Ran into a strange issue with the Instant VPN.
Users are able to connect no problem, and they have IP connectivity to the network through the VPN. When connected to Wireless or Ethernet on the IAP, they are placed into VLAN 13, and they get their IP configuration from the DHCP server on that VLAN as expected.
However, name resolution is failing for internal domains. They are able to contact their DNS server, and when manually running nslookup they are able to successfully query external domains, e.g. google.com. But if they try to query any internal names, such as "host1" or even the FQDN "host1.customer.com", it returns the error "non-existent domain".
If they plug a device directly into VLAN 13, they get the same DHCP config & the same DNS server, and it responds correctly.
Is the IAP somehow intercepting DNS queries and responding on behalf of the DNS server?