Netskope is not compatible with Google or Cloudflare public DNS servers (220.127.116.11, 18.104.22.168, 22.214.171.124). This is well known and prevents resolution by NPA for all our configured private apps.
Based upon our testing (and trial and error) the following public DNS servers are working with NPA for our users and we must update our fleet of Macs as needed.
Comcast (Xfinity): 126.96.36.199, 188.8.131.52
AT&T: 184.108.40.206, 220.127.116.11
Frontier: 18.104.22.168, 22.214.171.124
Quad9 Public DNS Servers: 126.96.36.199, 188.8.131.52
Fortinet Public DNS servers: 184.108.40.206, 220.127.116.11
I would like to suggest Netskope maintain a list of known good public DNS servers that work with NPA. This would include updating the list when necessary, due to services not working anymore, etc. In a Work From Home (WFH), traveling, or foreign workforce environment, we consistently run into problems with access to private apps due to this issue.
As a final resolution I would like to recommend Netskope deploy and maintain public DNS servers that the NS Client would automatically use, with the option to disable as needed. Thoughts?
That seems very peculiar, especially since the config docs reference opening access through your firewall to the Google DNS servers. Is this just with NPA that you're seeing the issue? If so, where are you doing the resolution, on the client or on the publisher?
We see this with NPA specifically. I have had multiple tickets open for this issue and the fix has always been to switch DNS providers on the Client side, which will override network based settings (router).
Great article, thank you so much for posting it. We also have an issue with name resolution when some of our employees work remotely and use NPA. As we are gradually reducing our VPN usage, the NPA usage is gaining momentum but so are the intermittent DNS issues.
I have an active support case but they haven't yet been able to identify the cause.
You have provided some valuable information. Thank you!
We have identified our issues occur when our clients have IPv6 enabled and they get a Public Routable address (e.g. IPv6 address starting with 2001:xxx). This occurs on certain ISPs (in our case Telstra) and when joining a hotspot on an Android phone. Disabling IPv6 on the wifi adapter is resolving the issue. We now need to decide whether or not to disable IPv6 on all laptop wifi adapters or fix on an ad-hoc basis...
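
A way to find affected machines before deciding between a fleet-wide and an ad-hoc change, as an added example that is not part of the thread: it parses macOS-style `ifconfig` output and reports interfaces holding a globally routable IPv6 address (2000::/3, which covers the 2001: prefix mentioned above). The sample output is constructed and the function name is an assumption of this example.

```python
import ipaddress
import re

# IANA global unicast block; addresses starting with "2001:" fall inside it.
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")

# Constructed sample of macOS `ifconfig` output. The routable address uses the
# 2001:db8::/32 documentation prefix and does not belong to a real host.
SAMPLE_IFCONFIG = """\
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
\tinet 127.0.0.1 netmask 0xff000000
\tinet6 ::1 prefixlen 128
\tinet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tinet6 fe80::1c2d:3e4f:5a6b:7c8d%en0 prefixlen 64 secured scopeid 0x6
\tinet 192.168.1.23 netmask 0xffffff00 broadcast 192.168.1.255
\tinet6 2001:db8:1234:5678:10f2:a1b2:c3d4:e5f6 prefixlen 64 autoconf secured
\tinet6 fd12:3456:789a:1::25 prefixlen 64
en5: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tinet6 fe80::aede:48ff:fe00:1122%en5 prefixlen 64 scopeid 0x4
"""

IFACE_RE = re.compile(r"^([A-Za-z0-9]+): flags=")
INET6_RE = re.compile(r"^\s+inet6 ([0-9A-Fa-f:.]+)(?:%\S+)?\s")


def routable_ipv6_by_interface(ifconfig_text):
    """Return {interface: [global-unicast IPv6 addresses]} from ifconfig output."""
    found = {}
    iface = None
    for line in ifconfig_text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)  # start of a new interface stanza
            continue
        m = INET6_RE.match(line)
        if not m or iface is None:
            continue
        try:
            addr = ipaddress.IPv6Address(m.group(1))
        except ValueError:
            continue  # skip anything that is not a parseable address
        # Loopback, link-local (fe80::/10) and ULA (fc00::/7) are outside 2000::/3.
        if addr in GLOBAL_UNICAST:
            found.setdefault(iface, []).append(str(addr))
    return found


if __name__ == "__main__":
    for name, addrs in routable_ipv6_by_interface(SAMPLE_IFCONFIG).items():
        print(f"{name}: publicly routable IPv6 {', '.join(addrs)}")
```

On a real machine the input would be the captured output of `ifconfig` rather than the embedded sample.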