Mac DNSFilter Agent - Issues with GlobalProtect VPN
My org has reported issues with both DNSFilter 2.20 and 2.3.8 with GlobalProtect VPN (currently on 6.3.3). It affects all our versions of macOS including Tahoe 26.x, Sequoia 15.x and Sonoma 14.x. It is intermittent, occurring about 40% of the time.
Example: When an on-demand tunnel is established via GlobalProtect, sometimes DNS breaks. Hosts on my LAN (with static IPs and valid PTR records) are not resolvable via nslookup, dig, etc., and services like Kerberos fail (can't resolve service records for _kerberos._tcp.sgc.loc SRV). There are 3 options to remediate:
1. "Try again until it works" (second attempt, etc.)
2. Reboot.
3. Kill /usr/sbin/mDNSResponder manually via Terminal. (/usr/bin/dscacheutil -flushcache; /usr/bin/killall -HUP mDNSResponder; killall mDNSResponderHelper)
Obviously, end-users aren't satisfied with any of these options. Killing mDNSResponder works every time (pings and lookups instantly start working, and Kerberos tickets are acquired instantly), which leads me to think this issue is related to macOS and/or DNSFilter, but only when a GlobalProtect tunnel is established.
Our Palo Alto VPN is configured as a split tunnel, and set up for on-demand (users must invoke a tunnel and authenticate to Entra ID/MFA).
On a side note, we have also noticed issues with reverse DNS once connected to GlobalProtect too. I'll likely have to open a separate post/case for this unless we can determine if these issues are directly related.
I'm going to be performing deep-dives into all of this soon (logging, etc.), but I'm looking for guidance in case this is a known issue. Please advise!
-
Hey Daniel Stranathan, fancy meeting you here! Since Apple doesn’t allow multiple DNS proxies to run at the same time, it makes sense that this started showing up with the v2.2+ agent series. What’s likely happening is that the VPN and the DNSFilter agent are competing for the same port—which would explain why it works sometimes and not others, depending on which service initializes first.
In practice, the viable options tend to be using split tunneling or ensuring the VPN connects after the DNSFilter agent. Palo Alto also has some interoperability guides that may offer helpful configuration ideas. The docs are a bit dated, but there may still be applicable guidance there.
-
We are using split-tunnel and our VPN is currently set as on-demand (i.e., users initiate an IPsec tunnel manually as needed for traveling users), so we aren't currently using always-on VPN (but may consider it in 2027).
The DNSFilter Mac agent launches at startup. I can see the System Extension ('DNS Proxy') load. So DNSFilter always launches before GlobalProtect VPN tunnels are established.
GlobalProtect has (2) system extensions: 'Transparent Proxy' and 'Content Filter'. These 2 don't activate until a user establishes a VPN tunnel. GlobalProtect VPN doesn't appear to have a 'DNS Proxy' extension (I never configure one anyway), so I'm unclear as to how the (2) services would be conflicting. Any insight you have would be helpful. I may have to open a support case with Palo Alto, and I'm hoping to get my ducks in a row with DNSFilter first to avoid any finger pointing, etc.
-
Plus one to this post.
We are on v2.3.8 with GlobalProtect 6.3.2-525 and we are experiencing similar intermittent failures.
We cannot reliably repro it but there are normally a handful of users affected per day, leading us to disable DNSFilter.
Minetta Gould - It would be helpful if DNSFilter could provide a definitive, clear set of steps to help us collectively get to the bottom of this.
-
Thanks for the detailed follow-up—this is really helpful context.
After reviewing this with Engineering, what you’re seeing appears more likely to be a GlobalProtect configuration concern than a DNSFilter issue. On macOS, DNSFilter uses Apple’s DNS Proxy framework and sits earlier in the networking stack. Once GlobalProtect establishes a tunnel and applies its own routing, proxying, or enforcement behavior, edge cases can surface depending on how DNS and traffic are handled.
Because GlobalProtect has a lot of nuance (split tunneling rules, DNS overrides, transparent proxy, content filtering, etc.), we can’t safely provide step-by-step VPN configuration guidance without effectively designing the VPN itself. The best next step is to work with Palo Alto support or the GlobalProtect community as Daniel suggested, framing this as an environment where a third-party DNS proxy (DNSFilter) is already present and functioning as designed.
If you’re able to dig further with Palo Alto and uncover anything useful, we’d really appreciate you circling back here—those findings would be incredibly valuable for other customers running similar macOS + GlobalProtect setups!
-
Minetta Gould I'm not asking for configuration guidance, I'm asking for more detailed guidance from DNSFilter on how to effectively troubleshoot the interaction between these products. How, on Mac, do we determine where in the networking stack things are going awry? Providing this _generic_ information to your customers will help us help your community of users.
-
JohnH From the DNSFilter side, we can help troubleshoot whether the macOS Roaming Client is behaving as designed and whether DNS traffic is reaching us consistently.
Here's what we recommend focusing on:
- Confirm DNSFilter visibility: check whether queries from an affected device are consistently appearing in the Query Log when the VPN is connected. If queries stop appearing, that's a strong indicator DNS is being intercepted or rerouted before it reaches DNSFilter.
- Check the block experience: if users see the DNSFilter Unknown page (pictured in this article), that typically points to DNS circumvention rather than a client failure.
- Review known DNS traffic conflicts: our Help Center sections on DNS Traffic Conflicts and Roaming Client Troubleshooting outline common patterns where other software takes control of DNS.
- Capture diagnostic logs from an impacted device: if behavior looks inconsistent or unexpected from the DNSFilter side, our Support team can review client diagnostics to confirm whether the agent is operating correctly.
If you uncover anything specific in your GlobalProtect investigation that helps explain the interaction, we’d genuinely love for you to share it back here. Those findings are often what help future customers connect the dots faster.
-
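An added example, not posted by anyone in this thread, for the "where in the networking stack" question above: a small macOS shell script that snapshots the resolver configuration and loaded system extensions and probes the same lookups the original post says break (LAN A record, PTR record, Kerberos SRV record), so a capture taken before and after a GlobalProtect tunnel comes up can be diffed and attached to a support case. The hostname host1.sgc.loc and the address 10.0.0.10 are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Usage: "sh dns-snapshot.sh run" once before
# the GlobalProtect tunnel is up and once after, then diff the two output files.
# Placeholders (not from the thread): host1.sgc.loc and 10.0.0.10.
# classify_dig_output: reads one full `dig` response on stdin, prints a verdict:
#   ok      NOERROR with at least one answer record
#   empty   NOERROR/NXDOMAIN but no answer (query reached a resolver that does not know the LAN zone)
#   timeout no reply at all (queries swallowed by a proxy or tunnel)
#   error   SERVFAIL, REFUSED or unparseable output
classify_dig_output() {
  out=$(cat)
  case "$out" in
    *"connection timed out"*|*"no servers could be reached"*) echo timeout; return 0 ;;
  esac
  status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
  answers=$(printf '%s\n' "$out" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1)
  if [ "$status" = NOERROR ] && [ "${answers:-0}" -gt 0 ]; then
    echo ok
  elif [ "$status" = NOERROR ] || [ "$status" = NXDOMAIN ]; then
    echo empty
  else
    echo error
  fi
}

# probe <name> <type>: one short query, no retries, so a stuck resolver shows up
# as "timeout" instead of hanging the snapshot.
probe() {
  verdict=$(dig +time=2 +tries=1 "$1" "$2" 2>&1 | classify_dig_output)
  printf '%-32s %-4s %s\n' "$1" "$2" "$verdict"
}

# snapshot: resolver order (scutil), loaded system extensions, then the lookups
# the original post says break: LAN A record, PTR record, Kerberos SRV record.
snapshot() {
  f="dns-snapshot-$(date +%Y%m%d-%H%M%S).txt"
  {
    echo "== scutil --dns =="; scutil --dns
    echo "== systemextensionsctl list =="; systemextensionsctl list
    echo "== probes =="
    probe host1.sgc.loc A
    probe 10.0.0.10.in-addr.arpa PTR
    probe _kerberos._tcp.sgc.loc SRV
  } > "$f" 2>&1
  echo "$f"
}

case "${1:-}" in
  run) snapshot ;;
esac
```

Diffing the two snapshots shows whether the resolver list or the set of active extensions changes when the tunnel comes up, and the probe verdicts show which lookups stop answering at that moment.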