Windows Client DNS Issue / Defender Smartscreen / PaloAlto GlobalProtect
Hello all,
we have a strange problem with our DNS resolution, which only occurs under certain conditions. I will try to explain them.
We are using Windows 10 and 11, partially Active Directory joined or already Azure AD joined. We are using PaloAlto Global Protect as VPN client. This has the option "Resolve All FQDNs Using DNS Servers Assigned by the Tunnel" enabled.
The problem usually occurs when the network has been changed (for example from WiFi to LAN). GlobalProtect is then sometimes in a strange state. We don't know yet if it is connected or not when the problem occurs.
We then get the error message "DNS PROBE FINISHED NXDOMAIN" in the browser.
After a few seconds the page loads. With the browser DEV tools I could see a long DNS query.
We then used Wireshark to analyze the DNS query. The DNS query is sent from the PC to the DNS server and immediately answered correctly. At the same time we analyzed the DNS query with YogaDNS. There we noticed that after each DNS query, a request is sent to a *.smartscreen.microsoft.com address. Only after a few seconds, a new DNS query is sent to our DNS server, which is then answered immediately. Here is a snippet of the YogaDNS log where you can see what's going on. The DNS reply takes about 6 seconds in this case.
The servers 193.xx.xxx.50 and 193.xx.xxx.51 are our DNS servers, which are assigned to the Ethernet card and the GlobalProtect interface.
[07.25 13:47:09] admx.help - request : type=A, id=52522, server=193.xx.xxx.50:53, program=svchost.exe, pid=2876
[07.25 13:47:09] admx.help - bypass : rule=Default
[07.25 13:47:09] admx.help - request : type=A, id=52522, server=193.xx.xxx.51:53, program=svchost.exe, pid=2876
[07.25 13:47:09] admx.help - bypass : rule=Default
[07.25 13:47:09] admx.help - request : type=A, id=52522, server=193.xx.xxx.50:53, program=svchost.exe, pid=2876
[07.25 13:47:09] admx.help - bypass : rule=Default
[07.25 13:47:09] europe.smartscreen.microsoft.com - request : type=A, id=46126, server=193.xx.xxx.50:53, program=svchost.exe, pid=2876
[07.25 13:47:09] europe.smartscreen.microsoft.com - bypass : rule=Default
[07.25 13:47:09] europe.smartscreen.microsoft.com - request : type=A, id=46126, server=193.xx.xxx.51:53, program=svchost.exe, pid=2876
[07.25 13:47:09] europe.smartscreen.microsoft.com - bypass : rule=Default
[07.25 13:47:09] europe.smartscreen.microsoft.com - request : type=A, id=46126, server=193.xx.xxx.50:53, program=svchost.exe, pid=2876
[07.25 13:47:09] europe.smartscreen.microsoft.com - bypass : rule=Default
[07.25 13:47:09] europe.smartscreen.microsoft.com - reply (direct) : type=A, id=46126, ips=20.82.250.189
[07.25 13:47:09] google.com - request : type=A, id=41971, server=193.xx.xxx.50:53, program=msedge.exe, pid=17128
[07.25 13:47:09] google.com - bypass : rule=Default
[07.25 13:47:09] google.com - request : type=A, id=62438, server=8.8.8.8:53, program=msedge.exe, pid=17128
[07.25 13:47:09] google.com - bypass : rule=Default
[07.25 13:47:09] google.com - reply (direct) : type=A, id=41971, ips=172.217.16.78
[07.25 13:47:10] europe.smartscreen-prod.microsoft.com - request : type=A, id=7657, server=193.xx.xxx.50:53, program=svchost.exe, pid=2876
[07.25 13:47:10] europe.smartscreen-prod.microsoft.com - bypass : rule=Default
[07.25 13:47:10] europe.smartscreen-prod.microsoft.com - reply (direct) : type=A, id=7657, ips=20.82.250.189
[07.25 13:47:15] admx.help - request : type=A, id=47452, server=193.xx.xxx.50:53, program=svchost.exe, pid=2876
[07.25 13:47:15] admx.help - bypass : rule=Default
[07.25 13:47:15] admx.help - reply (direct) : type=A, id=47452, ips=188.114.96.4, 188.114.97.4
I suspect a security feature of Microsoft Defender SmartScreen. Our DNS server has a public IP, but it is only accessible from our network.
Are there any ideas how I can analyze the problem in more detail, or what it could be? It's quite complex, so I need TechNet's help on this.
Thanks for any advice!
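A small parser for YogaDNS logs like the one quoted above, added here as an example and not part of the original post: it correlates request and reply lines per queried name, counts how often a query was re-sent, and lists transaction IDs that never received a reply, which is the pattern the admx.help lookup shows (id 52522 sent three times and never answered, id 47452 answered 6 seconds after the first request). The embedded sample is a trimmed copy of the log lines in the post; the 2-second "slow" threshold and the pinned year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a trimmed copy of the YogaDNS log quoted in the post above.
SAMPLE_LOG = """\
[07.25 13:47:09] admx.help - request : type=A, id=52522, server=193.xx.xxx.50:53, program=svchost.exe, pid=2876
[07.25 13:47:09] admx.help - request : type=A, id=52522, server=193.xx.xxx.51:53, program=svchost.exe, pid=2876
[07.25 13:47:09] europe.smartscreen.microsoft.com - request : type=A, id=46126, server=193.xx.xxx.50:53, program=svchost.exe, pid=2876
[07.25 13:47:09] europe.smartscreen.microsoft.com - reply (direct) : type=A, id=46126, ips=20.82.250.189
[07.25 13:47:09] google.com - request : type=A, id=41971, server=193.xx.xxx.50:53, program=msedge.exe, pid=17128
[07.25 13:47:09] google.com - reply (direct) : type=A, id=41971, ips=172.217.16.78
[07.25 13:47:15] admx.help - request : type=A, id=47452, server=193.xx.xxx.50:53, program=svchost.exe, pid=2876
[07.25 13:47:15] admx.help - reply (direct) : type=A, id=47452, ips=188.114.96.4, 188.114.97.4
"""
# One YogaDNS line: "[MM.DD HH:MM:SS] <name> - <request|reply (direct)|bypass> : <fields>"
LINE_RE = re.compile(r"^\[(?P<ts>\d\d\.\d\d \d\d:\d\d:\d\d)\] (?P<name>\S+) - "
                     r"(?P<kind>request|reply \(direct\)|bypass) : (?P<rest>.*)$")

def parse_ts(ts: str) -> datetime:
    # The log carries no year; pin one (assumption) so timestamps can be subtracted.
    return datetime.strptime("2000." + ts, "%Y.%m.%d %H:%M:%S")

def analyze(log: str, slow_after_s: float = 2.0) -> dict:
    """Per queried name: seconds from first request to first reply, how many
    request transmissions were seen, and which transaction IDs never got a reply."""
    per_name = defaultdict(lambda: {"n": 0, "first": None, "reply": None, "sent": set(), "answered": set()})
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m or m["kind"] == "bypass":  # bypass lines carry no timing information
            continue
        rec, ts = per_name[m["name"]], parse_ts(m["ts"])
        qid = re.search(r"id=(\d+)", m["rest"])[1]
        if m["kind"] == "request":
            rec["n"] += 1
            rec["first"] = rec["first"] or ts
            rec["sent"].add(qid)
        else:  # reply (direct)
            rec["reply"] = rec["reply"] or ts
            rec["answered"].add(qid)
    report = {}
    for name, rec in per_name.items():
        latency = (rec["reply"] - rec["first"]).total_seconds() if rec["reply"] and rec["first"] else None
        report[name] = {"latency_s": latency, "requests": rec["n"],
                        "unanswered_ids": sorted(rec["sent"] - rec["answered"]),
                        "slow": latency is None or latency >= slow_after_s}
    return report
```

Run it over a full YogaDNS capture taken while the problem reproduces; names that are flagged slow and also show unanswered IDs are the ones the client gave up on and re-queried, which is the behaviour to correlate against the Wireshark trace.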