DNS timeouts post upgrade to 13.0.64.35+ or 12.1.62+



Article ID: CTX335602


Description

DNS resolution might fail intermittently in certain scenarios when the number of users is high, and the ip_err_portalloc_failed counter keeps increasing.

Resolution

To avoid this issue and restore the behaviour of the previous firmware, run the following commands in the ADC shell:
nsapimgr_wr.sh -ys enable_vpn_dns_override=0
nsapimgr_wr.sh -ys enable_vpn_dnstruncate_fix=0
Sample output:
root@ns> shell
root@ns# nsapimgr_wr.sh -ys enable_vpn_dns_override=0
Number of PEs running: 2
Changing enable_vpn_dns_override from 1 to 0 ...  Done.
Changing enable_vpn_dns_override from 1 to 0 ...  Done.
root@ns# nsapimgr_wr.sh -ys enable_vpn_dnstruncate_fix=0
Number of PEs running: 2
Changing enable_vpn_dnstruncate_fix from 0 to 1 ...  Done.
Changing enable_vpn_dnstruncate_fix from 0 to 1 ...  Done.

For these settings to survive a reboot of the ADC, also run the following commands, which append them to /nsconfig/rc.netscaler:
root@ns# echo "nsapimgr_wr.sh -ys enable_vpn_dns_override=0">> /nsconfig/rc.netscaler
root@ns# echo "nsapimgr_wr.sh -ys enable_vpn_dnstruncate_fix=0">> /nsconfig/rc.netscaler

Problem Cause

The following flags are set to 1 in newer firmware versions:
root@ns# nsapimgr -d allvariables | grep enable_vpn
enable_vpn_dns_override:        1
enable_vpn_dnstruncate_fix:     1
The DNS cache is updated only when DNS resolution is done via GET /dns or via local DNS lookups.
With the above flags set to 1, GET /dns calls are not used: DNS queries are sent directly to the Gateway, which forwards them from a SNIP to the backend DNS server configured on the Gateway. When the number of queries is very high and only one SNIP is configured for the DNS network, the SNIP's source ports are exhausted, which is what the rising ip_err_portalloc_failed counter reflects.
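The check and the two-step fix above (apply now, then persist in /nsconfig/rc.netscaler) combined into one idempotent script, as an added example that is not part of the Citrix article. It assumes the nsapimgr_wr.sh and nsapimgr commands exactly as shown in the article; the knob check is parsed from a constructed copy of the `nsapimgr -d allvariables | grep enable_vpn` output so the script also runs off-box, and the rc.netscaler path is passed in as a parameter so it can be tested against a temporary file.

```shell
#!/bin/sh
# Added example, not from the Citrix article.
# Constructed sample of `nsapimgr -d allvariables | grep enable_vpn` output,
# copied from the article's Problem Cause section.
SAMPLE_VARS='enable_vpn_dns_override:        1
enable_vpn_dnstruncate_fix:     1'

# knob_value VARS NAME -> prints the current value of knob NAME from VARS
knob_value() {
    printf '%s\n' "$1" | awk -v k="$2:" '$1 == k { print $2 }'
}

# knobs_need_change VARS -> succeeds if either knob is still set to 1
knobs_need_change() {
    [ "$(knob_value "$1" enable_vpn_dns_override)" = "1" ] ||
    [ "$(knob_value "$1" enable_vpn_dnstruncate_fix)" = "1" ]
}

# persist_knob RCFILE NAME -> appends the nsapimgr_wr.sh line to RCFILE once.
# A bare `echo ... >> /nsconfig/rc.netscaler` adds a duplicate on every run;
# grep -x -F matches the whole line literally so re-running is harmless.
persist_knob() {
    line="nsapimgr_wr.sh -ys $2=0"
    grep -qxF "$line" "$1" 2>/dev/null || printf '%s\n' "$line" >> "$1"
}

# apply_knobs RCFILE -> sets both knobs to 0 now (only when nsapimgr_wr.sh
# is present, i.e. on the ADC itself) and persists them in RCFILE.
apply_knobs() {
    for knob in enable_vpn_dns_override enable_vpn_dnstruncate_fix; do
        if command -v nsapimgr_wr.sh >/dev/null 2>&1; then
            nsapimgr_wr.sh -ys "$knob=0"
        fi
        persist_knob "$1" "$knob"
    done
}

# On the ADC, run as: apply_knobs /nsconfig/rc.netscaler
```

On a live ADC, feed `knobs_need_change "$(nsapimgr -d allvariables | grep enable_vpn)"` before calling apply_knobs so the change is only made when the knobs are actually set to 1.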

Additional Information

https://support.citrix.com/article/CTX200243