Skip to main content

Looking for any information about how to best configure steering for private app access when DNSSEC is enabled on the on prem DNS servers, or if this is even possible. 

 

I have verified my NPA publisher is able to query DNS and get proper RSIG response. However remote clients do not get a valid response from the domain even with the Netskope suggested Active Directory configuration from: Netskope Private Access for Microsoft Active Directory Domain Services - Netskope Knowledge Portal

All nslookups come back as unsecured and Non-authoritative

I am seeing the following error when running nltest /dsgetdc:<mydomain>

Getting DC name failed: Status = 9505 0x2521 DNS_ERROR_UNSECURE_PACKET

The Active directory and DNS are setup according to netskope docs 


Netskope Clients use a concept of rewriting DNS records to a Stub IP (default in CGNAT range 100.64.0.0/10). The concept of intercepting and modifying DNS resource records in itself means Netskope Private Access does not support DNSSEC related resource records and does not have DNSSEC support enabled on the DNS resolver on Netskope Publishers. Hence DNS resource records as they arrive at a client will always be non-authorative since the Publisher has it’s own DNS resolver, and DNSSEC is not enabled and related DNS resource records are not tunneled to the endpoint.


Netskope Clients use a concept of rewriting DNS records to a Stub IP (default in CGNAT range 100.64.0.0/10). The concept of intercepting and modifying DNS resource records in itself means Netskope Private Access does not support DNSSEC related resource records and does not have DNSSEC support enabled on the DNS resolver on Netskope Publishers. Hence DNS resource records as they arrive at a client will always be non-authorative since the Publisher has it’s own DNS resolver, and DNSSEC is not enabled and related DNS resource records are not tunneled to the endpoint.

Would this apply to DoH or DoT as well or would that traffic be tunneled to the endpoint without interruption? 


Would this apply to DoH or DoT as well or would that traffic be tunneled to the endpoint without interruption? 

This has not been validated, theoretically this might work but would require every app definition also to include the real app ip


Reply