Issues with split DNS on Endpoint Security VPN / H…

2024-11-22

Hi everyone,

I am trying to understand how to configure split DNS when using the Harmony Endpoint Security VPN client (basically the same as the Endpoint Security VPN client). Without split DNS at the moment, all the DNS queries (for internal + external/public domains) are sent to my corporate internal DNS, and I would like this to be the case only for the selected domains managed internally.

First, I find some parts of the documentation on the topic a bit confusing ( https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_RemoteAccessVPN_AdminGuide/T … ). I understand it is necessary to do this when using the SecuRemote VPN client, but when using the Mobile Access VPN or Endpoint Security VPN client, is it already enabled, or do we still need to enable it and use the SecuRemoteDNS object as mentioned in the documentation?

The following parts of the documentation confuse me:

– “Split DNS is automatically enabled”

– “Best practice is:

  • For Endpoint Security VPN and Check Point Mobile for Windows, use Office mode.”

I am already using office mode in my case and the VPN itself is working fine (using ADFS/SAML auth).

I still went ahead and followed the documentation to enable split DNS on my gateway and created the SecuRemoteDNS object with the few domain suffixes I want to resolve internally. However, the results are not really what I expected, and it does not seem to work from what I can observe and test. When split DNS is enabled, the DNS resolution on my client (Windows 10 machine) takes like 10, basically the amount of time for the DNS request to time out 5 times on my internal DNS, and when I try to resolve an external/public domain (out of the SecuRemoteDNS domain scope I defined) using nslookup, it still tries to contact my internal DNS server and times out. Not sure if this is supposed to be by design? I find it really strange. The whole experience becomes unusable for users as the DNS resolution for external domains takes forever (10, like I said) after enabling split DNS. It corresponds to what is described here: https://woshub.com/dns-resolution-via-vpn-not-working-windows/

It can be worked around by disabling SMHNR in Windows to have the resolution work faster (seems to be a Windows bug), but I find it hard to believe I need to go to such an extent to have split DNS working for all my users?

Am I missing something?

I thought that the VPN client would handle the split DNS part by routing the DNS queries properly depending on the domain requested:

– If the domain is internal and managed (as defined in SecuRemoteDNS) –> send to the internal DNS via VPN

– If the domain is external, just resolve locally with the ISP's DNS on the other adapter

But this is totally not what I observe in my test, which is very surprising… And I am not sure how to resolve this. I also did a packet capture on my test machine, and I can see that DNS requests for external domains are still sent to my internal DNS via VPN, which makes no sense to me.

I guess my questions are:

1) Do you need to enable Split DNS as described in the documentation also for enterprise VPN clients (including Endpoint Security VPN)?

2) Has anybody else enabled split DNS using those VPN clients successfully and can share how? Am I approaching this incorrectly?

Thanks in advance for reading and for your help.

My environment info and versions:

– Management R81.10 (latest recommended take)

– Gateway (VPN target) R81.10 Take 95

– Endpoint Security E87.30 client (latest version I think)

– Windows 10 22H2 devices (for the tests)
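An added diagnostic for the behaviour described in the post (not from the post, the Check Point documentation, or the linked article): it snapshots the Windows 10 DNS client state that decides where a query goes, namely per-adapter DNS servers, any NRPT suffix rules, and the SMHNR policy, then times a lookup of one internal and one external name so a query that is being sent to the VPN resolver and timing out shows up as a multi-second result. The two test names and the registry location of the SMHNR policy are assumptions, not values from the post.

```powershell
# Added example, not from the original post. Run on the Windows 10 client while the
# VPN is connected, once with split DNS enabled on the gateway and once without.
param(
    [string]$InternalName = 'host.corp.example',  # assumed: a name inside a SecuRemoteDNS suffix
    [string]$ExternalName = 'www.example.com'     # assumed: a public name outside every suffix
)

Write-Host "== DNS servers per interface (VPN adapter vs. physical adapter) =="
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses | Format-Table -AutoSize

Write-Host "== Name Resolution Policy Table rules (suffix -> resolver), if any =="
$nrpt = Get-DnsClientNrptRule
if ($nrpt) { $nrpt | Select-Object Namespace, NameServers | Format-Table -AutoSize }
else       { Write-Host "no NRPT rules: Windows chooses a resolver per adapter, not per suffix" }

Write-Host "== Smart multi-homed name resolution (SMHNR) policy =="
# Assumed location: the GPO 'Turn off smart multi-homed name resolution' writes this value.
$pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' `
                        -Name DisableSmartNameResolution -ErrorAction SilentlyContinue
if ($pol) { Write-Host "DisableSmartNameResolution = $($pol.DisableSmartNameResolution) (1 = SMHNR off)" }
else      { Write-Host "DisableSmartNameResolution not set: SMHNR is on (Windows default)" }

function Measure-Lookup {
    # Time a DNS-only A lookup (no hosts file, no cache) and report the answer or the error.
    param([string]$Name)
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $answer = Resolve-DnsName -Name $Name -Type A -DnsOnly -ErrorAction Stop |
                  Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
        $result = $answer.IPAddress
    } catch {
        $result = "FAILED: $($_.Exception.Message)"
    }
    $sw.Stop()
    [pscustomobject]@{ Name = $Name; Result = $result; Milliseconds = $sw.ElapsedMilliseconds }
}

Write-Host "== Lookup timing (an external name taking seconds = sent to the VPN resolver first) =="
@($InternalName, $ExternalName) | ForEach-Object { Measure-Lookup $_ } | Format-Table -AutoSize
```

Compare the Milliseconds column for the external name against a run with SMHNR disabled; if only the policy changes the result, the delay is on the Windows resolver side rather than in the SecuRemoteDNS configuration.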