DNS query responds with only one IP to client PC when connected through NetScaler Gateway Full VPN.

Symptoms or Error

If the nslookup command is run from the Windows command prompt of a client PC connected through NetScaler Gateway with full VPN, split tunnel set to "OFF" and DNS configured as "Remote", the output of the command returns only one back-end server IP. When connected to another full VPN, the nslookup output returns approximately 10 back-end server IPs.

If the back-end server IP returned by NetScaler is down or unresponsive, the user is unable to access the resources. Ideally, when the client fails to reach an IP that is down or unresponsive, it tries another IP; in this case, however, the request fails because NetScaler Gateway provides only one IP.

Solution

To resolve this issue, run the following commands from the NetScaler shell prompt:

root@ns# echo "/netscaler/nsapimgr -ys enable_vpn_dns_override=1" >> /nsconfig/rc.netscaler
root@ns# echo "/netscaler/nsapimgr -ys enable_vpn_dnstruncate_fix=1" >> /nsconfig/rc.netscaler
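The two echo commands above append a new line every time they are re-run, so an administrator who applies the fix twice ends up with duplicate entries in rc.netscaler. The following POSIX sh script is an added example (not Citrix's code) that persists the same two knobs idempotently and verifies the result; the file path is a parameter so it can be tested against a scratch file before touching /nsconfig/rc.netscaler.

```shell
#!/bin/sh
# Added example, not from the Citrix article: idempotently persist the two
# nsapimgr knobs named in the article in /nsconfig/rc.netscaler and verify
# that each one is present exactly once.

NSAPIMGR=/netscaler/nsapimgr   # path of the nsapimgr binary on the appliance

# persist_knob FILE KNOB
# Appends "/netscaler/nsapimgr -ys KNOB=1" to FILE unless an identical line
# already exists. Returns 0 if the line was added, 1 if it was already there.
persist_knob() {
    file=$1
    knob=$2
    line="$NSAPIMGR -ys $knob=1"
    [ -f "$file" ] || : > "$file"          # create the file if it is missing
    if grep -qxF -- "$line" "$file"; then  # exact whole-line match only
        return 1
    fi
    printf '%s\n' "$line" >> "$file"
    return 0
}

# knob_persisted FILE KNOB
# Returns 0 only if FILE carries the knob line exactly once (no duplicates).
knob_persisted() {
    n=$(grep -cxF -- "$NSAPIMGR -ys $2=1" "$1" 2>/dev/null || true)
    [ "${n:-0}" -eq 1 ]
}

# fix_vpn_dns FILE
# Persists both knobs from the article and returns 0 if both are now present
# exactly once. Safe to run repeatedly.
fix_vpn_dns() {
    for k in enable_vpn_dns_override enable_vpn_dnstruncate_fix; do
        persist_knob "$1" "$k" || true     # "already present" is not an error
    done
    knob_persisted "$1" enable_vpn_dns_override &&
        knob_persisted "$1" enable_vpn_dnstruncate_fix
}

# On the appliance: fix_vpn_dns /nsconfig/rc.netscaler && echo "knobs persisted"
```

rc.netscaler is executed at boot, so lines persisted this way take effect at the next restart; to apply the knobs to the running appliance, run the two nsapimgr commands interactively as well.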

Problem Cause

In the current DNS handling, the NetScaler Gateway plugin sends a "GET /DNS" request for each DNS (or WINS) lookup. When NetScaler receives such a request, it creates an actual DNS packet and sends it to the DNS server configured on NetScaler.

When NetScaler receives the response from the DNS server, it sends a single resolved IP to the NetScaler Gateway plugin, and the plugin in turn passes it to the requesting application. Therefore, because of this design, every DNS lookup returns only one IP.

NetScaler provides two nsapimgr knobs (described in the Additional Resources section) for controlling this behavior. If you configure these knobs on NetScaler, the NetScaler Gateway plugin sends DNS query packets transparently to the configured DNS server, and the DNS response is also received transparently.

Additional Resources

nsapimgr -ys enable_vpn_dns_override=1

This flag is sent to the NetScaler Gateway VPN client along with the other configuration parameters. Without this flag, when the VPN client intercepts a DNS/WINS request, it sends a corresponding "GET /DNS" HTTP request to the NetScaler Gateway virtual server over the tunnel in order to get the resolved IP. However, if the 'enable_vpn_dnstruncate_fix' flag is set, the VPN client forwards the DNS/WINS requests transparently to the NetScaler Gateway virtual server. This means the DNS packet is sent as is to the NetScaler Gateway virtual server over the VPN tunnel. This helps in cases where the DNS records coming back from the name servers configured on the NetScaler Gateway are large and do not fit in the UDP response packet. In this case, when the client falls back to TCP-DNS, the TCP-DNS packet reaches the NetScaler Gateway server as is, and the NetScaler Gateway server therefore makes a TCP-DNS query to a DNS server.

nsapimgr -ys enable_vpn_dnstruncate_fix=1

This flag is used by the NetScaler Gateway server itself. If this flag is set, NetScaler Gateway overrides the destination of "TCP connections on the DNS port" to the DNS servers configured on NetScaler Gateway (instead of trying to send them to the DNS server IP originally present in the incoming TCP-DNS packet). For UDP DNS requests, the default is already to use the configured DNS servers for DNS resolution.
