KB20917 - Domain Name Resolution (DNS) lookup fails for Linux Operating Systems when Network Connect (NC) is used and split tunneling is enabled

Last Modified Date: 8/1/2015 3:42 AM
Synopsis
This article describes hostname lookup failures on Linux Operating Systems when split tunneling is enabled for NC.
Problem or Goal
When NC is configured in split tunnel mode, there are two DNS search order options, found under Users > Resource Policies > Network Connect (pre-7.2) / VPN Tunneling (7.2 and above) > Connection Profiles > [Profile_name]. The search order options are:
 
  • Search client DNS first, then the device
 
  • Search the device's DNS servers first, then client

On Windows Operating Systems, hostnames can be resolved against both the client DNS servers and the Pulse Connect Secure (PCS) DNS servers; the setting above determines which set of DNS servers (PCS or client) is used first. If DNS resolution fails against the first set of servers in the configured search order, the other set is tried.

However, on Linux Operating Systems, all DNS queries go to the SA DNS servers when split tunnel mode is configured for NC, regardless of the configured search order option. As a result, DNS resolution for public domains fails if the SA DNS servers are not able to resolve them.

Note: If you want Network Connect to have a separate DNS configuration from what is configured on the SA (System > Network > Overview), then select the 'Manual DNS Settings' option in the respective Network Connection profile.
Cause
Solution
This is currently a limitation of the PCS device. Take this into consideration if you are deploying the PCS SSL VPN in a Linux environment.

For example, on an Ubuntu 9.10 machine, the following behavior is observed when split tunnel mode is enabled (irrespective of the DNS search order configured under the NC Profile on the PCS):
Before launching NC, resolv.conf has the following entries:
1.1.1.1
2.2.2.2
This means that all DNS requests are first sent to server 1.1.1.1 and fall back to server 2.2.2.2 if server 1.1.1.1 is unreachable for name resolution.

If the PCS DNS setting under the NC profile is:
Primary DNS: 10.10.10.10
Secondary DNS: 20.20.20.20

After launching NC, resolv.conf is modified as shown below:
10.10.10.10
20.20.20.20

This means that all DNS requests are first sent to server 10.10.10.10 and fall back to 20.20.20.20 if the 10.10.10.10 server is unreachable for name resolution.

After disconnecting NC, resolv.conf is restored with the old entries as shown below:
1.1.1.1
2.2.2.2
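
One way to check which resolver set is active on a Linux client before, during and after an NC session, as an added example that is not part of the original article or vendor tooling. It assumes the standard `nameserver` keyword syntax of resolv.conf (the article lists only the addresses); the function names are hypothetical and the sample files are constructed from the article's addresses.

```shell
#!/bin/sh
# Added example (not from the KB article). Addresses are the article's sample
# values; the "nameserver" keyword is standard resolv.conf syntax (assumed here,
# since the article lists only the addresses).

# Print the nameserver addresses of a resolv.conf-style file, in lookup order.
nameservers() {
    awk '$1 == "nameserver" && $2 != "" { printf "%s%s", sep, $2; sep = " " }
         END { print "" }' "$1"
}

# dns_state FILE "CLIENT_DNS ..." "TUNNEL_DNS ..."
# Prints client, tunnel, mixed (both sets present) or unknown.
dns_state() {
    client=" $2 "; tunnel=" $3 "
    seen_client=0; seen_tunnel=0; seen_other=0
    for ns in $(nameservers "$1"); do
        case "$client" in *" $ns "*) seen_client=1; continue ;; esac
        case "$tunnel" in *" $ns "*) seen_tunnel=1; continue ;; esac
        seen_other=1
    done
    if [ "$seen_other" -eq 1 ]; then echo unknown
    elif [ "$seen_client" -eq 1 ] && [ "$seen_tunnel" -eq 1 ]; then echo mixed
    elif [ "$seen_tunnel" -eq 1 ]; then echo tunnel
    elif [ "$seen_client" -eq 1 ]; then echo client
    else echo unknown
    fi
}

# Constructed walk-through of the three states the article describes.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'nameserver 1.1.1.1\nnameserver 2.2.2.2\n' > "$dir/before"
    printf '# set by VPN client\nnameserver 10.10.10.10\nnameserver 20.20.20.20\n' > "$dir/during"
    cp "$dir/before" "$dir/after"
    for phase in before during after; do
        printf '%-7s %-8s %s\n' "$phase" \
            "$(dns_state "$dir/$phase" "1.1.1.1 2.2.2.2" "10.10.10.10 20.20.20.20")" \
            "$(nameservers "$dir/$phase")"
    done
    rm -rf "$dir"
}

demo
```

A result of `tunnel` while the session is up confirms that every lookup, including public names, is going to the VPN-side DNS servers first.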
Created By: Data Deployment