SASE Client with DNS server configuration on the SASE GW


Que 1: How to check which DNS server IP (configured on the SASE GW) is used when running the nslookup command on the Windows machine?

Que 2: How to configure NRPT rules (split DNS) to send DNS traffic through SASE tunnels for the domains configured on the SASE GW?

Que 3: How to manipulate interface metrics for DNS traffic?



On Windows Command Prompt/PowerShell, the Ping and Nslookup tools apply the following rules to resolve a hostname before looking at the route metric.


Note: The route metric is consulted only after DNS resolution.

 

1) Nrpt Rules (DNS resolver)


FQDNs are resolved by first looking up the NRPT rules. An NRPT rule consists of a domain namespace (you can use .* or .*domain.com) followed by the DNS server to use for it. Once the NRPT rules have been evaluated, the interface metric is checked.


To check the NRPT rule on Windows PowerShell


Get-DnsClientNrptRule ---> to get NRPT rules from PowerShell



2) Interface metric


Once the NRPT rules (Get-DnsClientNrptRule) have been checked and no match is found, Windows falls back to the interface metric. The interface with the lower metric value is preferred.


netsh interface ipv4 show interface ---> to check interface metric from Command Prompt

Get-NetIPInterface ---> to check interface metric from PowerShell
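The following PowerShell script is an added diagnostic, not part of the original article or the Versa client: it walks the same order described above for one FQDN, reporting the NRPT rule (and its name servers) that would claim the name, or, when no rule matches, the connected interfaces in metric order with their DNS servers. The script name Test-SaseDnsPath.ps1 is assumed; it uses only the built-in DnsClient and NetTCPIP cmdlets.

```powershell
# Test-SaseDnsPath.ps1 (assumed name; added example, not from the article)
# Usage: .\Test-SaseDnsPath.ps1 -Fqdn host.corp.domain.com
param([Parameter(Mandatory)][string]$Fqdn)

$name = $Fqdn.TrimEnd('.').ToLower()

# 1) NRPT: a rule matches when its namespace is a suffix of the name
#    (".domain.com" also covers "domain.com" itself; "." matches any name).
#    The longest matching namespace wins.
$match = Get-DnsClientNrptRule |
    ForEach-Object {
        $rule = $_
        foreach ($ns in $rule.Namespace) {
            $suffix = $ns.ToLower()
            if ($suffix -eq '.' -or
                $name -eq $suffix.TrimStart('.') -or
                $name.EndsWith($suffix)) {
                [pscustomobject]@{ Namespace = $ns; Rule = $rule }
            }
        }
    } |
    Sort-Object { $_.Namespace.Length } -Descending |
    Select-Object -First 1

if ($match) {
    "NRPT rule '{0}' ({1}) matches {2}" -f $match.Rule.DisplayName, $match.Namespace, $Fqdn
    "Queries go to: {0}" -f ($match.Rule.NameServers -join ', ')
    # Confirm by querying the rule's name servers directly (tunnel must be up).
    Resolve-DnsName -Name $Fqdn -Server $match.Rule.NameServers -ErrorAction SilentlyContinue |
        Format-Table Name, Type, IPAddress -AutoSize
    return
}

# 2) No NRPT match: Windows picks the DNS server of the interface with the
#    lowest metric, so show connected IPv4 interfaces in that order.
"No NRPT rule matches $Fqdn; falling back to interface metric order:"
Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected |
    Sort-Object InterfaceMetric |
    ForEach-Object {
        $dns = (Get-DnsClientServerAddress -InterfaceIndex $_.InterfaceIndex `
                    -AddressFamily IPv4).ServerAddresses
        [pscustomobject]@{
            Interface  = $_.InterfaceAlias
            Metric     = $_.InterfaceMetric
            DnsServers = ($dns -join ', ')
        }
    } | Format-Table -AutoSize
```

If the SASE tunnel interface does not appear first in the fallback table, the split-tunnel setting described below is the usual reason.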





Configuring Nrpt rules on the SASE GW


Split DNS can be configured on the Director UI Services > Secure Access > Portal > Gateway > Traffic Steering > DNS Resolver


If you configure domains here, only DNS traffic for those domains goes inside the tunnel; DNS traffic for all other domains uses the local DNS server.



Note: The SASE Client must re-register with the SASE GW to pick up the changes made in the Director GUI.


For example, on the Windows device:


PS C:\Users\user> Get-DnsClientNrptRule

Name                             : {09858BBE-FE9B-4EB0-ABDE-E1F9A37F9F88}
Version                          : 2
Namespace                        : {.domain.com}
IPsecCARestriction               :
DirectAccessDnsServers           :
DirectAccessEnabled              : False
DirectAccessProxyType            :
DirectAccessProxyName            :
DirectAccessQueryIPsecEncryption :
DirectAccessQueryIPsecRequired   :
NameServers                      : {10.48.0.99, 8.8.8.8}
DnsSecEnabled                    : False
DnsSecQueryIPsecEncryption       :
DnsSecQueryIPsecRequired         :
DnsSecValidationRequired         :
NameEncoding                     : Disable
DisplayName                      : VN_Versa-VSPA-SWG
Comment                          :

Name                             : {7128361B-78A3-4846-81F5-8071BEC9B0B5}
Version                          : 2
Namespace                        : {.corp.domain.com}
IPsecCARestriction               :
DirectAccessDnsServers           :
DirectAccessEnabled              : False
DirectAccessProxyType            :
DirectAccessProxyName            :
DirectAccessQueryIPsecEncryption :
DirectAccessQueryIPsecRequired   :
NameServers                      : {10.48.0.99, 8.8.8.8}
DnsSecEnabled                    : False
DnsSecQueryIPsecEncryption       :
DnsSecQueryIPsecRequired         :
DnsSecValidationRequired         :
NameEncoding                     : Disable
DisplayName                      : VN_Versa-VSPA-SWG
Comment                          :

Name                             : {F8E20168-944F-40BC-A02B-77AE6287C3F1}
Version                          : 2
Namespace                        : {.versa-networks.com}
IPsecCARestriction               :
DirectAccessDnsServers           :
DirectAccessEnabled              : False
DirectAccessProxyType            :
DirectAccessProxyName            :
DirectAccessQueryIPsecEncryption :
DirectAccessQueryIPsecRequired   :
NameServers                      : {10.48.0.99, 8.8.8.8}
DnsSecEnabled                    : False
DnsSecQueryIPsecEncryption       :
DnsSecQueryIPsecRequired         :
DnsSecValidationRequired         :
NameEncoding                     : Disable
DisplayName                      : VN_Versa-VSPA-SWG
Comment                          :




Configuring Interface Metric


When split tunnel is enabled, the interface metric of the SASE tunnel interface is 100.


Check whether the Split Tunnel option is checked/enabled on the SASE Gateway.



To make the interface metric lower than 5, uncheck/disable the Split Tunnel checkbox in the Director GUI: Services > Secure Access > Portal > Server > Traffic Steering > Uncheck/Disable Split Tunnel



Once the changes are made on the Director, re-register the SASE Client.


Confirm the interface metric using the following commands:


netsh interface ipv4 show interface ---> to check interface metric from Command Prompt

Get-NetIPInterface ---> to check interface metric from PowerShell