DNS Query Responds with Only One IP to Client PC When Connected Through Citrix Gateway Full VPN


Article ID: CTX200243


Description

If the nslookup command is run from the Windows command prompt of a client PC connected through Citrix Gateway with full VPN, split tunnel set to "OFF" and DNS configured as "Remote", the command returns only one back-end server IP. When the same client is connected through another full VPN product, the same nslookup returns approximately 10 back-end server IPs.

If the single back-end server IP returned by ADC is down or unresponsive, the user cannot access the resource. Normally a client that fails to reach one IP in a DNS answer retries against the next IP in that answer. Here there is no next IP, because Citrix Gateway returned only one, so the request fails.

Resolution

To resolve this issue, run the following commands from the ADC shell prompt:

> shell
root@ns# nsapimgr_wr.sh -ys enable_vpn_dns_override=1
root@ns# nsapimgr_wr.sh -ys enable_vpn_dnstruncate_fix=1

nsapimgr knobs are not written to the saved configuration, so for them to survive a reboot of ADC also append them to /nsconfig/rc.netscaler, which runs at boot:

root@ns# echo "nsapimgr_wr.sh -ys enable_vpn_dns_override=1" >> /nsconfig/rc.netscaler
root@ns# echo "nsapimgr_wr.sh -ys enable_vpn_dnstruncate_fix=1" >> /nsconfig/rc.netscaler
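The echo lines above work, but each re-run appends another copy to /nsconfig/rc.netscaler, and nothing in the procedure confirms the knobs actually took effect. The script below is an added example, not Citrix's own code or part of the original article. It applies both knobs, persists each one only if an identical line is not already present, and reads the running values back. It assumes a POSIX /bin/sh on the ADC, that nsapimgr_wr.sh is on PATH, and that "nsapimgr -d allvariables" dumps the knobs one per line as "name = value" (the exact spacing is an assumption, so both "name=value" and "name = value" are accepted). The file path is overridable so the persistence logic can be exercised against a temporary file off-box.

```shell
#!/bin/sh
# Added example (not from the Citrix article): apply, persist and verify the two
# Citrix Gateway full-VPN DNS knobs on ADC. Assumptions: POSIX sh, nsapimgr_wr.sh
# on PATH, and /nsconfig/rc.netscaler as the boot-time script the article names.

RC_FILE="${RC_FILE:-/nsconfig/rc.netscaler}"
KNOBS="enable_vpn_dns_override=1 enable_vpn_dnstruncate_fix=1"

# Apply a knob to the running kernel, but only when we are really on an ADC.
apply_knob() {
    if command -v nsapimgr_wr.sh >/dev/null 2>&1; then
        nsapimgr_wr.sh -ys "$1"
    else
        echo "nsapimgr_wr.sh not found; skipping live apply of $1" >&2
    fi
}

# Append the knob line to the rc file only if an identical line is not already
# there, so re-running after a later maintenance window does not stack duplicates.
persist_knob() {
    knob="$1"
    rcfile="${2:-$RC_FILE}"
    line="nsapimgr_wr.sh -ys $knob"
    touch "$rcfile"
    if grep -Fxq "$line" "$rcfile"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$rcfile"
}

# How many times the exact knob line appears in the rc file (1 is the expected answer).
persisted_count() {
    c=$(grep -Fxc "nsapimgr_wr.sh -ys $1" "$2" 2>/dev/null || true)
    echo "${c:-0}"
}

# Extract a knob's numeric value from a variable dump passed as a string.
# Real input comes from "nsapimgr -d allvariables" (format is an assumption, see
# lead-in). Prints nothing if the knob is absent.
knob_value_from_dump() {
    printf '%s\n' "$2" \
        | sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p" \
        | head -n 1
}

# Full procedure: apply, persist, then read back and compare with the wanted value.
main() {
    for k in $KNOBS; do
        apply_knob "$k"
        persist_knob "$k"
    done
    if command -v nsapimgr >/dev/null 2>&1; then
        dump=$(nsapimgr -d allvariables 2>/dev/null || true)
        for k in $KNOBS; do
            name=${k%%=*}
            want=${k#*=}
            got=$(knob_value_from_dump "$name" "$dump")
            if [ "$got" = "$want" ]; then
                echo "$name=$got (ok)"
            else
                echo "$name=${got:-<missing>} (expected $want)" >&2
            fi
        done
    fi
}

# Run the live procedure only when explicitly asked: sh vpn_dns_knobs.sh apply
case "${1:-}" in
    apply) main ;;
esac
```

Run it as "sh vpn_dns_knobs.sh apply" from the ADC shell; on a box without nsapimgr it only edits the rc file, which is the part that can be checked off-box with RC_FILE pointing at a scratch file.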


Problem Cause

In the current DNS handling, the Citrix Gateway plug-in sends a "GET /DNS" HTTP request over the tunnel for each DNS (or WINS) lookup. When ADC receives such a request, it builds an actual DNS packet and sends it to the DNS server configured on NetScaler.

When ADC receives the response from the DNS server, it returns a single resolved IP to the plug-in, which passes it on to the requesting application. Because of this design, every DNS lookup yields only one IP, however many records the DNS server actually returned.

ADC provides two nsapimgr knobs (described in the Additional Information section) to control this behavior. With these knobs configured, the plug-in forwards the client's DNS query packets transparently to the configured DNS server and the DNS response is returned transparently as well, so the client sees the full answer.

Issue/Introduction

DNS query responds with only one IP to client PC when connected through Citrix Gateway Full VPN.

Additional Information

Command: nsapimgr -ys enable_vpn_dns_override=1

Description: This flag is used by the Citrix Gateway server itself. If it is set, Citrix Gateway overrides the destination of TCP connections on the DNS port to the DNS servers configured on Citrix Gateway, instead of sending them to the DNS server IP originally present in the incoming TCP DNS packet. For UDP DNS requests, the default is already to use the configured DNS servers for resolution.

Command: nsapimgr -ys enable_vpn_dnstruncate_fix=1

Description: This flag is sent to the Citrix Gateway VPN client along with the other configuration parameters. Without it, when the VPN client intercepts a DNS/WINS request, it sends a corresponding "GET /DNS" HTTP request to the Citrix Gateway virtual server over the tunnel to obtain the resolved IP. If the enable_vpn_dnstruncate_fix flag is set, the VPN client instead forwards DNS/WINS requests transparently to the Citrix Gateway virtual server, that is, the DNS packet is sent as is over the VPN tunnel. This helps when the DNS records coming back from the name servers configured on the Citrix Gateway are large and do not fit in a UDP response packet: when the client falls back to TCP DNS, that TCP DNS packet reaches the Citrix Gateway server as is, and the Citrix Gateway server makes a TCP DNS query to a DNS server (the configured one, when enable_vpn_dns_override is also set).