I am seeing the following error when running nltest /dsgetdc:<mydomain>
Getting DC name failed: Status = 9505 0x2521 DNS_ERROR_UNSECURE_PACKET
Active Directory and DNS are set up according to the Netskope docs.
Netskope Clients use a concept of rewriting DNS records to a Stub IP (default in CGNAT range 100.64.0.0/10). The concept of intercepting and modifying DNS resource records in itself means Netskope Private Access does not support DNSSEC-related resource records and does not have DNSSEC support enabled on the DNS resolver on Netskope Publishers. Hence DNS resource records as they arrive at a client will always be non-authoritative since the Publisher has its own DNS resolver, and DNSSEC is not enabled and related DNS resource records are not tunneled to the endpoint.
Would this apply to DoH or DoT as well or would that traffic be tunneled to the endpoint without interruption?
This has not been validated. Theoretically this might work, but it would require every app definition to also include the real app IP.
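For troubleshooting the behaviour described in this thread, the following added example (not Netskope code and not part of any post above) parses a raw DNS response and reports the AA and AD header bits together with any A records that fall inside the default stub range 100.64.0.0/10. The function names and the sample packet for `app.corp.example` are constructed for illustration.

```python
import ipaddress
import struct

STUB_RANGE = ipaddress.ip_network("100.64.0.0/10")  # default stub range named in the thread

def _skip_name(msg, off):
    """Advance past a DNS name (labels or a compression pointer); return the new offset."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # 2-byte compression pointer ends the name
            return off + 2
        if length == 0:             # root label ends the name
            return off + 1
        off += 1 + length

def inspect_response(msg):
    """Return header flags and A records of a raw DNS response, marking stub-range addresses."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:           # A record
            addrs.append(ipaddress.ip_address(msg[off:off + 4]))
        off += rdlen
    return {
        "authoritative": bool(flags & 0x0400),       # AA bit
        "authenticated_data": bool(flags & 0x0020),  # AD bit, set by a validating resolver
        "addresses": [str(a) for a in addrs],
        "stub_rewritten": [str(a) for a in addrs if a in STUB_RANGE],
    }

# Constructed sample: answer app.corp.example -> 100.64.0.7 with AA=0 and AD=0
SAMPLE = (
    bytes.fromhex("1a2b81800001000100000000")
    + b"\x03app\x04corp\x07example\x00" + bytes.fromhex("00010001")
    + bytes.fromhex("c00c000100010000003c0004") + bytes([100, 64, 0, 7])
)

if __name__ == "__main__":
    print(inspect_response(SAMPLE))
```

A response with a non-empty `stub_rewritten` list and `authenticated_data` false matches the rewritten, non-DNSSEC answers described above.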