Windows Client DNS Issue / Defender Smartscreen / PaloAlto GlobalProtect

julianstabentheiner 6 Reputation points
2022-08-11T08:33:54.51+00:00

Hello all,

we have a strange problem with our DNS resolution, which only occurs under certain conditions. I will try to explain them.

We are using Windows 10 and 11, partially Active Directory joined or already Azure AD joined. We are using PaloAlto Global Protect as VPN client. This has the option "Resolve All FQDNs Using DNS Servers Assigned by the Tunnel" enabled.

Source: https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-new-features/globalprotect-features/dns-query-enhancement

The problem usually occurs when the network has been changed (for example from WiFi to LAN). GlobalProtect is then sometimes in a strange state. We don't know yet if it is connected or not when the problem occurs.
We then get the error message "DNS PROBE FINISHED NXDOMAIN" in the browser.
After a few seconds the page loads. With the browser DEV tools I could see a long DNS query.

We then used Wireshark to analyze the DNS query. The DNS query is sent from the PC to the DNS server and immediately answered correctly. At the same time we analyzed the DNS query with YogaDNS. There we noticed that after each DNS query, a request is sent to a *.smartscreen.microsoft.com address. Only after a few seconds, a new DNS query is sent to our DNS server, which is then answered immediately. Here is a snippet of the YogaDNS log where you can see what's going on. The DNS reply takes about 6 seconds in this case.
The servers 193.xx.xxx.50 and 193.xx.xxx.51 are our DNS servers, which are assigned to the Ethernet card and the GlobalProtect interface.

[07.25 13:47:09] admx.help - request : type=A, id=52522, server=193.xx.xxx.50:53, program=svchost.exe, pid=2876  
[07.25 13:47:09] admx.help - bypass : rule=Default  
[07.25 13:47:09] admx.help - request : type=A, id=52522, server=193.xx.xxx.51:53, program=svchost.exe, pid=2876  
[07.25 13:47:09] admx.help - bypass : rule=Default  
[07.25 13:47:09] admx.help - request : type=A, id=52522, server=193.xx.xxx.50:53, program=svchost.exe, pid=2876  
[07.25 13:47:09] admx.help - bypass : rule=Default  
[07.25 13:47:09] europe.smartscreen.microsoft.com - request : type=A, id=46126, server=193.xx.xxx.50:53, program=svchost.exe, pid=2876  
[07.25 13:47:09] europe.smartscreen.microsoft.com - bypass : rule=Default  
[07.25 13:47:09] europe.smartscreen.microsoft.com - request : type=A, id=46126, server=193.xx.xxx.51:53, program=svchost.exe, pid=2876  
[07.25 13:47:09] europe.smartscreen.microsoft.com - bypass : rule=Default  
[07.25 13:47:09] europe.smartscreen.microsoft.com - request : type=A, id=46126, server=193.xx.xxx.50:53, program=svchost.exe, pid=2876  
[07.25 13:47:09] europe.smartscreen.microsoft.com - bypass : rule=Default  
[07.25 13:47:09] europe.smartscreen.microsoft.com - reply (direct) : type=A, id=46126, ips=20.82.250.189  
[07.25 13:47:09] google.com - request : type=A, id=41971, server=193.xx.xxx.50:53, program=msedge.exe, pid=17128  
[07.25 13:47:09] google.com - bypass : rule=Default  
[07.25 13:47:09] google.com - request : type=A, id=62438, server=8.8.8.8:53, program=msedge.exe, pid=17128  
[07.25 13:47:09] google.com - bypass : rule=Default  
[07.25 13:47:09] google.com - reply (direct) : type=A, id=41971, ips=172.217.16.78  
[07.25 13:47:10] europe.smartscreen-prod.microsoft.com - request : type=A, id=7657, server=193.xx.xxx.50:53, program=svchost.exe, pid=2876  
[07.25 13:47:10] europe.smartscreen-prod.microsoft.com - bypass : rule=Default  
[07.25 13:47:10] europe.smartscreen-prod.microsoft.com - reply (direct) : type=A, id=7657, ips=20.82.250.189  
[07.25 13:47:15] admx.help - request : type=A, id=47452, server=193.xx.xxx.50:53, program=svchost.exe, pid=2876  
[07.25 13:47:15] admx.help - bypass : rule=Default  
[07.25 13:47:15] admx.help - reply (direct) : type=A, id=47452, ips=188.114.96.4, 188.114.97.4  

I suspect a security feature of Microsoft Defender SmartScreen. Our DNS server has a public IP, but it is only accessible from our network.

Does anyone have ideas on how I can analyze the problem in more detail, or what it could be? It's quite complex, so I need TechNet's help on this.

Thanks for any advice!
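To put numbers on the log in the question, here is an added example (not part of the original post, and not a YogaDNS or Microsoft tool) that parses the quoted YogaDNS excerpt and reports, per name, the delay between the first request and the first reply, the transaction IDs that were never answered, and which other names were looked up while the slow one was pending. The line format is inferred from the excerpt; the redacted server addresses (193.xx.xxx.50/51) are used as-is, since they are only compared as strings.

```python
"""Parse a YogaDNS log and measure how long each name took to resolve.
Added example, not part of the original post; the line format is inferred from
the excerpt quoted in the question, which is embedded below verbatim."""
import re
from datetime import datetime

SAMPLE_LOG = """\
[07.25 13:47:09] admx.help - request : type=A, id=52522, server=193.xx.xxx.50:53, program=svchost.exe, pid=2876
[07.25 13:47:09] admx.help - bypass : rule=Default
[07.25 13:47:09] admx.help - request : type=A, id=52522, server=193.xx.xxx.51:53, program=svchost.exe, pid=2876
[07.25 13:47:09] admx.help - bypass : rule=Default
[07.25 13:47:09] admx.help - request : type=A, id=52522, server=193.xx.xxx.50:53, program=svchost.exe, pid=2876
[07.25 13:47:09] admx.help - bypass : rule=Default
[07.25 13:47:09] europe.smartscreen.microsoft.com - request : type=A, id=46126, server=193.xx.xxx.50:53, program=svchost.exe, pid=2876
[07.25 13:47:09] europe.smartscreen.microsoft.com - bypass : rule=Default
[07.25 13:47:09] europe.smartscreen.microsoft.com - request : type=A, id=46126, server=193.xx.xxx.51:53, program=svchost.exe, pid=2876
[07.25 13:47:09] europe.smartscreen.microsoft.com - bypass : rule=Default
[07.25 13:47:09] europe.smartscreen.microsoft.com - request : type=A, id=46126, server=193.xx.xxx.50:53, program=svchost.exe, pid=2876
[07.25 13:47:09] europe.smartscreen.microsoft.com - bypass : rule=Default
[07.25 13:47:09] europe.smartscreen.microsoft.com - reply (direct) : type=A, id=46126, ips=20.82.250.189
[07.25 13:47:09] google.com - request : type=A, id=41971, server=193.xx.xxx.50:53, program=msedge.exe, pid=17128
[07.25 13:47:09] google.com - bypass : rule=Default
[07.25 13:47:09] google.com - request : type=A, id=62438, server=8.8.8.8:53, program=msedge.exe, pid=17128
[07.25 13:47:09] google.com - bypass : rule=Default
[07.25 13:47:09] google.com - reply (direct) : type=A, id=41971, ips=172.217.16.78
[07.25 13:47:10] europe.smartscreen-prod.microsoft.com - request : type=A, id=7657, server=193.xx.xxx.50:53, program=svchost.exe, pid=2876
[07.25 13:47:10] europe.smartscreen-prod.microsoft.com - bypass : rule=Default
[07.25 13:47:10] europe.smartscreen-prod.microsoft.com - reply (direct) : type=A, id=7657, ips=20.82.250.189
[07.25 13:47:15] admx.help - request : type=A, id=47452, server=193.xx.xxx.50:53, program=svchost.exe, pid=2876
[07.25 13:47:15] admx.help - bypass : rule=Default
[07.25 13:47:15] admx.help - reply (direct) : type=A, id=47452, ips=188.114.96.4, 188.114.97.4
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>\d\d\.\d\d \d\d:\d\d:\d\d)\] (?P<name>\S+) - "
    r"(?P<event>request|bypass|reply)(?: \(\w+\))? : (?P<rest>.*)$"
)


def _field(rest, key):
    """Value of `key=...` in the comma-separated tail of a line, or None."""
    m = re.search(rf"\b{key}=([^,]+)", rest)
    return m.group(1) if m else None


def parse_yogadns(text):
    """Turn log lines into event dicts; lines in an unknown format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        ips = re.search(r"ips=(.*)$", rest)  # may hold several comma-separated addresses
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%m.%d %H:%M:%S"),  # log has no year
            "name": m.group("name"),
            "event": m.group("event"),
            "id": _field(rest, "id"),  # the \b in _field keeps this from matching pid=
            "server": _field(rest, "server"),
            "program": _field(rest, "program"),
            "ips": ips.group(1).split(", ") if ips else [],
        })
    return events


def resolution_latency(events):
    """Seconds from the first request for each name to its first reply (None if never answered)."""
    first_request, latency = {}, {}
    for ev in events:
        if ev["event"] == "request":
            first_request.setdefault(ev["name"], ev["ts"])
        elif ev["event"] == "reply" and ev["name"] in first_request and ev["name"] not in latency:
            latency[ev["name"]] = (ev["ts"] - first_request[ev["name"]]).total_seconds()
    return {name: latency.get(name) for name in first_request}


def unanswered_queries(events):
    """Transaction IDs that were sent (possibly retried to other servers) but never got a reply."""
    sent, answered = {}, set()
    for ev in events:
        if ev["event"] == "request":
            sent.setdefault(ev["id"], {"name": ev["name"], "servers": []})["servers"].append(ev["server"])
        elif ev["event"] == "reply":
            answered.add(ev["id"])
    return {qid: info for qid, info in sent.items() if qid not in answered}


def lookups_during(events, name):
    """Other names queried (in log order) between the first request for `name` and its first reply."""
    start = next((i for i, ev in enumerate(events) if ev["name"] == name and ev["event"] == "request"), None)
    if start is None: return []
    end = next((i for i, ev in enumerate(events) if i > start and ev["name"] == name and ev["event"] == "reply"), None)
    if end is None: return []
    seen = dict.fromkeys(ev["name"] for ev in events[start + 1:end]
                         if ev["event"] == "request" and ev["name"] != name)
    return list(seen)


if __name__ == "__main__":
    evs = parse_yogadns(SAMPLE_LOG)
    print(resolution_latency(evs))
    print(unanswered_queries(evs))
    print(lookups_during(evs, "admx.help"))
```

On the excerpt this reports 6 seconds for admx.help, no reply for id 52522 (the three retries across both servers) and id 62438 (the query msedge.exe sent to 8.8.8.8), and the two smartscreen names plus google.com as lookups that happened in between. Run it over a full YogaDNS export to check whether every slow name shows the same pattern: a first transaction ID that never gets an answer, followed seconds later by a second one that is answered at once.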

Tags: Windows 10 Network, Windows DHCP, Windows 11