KB44565 - IP&FQDN-Split-tunnel-breaks-due-to-DNS-Compression at the end of the Domain name response

Information

 
Last Modified Date: 9/17/2020 10:53 PM
Synopsis

IP&FQDN Split Tunnel Breaks Due to DNS Compression At the End of the Domain Name Response

This article explains why an FQDN-based split tunnel policy breaks when the DNS response uses name compression at the end of the domain name.

Problem or Goal
The split tunnel policy breaks when the DNS responses are compressed at the end of the domain names.
Cause
Definition of compression (RFC 1035, section 4.1.4)
In order to reduce the size of messages, the domain system uses a compression scheme that eliminates the repetition of domain names in the NAME, QNAME, and RDATA fields. In this scheme, an entire domain name or a list of labels at the end of a domain name is replaced with a pointer to a prior occurrence of the same name.
The pointer takes the form of a two-octet sequence:
I) The first two bits are ones. This allows a pointer to be distinguished from a label, because a label length octet is limited to 63 and therefore never has both high bits set. The remaining 14 bits give the offset of the earlier name, counted from the start of the DNS message.
II) The parser therefore tests the first octet against the mask 0xC0: if both high bits are set, the octet begins a pointer (compressed data) rather than a label.

 
Example:
Open the packet capture and look for the DNS resolution of the resource that is breaking, that is, the resource that should be routed inside or outside the tunnel according to the Split Tunnel Policy.

In the DNS response from the packet capture below, 5 answer records are received.


DNS Response Packet
1. download.microsoft.com: type CNAME, class IN, cname 2-01-4ca6-0004.cdx.cedexis.net
2. 2-01-4ca6-0004.cdx.cedexis.net: type CNAME, class IN, cname main.dl.ms.akadns.net
3. main.dl.ms.akadns.net: type CNAME, class IN, cname download.microsoft.com.edgekey.net
4. download.microsoft.com.edgekey.net: type CNAME, class IN, cname e3673.dscg.akamaiedge.net
5. e3673.dscg.akamaiedge.net: type A, class IN, addr 23.55.248.115



Selecting any one of the answer records shows the packet bytes as a hexadecimal dump.


0000   02 05 85 7f eb 80 02 00 ac 10 24 ea 08 00 45 00
0010   01 04 7e b3 00 00 3c 11 0f 0d 0a c0 14 6f ac 10
0020   24 ea 00 35 ce 42 00 f0 a6 96 95 93 81 80 00 01
0030   00 05 00 00 00 00 08 64 6f 77 6e 6c 6f 61 64 09
0040   6d 69 63 72 6f 73 6f 66 74 03 63 6f 6d 00 00 01
0050   00 01 08 64 6f 77 6e 6c 6f 61 64 09 6d 69 63 72
0060   6f 73 6f 66 74 c0 1f 00 05 00 01 00 00 0a c5 00
0070   20 0e 32 2d 30 31 2d 34 63 61 36 2d 30 30 30 34
0080   03 63 64 78 07 63 65 64 65 78 69 73 03 6e 65 74
0090   00 c0 47 00 05 00 01 00 00 00 11 00 14 04 6d 61
00a0   69 6e 02 64 6c 02 6d 73 06 61 6b 61 64 6e 73 c0
00b0   62 c0 73 00 05 00 01 00 00 00 82 00 21 08 64 6f
00c0   77 6e 6c 6f 61 64 09 6d 69 63 72 6f 73 6f 66 74
00d0   03 63 6f 6d 07 65 64 67 65 6b 65 79 c0 62 c0 93
00e0   00 05 00 01 00 00 03 80 00 18 05 65 33 36 37 33
00f0   04 64 73 63 67 0a 61 6b 61 6d 61 69 65 64 67 65
0100   c0 62 c0 c0 00 01 00 01 00 00 00 11 00 04 17 37
0110   f8 73


In the dump, each answer name ends in a compression pointer whose first octet is c0 (the bytes the capture viewer highlights in red): c0 1f after 08 64 6f 77 6e 6c 6f 61 64 09 6d 69 63 72 6f 73 6f 66 74 (download.microsoft) in the first answer, and c0 47, c0 73, c0 93 and c0 c0 at the start of the following four answer names. A name that ends in a pointer rather than in a terminating 00 label is compressed at the end of the domain name response, and this is the case that breaks the split tunnel.
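To show what a parser that follows the trailing pointer correctly sees in this response, here is an added example (not Pulse Secure code) that walks the DNS payload from the capture above, resolving every 0xC0 pointer per RFC 1035 section 4.1.4, and returns the five answers with their names fully expanded.

```python
import struct

# DNS payload of the response above (frame bytes from offset 0x2a on), re-typed from this page's hex dump.
DNS_RESPONSE = bytes.fromhex("""
95 93 81 80 00 01 00 05 00 00 00 00 08 64 6f 77 6e 6c 6f 61 64 09
6d 69 63 72 6f 73 6f 66 74 03 63 6f 6d 00 00 01 00 01 08 64 6f 77 6e 6c 6f 61 64 09 6d 69 63 72
6f 73 6f 66 74 c0 1f 00 05 00 01 00 00 0a c5 00 20 0e 32 2d 30 31 2d 34 63 61 36 2d 30 30 30 34
03 63 64 78 07 63 65 64 65 78 69 73 03 6e 65 74 00 c0 47 00 05 00 01 00 00 00 11 00 14 04 6d 61
69 6e 02 64 6c 02 6d 73 06 61 6b 61 64 6e 73 c0 62 c0 73 00 05 00 01 00 00 00 82 00 21 08 64 6f
77 6e 6c 6f 61 64 09 6d 69 63 72 6f 73 6f 66 74 03 63 6f 6d 07 65 64 67 65 6b 65 79 c0 62 c0 93
00 05 00 01 00 00 03 80 00 18 05 65 33 36 37 33 04 64 73 63 67 0a 61 6b 61 6d 61 69 65 64 67 65
c0 62 c0 c0 00 01 00 01 00 00 00 11 00 04 17 37 f8 73
""")

def read_name(msg, pos):
    # Expand a possibly compressed name at pos and return (name, position just past its
    # in-line octets). A pointer may follow in-line labels, e.g. "08 download 09 microsoft c0 1f".
    labels, end, hops = [], None, 0
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:          # top two bits set: this is a 14-bit offset pointer
            end = pos + 2 if end is None else end   # the pointer is the name's last in-line octets
            pos = struct.unpack_from("!H", msg, pos)[0] & 0x3FFF
            hops += 1
            if hops > 32: raise ValueError("pointer loop")   # defensive: refuse looping chains
            continue
        pos += 1
        if length == 0:                    # zero-length root label terminates the name
            return ".".join(labels), (pos if end is None else end)
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length

def parse_answers(msg):
    # Return [(owner name, type, rdata)] for each answer, expanding pointers in names and CNAME rdata.
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    pos = 12
    for _ in range(qdcount):               # skip the question section: QNAME + QTYPE + QCLASS
        pos = read_name(msg, pos)[1] + 4
    answers = []
    for _ in range(ancount):
        name, pos = read_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, pos)
        pos += 10
        rdata = (read_name(msg, pos)[0] if rtype == 5                            # CNAME
                 else ".".join(str(b) for b in msg[pos:pos + 4]) if rtype == 1   # A
                 else msg[pos:pos + rdlen].hex())
        answers.append((name, rtype, rdata))
        pos += rdlen
    return answers
```

A parser that stops at the c0 octet instead of following it never sees the "com" label at offset 0x1f, so the owner name of the first answer cannot match the FQDN in the split tunnel policy.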
Solution
This issue is fixed in Pulse Desktop Client 9.1R8.
Created By: Sudhakar Damodaran