Cloud SWG: 'DNS_PROBE_FINISHED_NXDOMAIN' error when browsing websites

search cancel

Cloud SWG: 'DNS_PROBE_FINISHED_NXDOMAIN' error when browsing websites

book

Article ID: 173590

calendar_today

Updated On:

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Users get a 'DNS_PROBE_FINISHED_NXDOMAIN' error message when they browse the Internet, however, the page does load successfully if you try it several times.

This issue only happens when connected through the WSS Agent (WSSA).

This site can't be reached: DNS_PROBE_FINISHED_NXDOMAIN

Environment

Cloud Secure Web Gateway (Cloud SWG, formerly WSS)

Cause

If the computer prefers IPv6 over IPv4 and if the "Allow IPv6 traffic" option is disabled in the Cloud SWG Portal, then this issue can occur.

NOTE: For stronger security with WSSA, it is recommended that "Allow IPv6 traffic" be DISABLED.

If the computer prefers IPv6, then DNS queries are first attempted with AAAA (IPv6) DNS requests...instead of A (IPv4) DNS queries. And if "Allow IPv6 traffic" is disabled (recommended), then IPv6 DNS queries are blocked...which results in the "NXDOMAIN" error. This is expected behavior.

Resolution

There are a few potential solutions to this issue. And it may require a combination of these to fully resolve the issue:

Update network drivers.
Prefer IPv4 over IPv6 on the client computer.
- Microsoft's article Guidance for configuring IPv6 in Windows for advanced users gives instructions on how to set IPv4 as the preferred protocol.
- This step is useful if you have a requirement to run both the IPv4 and IPv6 network stacks.
Disable IPv6 on the client computer. (NOTE: Microsoft recommends using "Prefer IPv4 over IPv6" instead of fully disabling IPv6)

Additional Information

WSS Agent - IPv6 support

Feedback

thumb_up Yes

thumb_down No