AppGate DNS Policies and NSLookup


AppGate DNS policies use the Name Resolution Policy Table (NRPT). The NRPT is a feature exclusive to Windows operating systems that lets administrators define specific DNS servers for different namespaces, essentially controlling where DNS resolution requests are sent based on the domain name being queried. See https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn593632(v=ws.11). When Windows performs DNS name resolution, it checks the NRPT before it sends a DNS query. If a query matches an entry in the NRPT, it is handled according to the settings in that entry. Queries that do not match an NRPT entry are sent to the default DNS servers in the normal manner. If DNS has been configured using a DNS policy, "ipconfig /all" will not show the DNS servers configured by AppGate SDP. Instead, use the following PowerShell command to check the effective settings:

Get-DnsClientNrptPolicy -Effective

Additionally, nslookup on Windows does not use the OS resolver, so the NRPT settings are ignored. The better way to check the true DNS resolution is to use the ping command:

ping hostname

or the DnsClient cmdlet Resolve-DnsName instead.

Using nslookup with a second argument that designates a DNS name server should also generally work. If the DNS name server is omitted, nslookup uses the default DNS server, which will not return accurate results when NRPT/AppGate DNS policies are in use.

nslookup hostname <dns server>
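As an added example that is not part of the original article and not AppGate's own tooling, the following PowerShell script ties the commands above together: it lists the effective NRPT rules, works out which rule (if any) covers a given hostname, resolves the name through the Windows resolver with Resolve-DnsName, and then runs nslookup both without and with the rule's name server so the two answers can be compared. It assumes Windows 8 / Server 2012 or later with the DnsClient module; the function names and the hostname 'app.internal.example' are placeholders chosen for illustration.

```powershell
# Added diagnostic script (not from the AppGate article or product): shows the
# effective NRPT rules, finds the rule covering a hostname, then resolves it
# through the Windows resolver and through nslookup so the answers can be
# compared. Assumes Windows 8 / Server 2012 or later with the DnsClient module.
# The hostname at the bottom is a placeholder, not a real AppGate host.

function Test-NrptMatch {
    # Return $true when an NRPT rule's Namespace covers $Name.
    # A Namespace beginning with '.' is a suffix rule (the domain and everything
    # under it); any other Namespace is an exact-name rule.
    param([string]$Name, [string]$Namespace)
    $n  = $Name.ToLowerInvariant().TrimEnd('.')
    $ns = $Namespace.ToLowerInvariant().TrimEnd('.')
    if ($ns.StartsWith('.')) {
        return ($n.EndsWith($ns) -or $n -eq $ns.TrimStart('.'))
    }
    return ($n -eq $ns)
}

function Compare-NrptResolution {
    param([Parameter(Mandatory = $true)][string]$Hostname)

    # 1. Effective NRPT rules: Namespace is the suffix/name the rule applies to,
    #    NameServers is where the Windows resolver sends matching queries.
    $rules = @(Get-DnsClientNrptPolicy -Effective)
    if ($rules.Count -eq 0) {
        Write-Host 'No effective NRPT rules; every query goes to the interface DNS servers.'
    } else {
        Write-Host 'Effective NRPT rules:'
        $rules | Select-Object Namespace, NameServers | Format-Table -AutoSize | Out-String | Write-Host
    }

    # 2. Pick the most specific (longest) matching rule, as the resolver does.
    $match = $rules |
        Where-Object { Test-NrptMatch -Name $Hostname -Namespace $_.Namespace } |
        Sort-Object { $_.Namespace.Length } -Descending |
        Select-Object -First 1

    if ($match) {
        Write-Host "NRPT rule '$($match.Namespace)' covers $Hostname; resolver uses: $($match.NameServers -join ', ')"
    } else {
        Write-Host "No NRPT rule covers $Hostname; the interface DNS servers will be used."
    }

    # 3. Resolve through the OS resolver. This is the path ping and applications
    #    take, so it honours NRPT.
    try {
        $a = Resolve-DnsName -Name $Hostname -Type A -ErrorAction Stop |
            Where-Object { $_.Type -eq 'A' }
        Write-Host "Resolve-DnsName (OS resolver): $($a.IPAddress -join ', ')"
    } catch {
        Write-Host "Resolve-DnsName failed: $($_.Exception.Message)"
    }

    # 4. nslookup with no server argument talks to the default server directly and
    #    bypasses NRPT; with the rule's name server as the second argument it
    #    should agree with Resolve-DnsName. A mismatch between the two nslookup
    #    runs is expected when a policy applies and is not a DNS fault.
    Write-Host "`nnslookup, default server (NRPT bypassed):"
    & nslookup $Hostname 2>&1 | Write-Host
    if ($match -and $match.NameServers) {
        $srv = @($match.NameServers)[0]   # @() guards against a single string being indexed by character
        Write-Host "`nnslookup, NRPT server ${srv}:"
        & nslookup $Hostname $srv 2>&1 | Write-Host
    }
}

# Usage: replace the placeholder with a hostname covered by an AppGate DNS policy.
Compare-NrptResolution -Hostname 'app.internal.example'
```

Run it from a PowerShell session on the client where the AppGate policy is applied. If Resolve-DnsName and the second nslookup run agree while the first nslookup run returns something else (or NXDOMAIN), the policy is working as intended and nslookup without a server argument is simply not consulting the NRPT.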

Below are links to relevant articles about looking up addresses:

Stack Overflow article about NRPT and DNS queries:

Superuser article about nslookup vs ping and resolve dnsname commands:

The remarks section talks about omitting the DNS name server:

  1. https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/nslookup