AppGate DNS policies and nslookup


AppGate DNS policies use the Name Resolution Policy Table (NRPT). When Windows performs DNS name resolution, it checks the NRPT before it sends a DNS query. If a DNS query matches an entry in the NRPT, it is handled according to the settings in the table; DNS queries that do not match an NRPT entry are processed normally. If DNS has been configured using a DNS policy, ipconfig /all will not show the DNS servers configured by AppGate SDP. Instead, use the following PowerShell command to check the effective settings: Get-DnsClientNrptPolicy -Effective

Additionally, nslookup on Windows does not use the OS resolver, so the NRPT settings are not applied. Because of this we recommend using the ping command to check DNS resolution, or the following DnsClient cmdlet instead: Resolve-DnsName

Using nslookup with a second argument designating a DNS name server should also generally work. If the DNS name server is omitted, nslookup uses the default DNS name server, which does not honour NRPT/AppGate DNS policies and so will not provide accurate data when they are in use.

Also, nslookup was not designed to test whether a user's OS is resolving against the correct server; it is for looking up names against a specific, explicitly defined server. As the platform has evolved, nslookup has not been updated to work with more modern functionality such as NRPT, whereas the DnsClient cmdlets have. The DnsClient cmdlets also provide enhanced functionality and more flexible output. For example, nslookup returns text that you need to parse manually, whereas Resolve-DnsName returns an object that can be manipulated using standard PowerShell commands, and it accepts various parameters that allow customization of the DNS queries.
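The following PowerShell script is an added example for this article; it is not AppGate's own code. It ties the points above together: it looks up which effective NRPT rule covers a name (Get-DnsClientNrptPolicy -Effective), resolves the name through the OS resolver with Resolve-DnsName so the NRPT is honoured, and then runs nslookup with the NRPT name server passed explicitly as the second argument so that its answer is comparable. The namespace-matching logic (longest suffix match for ".suffix" entries, exact match otherwise) is a simplified approximation and an assumption of this example, not Windows' full NRPT matching algorithm; the hostname in the usage comment is a placeholder.

```powershell
# Added example (not AppGate's own code): check which NRPT rule applies to a name,
# then resolve it both via the OS resolver (Resolve-DnsName) and via nslookup
# pointed explicitly at the NRPT name server. Namespace matching below is a
# simplified approximation of Windows' rules (longest suffix match for ".suffix"
# entries, exact match otherwise) and is an assumption, not AppGate's algorithm.

function Get-NrptRuleForName {
    param([Parameter(Mandatory)][string]$Name)

    $fqdn  = $Name.TrimEnd('.').ToLowerInvariant()
    $rules = Get-DnsClientNrptPolicy -Effective

    # Longest matching namespace wins, mirroring most-specific-rule behaviour.
    $match = $rules | Where-Object {
        $ns = $_.Namespace.ToLowerInvariant()
        if ($ns.StartsWith('.')) {
            # ".corp.example" matches "host.corp.example" and "corp.example" itself
            $fqdn.EndsWith($ns) -or ($fqdn -eq $ns.TrimStart('.'))
        } else {
            $fqdn -eq $ns
        }
    } | Sort-Object { $_.Namespace.Length } -Descending | Select-Object -First 1

    return $match
}

function Test-NrptResolution {
    param([Parameter(Mandatory)][string]$Name)

    $rule = Get-NrptRuleForName -Name $Name
    if ($null -eq $rule) {
        Write-Host "No effective NRPT rule matches '$Name'; the default resolver path applies."
    } else {
        Write-Host "NRPT rule '$($rule.Namespace)' applies; name servers: $($rule.NameServers -join ', ')"
    }

    # Resolve-DnsName goes through the OS resolver, so NRPT is honoured.
    # -DnsOnly restricts the query to the DNS protocol (no LLMNR/NetBIOS fallback).
    try {
        $answers = Resolve-DnsName -Name $Name -Type A -DnsOnly -ErrorAction Stop
        $ips = $answers | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }
        Write-Host "Resolve-DnsName: $($ips -join ', ')"
    } catch {
        Write-Host "Resolve-DnsName failed: $($_.Exception.Message)"
    }

    # nslookup bypasses the OS resolver, so it only gives a comparable answer when
    # the NRPT name server is passed explicitly as the second argument.
    if ($rule -and $rule.NameServers) {
        $server = $rule.NameServers[0]
        Write-Host "nslookup against NRPT server ${server}:"
        nslookup.exe $Name $server 2>&1 | Out-String | Write-Host
    }
}

# Usage (the hostname is a placeholder; substitute a name covered by an AppGate DNS policy):
# Test-NrptResolution -Name 'app.internal.example'
```

If Resolve-DnsName returns an address but a bare nslookup (with no server argument) does not, that is the expected behaviour this article describes rather than a fault in the policy; the explicit-server nslookup call in the script is the one whose answer should agree with Resolve-DnsName.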

Below are links to relevant articles. In addition, we have reached out to Microsoft and requested improved documentation around the use of nslookup with NRPT.

Stack Overflow question about NRPT and DNS queries:

https://stackoverflow.com/questions/60144350/why-dont-nrpt-rules-affect-dns-queries-on-my-windows-10-box

Super User question about nslookup versus the ping and Resolve-DnsName commands:

https://superuser.com/questions/1326894/nslookup-fails-while-ping-a-and-resolve-dnsname-dnsonly-succeeds

The Remarks section of the Microsoft nslookup documentation discusses omitting the DNS name server:

https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/nslookup