, this confirms that the DNS response packet is not compressed, as all A records should be the same number of bytes.  Because of this, the Pulse Desktop Client evaluates only the first byte and does not evaluate the rest of the DNS response.
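As an added illustration (not code from Pulse Secure or from this article), the following Python parser walks the DNS answer section while following RFC 1035 name compression pointers, so A records whose owner name is written in full and A records whose owner name is a pointer are both handled.  It reproduces the 29-byte and 16-byte answer records described above from a constructed response; the office365.com name and the TEST-NET addresses are sample values, and the function names are the example's own.

```python
import struct

def read_name(msg: bytes, off: int):
    """Return (name, offset after the name field), following RFC 1035 compression pointers."""
    labels, end = [], None            # end: where the caller resumes after the first pointer
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:         # 2-byte compression pointer: remember resume point, jump
            if end is None:
                end = off + 2
            off = ((ln & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if ln == 0:                   # root label terminates the name
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)

def parse_a_answers(msg: bytes):
    """Return [(owner_name, ipv4, rr_length_in_bytes), ...] for each A record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12                           # skip the fixed 12-byte header
    for _ in range(qdcount):
        _, off = read_name(msg, off)
        off += 4                       # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        start = off
        name, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:  # A record
            answers.append((name.lower(), ".".join(map(str, rdata)), off - start))
    return answers

def build_sample_response() -> bytes:
    """Constructed response: two A records, the first with a full owner name, the second with a pointer."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)   # 1 question, 2 answers
    qname = b"\x09office365\x03com\x00"
    question = qname + struct.pack("!HH", 1, 1)                      # A, IN
    rr1 = qname + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 10])   # 29 bytes
    rr2 = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 11])  # 16 bytes
    return header + question + rr1 + rr2

def ips_for_policy_fqdn(msg: bytes, fqdn: str):
    """Every A answer for the policy FQDN, regardless of how its owner name is encoded."""
    return [ip for name, ip, _ in parse_a_answers(msg) if name == fqdn.lower()]
```

A client that assumes every answer record is the same size as the first would miss the second address here; resolving the name through the pointer is what makes both records attributable to the policy FQDN.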

As of May 16th 2020, Pulse Desktop Client does not properly handle non-compressed DNS packets, and the tentative schedule (June 2020) is to resolve this issue in Pulse Desktop Client 9.1R7 (PRS-390306).
 

Workaround:

  1. Use a DNS server that compresses DNS responses.
  2. Use IP-based split tunneling instead of FQDN split tunneling.
Created By: K. Kitajima