SASE Client with DNS server configuration on the SASE GW
Que 1: How to check which DNS server IP configured on the SASE GW is used when running the nslookup command on the Windows machine?
Que 2: How to configure NRPT rules (split DNS) to send DNS traffic through SASE tunnels for the domains configured on the SASE GW?
Que 3: How to manipulate interface metrics for DNS traffic?
On Windows, the Ping and Nslookup tools (Command Prompt/PowerShell) apply the following rules to resolve a hostname before the route metric is considered.
Note: The route metric is only evaluated after DNS resolution has completed.
1) NRPT rules (DNS resolver)
FQDNs are resolved by first looking up the NRPT rules. A rule matches on a domain-name namespace (you can use .* or .*domain.com) and lists the DNS server to use for that namespace. Only once the NRPT rules have been evaluated is the interface metric checked.
To check the NRPT rules on Windows PowerShell:
Get-DnsClientNrptRule ---> to list NRPT rules from PowerShell
2) Interface metric
Once the DnsClientNrptRule list has been checked and no match is found, Windows falls back to the interface metric. The interface with the lower metric value is preferred.
netsh interface ipv4 show interface ---> to check the interface metric from Command Prompt
Get-NetIPInterface ---> to check the interface metric from PowerShell
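The two-step order above (NRPT rule first, interface metric second) can be reproduced in a small check script. The following is an added example, not part of the Versa article; the function name and parameter are my own, and it assumes the built-in DnsClient and NetTCPIP PowerShell modules are available on the Windows client.

```powershell
# Added example: predict which DNS servers Windows would use for a name, following
# the order described above: NRPT rule first, then the connected IPv4 interface
# with the lowest metric. Function and parameter names are assumptions (not Versa's).
function Get-DnsResolutionPath {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$HostName)

    $fqdn = $HostName.TrimEnd('.').ToLowerInvariant()

    # 1) NRPT: a namespace such as ".domain.com" is a suffix rule. If several rules
    #    match, the most specific (longest) suffix is taken.
    $best = $null; $bestLen = -1
    foreach ($rule in Get-DnsClientNrptRule) {
        foreach ($ns in @($rule.Namespace)) {
            $suffix = $ns.ToLowerInvariant()
            $hit = if ($suffix.StartsWith('.')) {
                       $fqdn.EndsWith($suffix) -or ($fqdn -eq $suffix.TrimStart('.'))
                   } else { $fqdn -eq $suffix }
            if ($hit -and $suffix.Length -gt $bestLen) { $best = $rule; $bestLen = $suffix.Length }
        }
    }
    if ($best) {
        return [pscustomobject]@{
            Host        = $fqdn
            Decision    = 'NRPT rule'
            Source      = $best.DisplayName
            NameServers = @($best.NameServers) -join ', '
        }
    }

    # 2) No NRPT match: use the connected IPv4 interface with the lowest metric
    #    that actually has DNS servers configured.
    $dnsByIf = @{}
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        ForEach-Object { $dnsByIf[[int]$_.InterfaceIndex] = $_.ServerAddresses }

    $iface = Get-NetIPInterface -AddressFamily IPv4 |
        Where-Object { $_.ConnectionState -eq 'Connected' -and $dnsByIf.ContainsKey([int]$_.InterfaceIndex) } |
        Sort-Object InterfaceMetric |
        Select-Object -First 1
    if (-not $iface) { throw 'No connected IPv4 interface with DNS servers was found.' }

    return [pscustomobject]@{
        Host        = $fqdn
        Decision    = "Interface metric ($($iface.InterfaceMetric))"
        Source      = $iface.InterfaceAlias
        NameServers = @($dnsByIf[[int]$iface.InterfaceIndex]) -join ', '
    }
}

# Usage: Get-DnsResolutionPath -HostName 'intranet.corp.domain.com'
```

Compare the NameServers column against the DNS Resolver settings on the SASE GW to confirm that a configured domain is steered into the tunnel while other names fall through to the local DNS server.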
Configuring NRPT rules on the SASE GW
Split DNS can be configured on the Director UI under Services > Secure Access > Portal > Gateway > Traffic Steering > DNS Resolver.
If you configure domains there, only the DNS traffic for those domains goes inside the tunnel; DNS traffic for all other domains uses the local DNS server.
Note: The SASE Client must re-register with the SASE GW to receive the changes made on the Director GUI.
For example, on the Windows device:
PS C:\Users\user> Get-DnsClientNrptRule
Name : {09858BBE-FE9B-4EB0-ABDE-E1F9A37F9F88}
Version : 2
Namespace : {.domain.com}
IPsecCARestriction :
DirectAccessDnsServers :
DirectAccessEnabled : False
DirectAccessProxyType :
DirectAccessProxyName :
DirectAccessQueryIPsecEncryption :
DirectAccessQueryIPsecRequired :
NameServers : {10.48.0.99, 8.8.8.8}
DnsSecEnabled : False
DnsSecQueryIPsecEncryption :
DnsSecQueryIPsecRequired :
DnsSecValidationRequired :
NameEncoding : Disable
DisplayName : VN_Versa-VSPA-SWG
Comment :
Name : {7128361B-78A3-4846-81F5-8071BEC9B0B5}
Version : 2
Namespace : {.corp.domain.com}
IPsecCARestriction :
DirectAccessDnsServers :
DirectAccessEnabled : False
DirectAccessProxyType :
DirectAccessProxyName :
DirectAccessQueryIPsecEncryption :
DirectAccessQueryIPsecRequired :
NameServers : {10.48.0.99, 8.8.8.8}
DnsSecEnabled : False
DnsSecQueryIPsecEncryption :
DnsSecQueryIPsecRequired :
DnsSecValidationRequired :
NameEncoding : Disable
DisplayName : VN_Versa-VSPA-SWG
Comment :
Name : {F8E20168-944F-40BC-A02B-77AE6287C3F1}
Version : 2
Namespace : {.versa-networks.com}
IPsecCARestriction :
DirectAccessDnsServers :
DirectAccessEnabled : False
DirectAccessProxyType :
DirectAccessProxyName :
DirectAccessQueryIPsecEncryption :
DirectAccessQueryIPsecRequired :
NameServers : {10.48.0.99, 8.8.8.8}
DnsSecEnabled : False
DnsSecQueryIPsecEncryption :
DnsSecQueryIPsecRequired :
DnsSecValidationRequired :
NameEncoding : Disable
DisplayName : VN_Versa-VSPA-SWG
Comment :
Configuring the Interface Metric
When split tunnel is enabled, the interface metric is 100.
Check whether split tunnel is checked/enabled on the SASE Gateway.
To make the interface metric lower than 5, uncheck/disable the split tunnel checkbox on the Director GUI under Services > Secure Access > Portal > Server > Traffic Steering > Uncheck/Disable Split Tunnel.
Once the changes are made on the Director, re-register the SASE Client.
Confirm the interface metric using the following commands:
netsh interface ipv4 show interface ---> to check the interface metric from Command Prompt
Get-NetIPInterface ---> to check the interface metric from PowerShell