As of today, NPA on NSClient does not capture DNS requests sent over TCP 53 unless "Publisher DNS" is configured in the Private Application. Netskope is aware of this limitation and we are working to support it in the future.
This means that, for the time being, for Private Applications that are not configured to use "Publisher DNS", if the initial DNS resolution is performed over TCP 53, NPA will bypass the DNS resolution, and the NPA Application will fail to work.
Although the general recommendation is to avoid enabling/using DNS over TCP (TCP 53), this often depends on the DNS resolver, and unfortunately certain applications rely on their own DNS resolvers instead of the OS one.
Recently we verified that Microsoft Edge uses an embedded DNS resolver which, even when configured not to use secure DNS (DNS over HTTPS), still tries to use DNS over TCP if possible, breaking NPA.
To ensure that Microsoft Edge uses the OS DNS resolver, it is possible to configure, locally or through GPO/MDM, a specific registry key that disables the use of the embedded DNS resolver:
Path: SOFTWARE\Policies\Microsoft\Edge
Value Name: BuiltInDnsClientEnabled
Value Type: REG_DWORD
Value: 0x00000000
More details here: https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#use-built-in-dns-client
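The following PowerShell snippet is an added example, not part of the original Netskope article, that applies the registry policy described above and reads it back for verification. It assumes the machine-wide policy hive (HKLM, which is where the documented path lives for a mandatory policy) and an elevated prompt; the variable names are ours.

```powershell
# Added example (not from the original article): set the Edge policy that disables
# the embedded DNS resolver, then verify the value type and content.
# Assumptions: HKLM (machine-wide policy), run from an elevated PowerShell session.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$valueName  = 'BuiltInDnsClientEnabled'

# Create the policy key if this machine has no Edge policies yet.
if (-not (Test-Path -Path $policyPath)) {
    New-Item -Path $policyPath -Force | Out-Null
}

# REG_DWORD 0 disables Edge's built-in DNS client so it falls back to the OS resolver.
New-ItemProperty -Path $policyPath -Name $valueName -PropertyType DWord -Value 0 -Force | Out-Null

# Verify: read the value back and confirm it is a DWORD set to 0.
$item = Get-ItemProperty -Path $policyPath -Name $valueName
$kind = (Get-Item -Path $policyPath).GetValueKind($valueName)
if ($item.$valueName -eq 0 -and $kind -eq 'DWord') {
    Write-Output "$valueName is set to 0 (REG_DWORD) under $policyPath"
} else {
    Write-Warning "$valueName is not configured as expected: value=$($item.$valueName) kind=$kind"
}
```

After the value is written, Edge must be restarted to pick up the policy; the applied policies can be reviewed in Edge at edge://policy. When the key is delivered through GPO or MDM instead of a local script, the same path and value should appear there once the policy has been processed.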