This document provides answers to questions on the differences in how different operations support systems (OSS) handle DNS queries and their affect on domain name resolution with AnyConnect.
Q. What are the differences in the ways different OSS platforms handle DNS queries, and how does that affect domain name resolution with AnyConnect and split or full tunneling?
When you use split-include tunneling, you have three options for DNS:
- Split-DNS — DNS queries that match the domain names configured on the Adaptive Security Appliance (ASA) go through the tunnel, for example, to the DNS servers defined on the ASA, and others do not.
- Tunnel-all-DNS — only DNS traffic to the DNS servers defined on the ASA is allowed. This setting is configured in the group policy.
- Standard DNS — all DNS queries go through the DNS servers defined by the ASA and in the case of a negative response, may also go to the DNS servers configured on the physical adapter.
In all cases, the DNS queries defined to go through the tunnel go to any DNS servers defined on the ASA. In particular, if there are no DNS servers defined on the ASA, then the DNS settings are blank for the tunnel. This also means that, ideally, if you do not have split-DNS defined, then all DNS queries are sent to the DNS server defined by the ASA. However, in reality, the behaviors described in this document can be different, dependent on the operating system.
True Versus Best Effort Split DNS
AnyConnect Release 2.4 supports Split DNS Fallback (best effort split DNS), which is not true split DNS found in the legacy IPSec client. If the request matches a split DNS domain, AnyConnect allows the request to be tunneled in to the ASA. If the server cannot resolve the host name, the DNS resolver continues and sends the same query to the DNS server mapped to the physical interface. On the other hand, if the request does not match any of the split DNS domains, AnyConnect does not tunnel it in to the ASA. Instead, it builds a DNS response so that the DNS resolver falls back and sends the query to the DNS server mapped to the physical interface. That is why this feature is not called split DNS, but DNS fallback for split tunneling. In other words, not only does AnyConnect assure that only requests which target split-DNS domains are tunneled in, it also relies on the client operating system DNS resolver's behavior for host name resolution.
This raises security concerns due to potential private domain name leak. For example, the native DNS client can send a query for a private domain name to a public DNS server, specifically when the VPN DNS name server could not resolve the DNS query.
Refer to bug CSCtn14578, currently resolved on Windows only, as of 3.0.4235. The solution implements true split DNS; it strictly queries the configured domain names that match and are allowed to the VPN DNS servers. All other queries are only allowed to other DNS servers, such as those configured on the physical adapter(s).
"Tunnel all" and "Tunnel all DNS"
When split tunneling is disabled (the tunnel-all configuration), DNS traffic is allowed strictly via the tunnel. Similarly, when the tunnel all DNS configuration, which sends all DNS lookups through the tunnel, is configured in the group policy, along with some sort of split tunneling, DNS traffic is allowed strictly via the tunnel.
This is consistent across platforms, with these caveats on Windows:
When any of tunnel-all or tunnel all DNS is configured, AnyConnect allows DNS traffic strictly to the DNS servers configured on the secure gateway (applied to the VPN adapter). This is a security enhancement implemented along with the previously mentioned true split DNS solution.
If this proves problematic in certain scenarios (for example DNS update/registration requests need to be sent to non-VPN DNS servers), the two-step workaround is:
- If the current configuration is tunnel-all: enable split-exclude tunneling, any bogus one host split-exclude network works, such as a link-local address.
- Ensure tunnel all DNS is not configured in the group policy.
DNS Performance Issue Resolved in AnyConnect 3.0.4325
This Windows-specific issue is mostly prevalent under these conditions:
- Home router setup: this where the DNS and DHCP servers are assigned the same IP address (AnyConnect creates a necessary route to the DHCP server);
- A large number of DNS domains are in the group policy;
- Tunnel-all configuration;
- Name resolution performed by a non-qualified host name, which implies that the resolver needs to try a number of DNS suffixes on all available DNS servers until the one relevant to the queried host name is attempted.
The issue is due to the native DNS client that attempts to send DNS queries via the physical adapter, of which AnyConnect blocks (given the tunnel-all configuration). This leads to a name resolution delay. From customer experience, this delay is sometimes significant, especially for a large number of DNS suffixes pushed by head end, since the DNS client needs to walk through all of them (and all available DNS servers) until it receives a positive response.
However, if an upgrade cannot be implemented, then the possible workarounds are:
- Enable split-exclude tunneling for one bogus IP Address, which allows local DNS requests to flow through the physical adapter. You can use an address from the linklocal subnet 169.254.0.0/16 because it is unlikely that any device sends traffic to one of those IP addresses over the VPN. After you enable the split exclude, remember to enable local LAN access on the client profile or on the client itself, and disable tunnel all DNS. On the ASA, the configuration changes are listed here:
access-list acl_linklocal_169.254.1.1 standard permit host 169.254.1.1
group-policy gp_access-14 attributes
split-tunnel-network-list value acl_linklocal_169.254.1.1
On the client profile, you only need to add this line:
You can also enable this on a per-client basis in the AnyConnect client GUI. Navigate to the AnyConnect Preference menu, and check the Enable local LAN access option.
- Use the fully qualified domain names (FQDNs) instead of the unqualified hostnames for the name resolutions.
- Use a different IP address for the DNS server on the physical interface.
Q. How Does Each Operating System Deal with DNS?
There is a difference in the way different operating systems handle DNS searches when used with split tunneling (without split DNS) for AnyConnect.
On Windows, DNS settings are per-interface. This means that, if split tunneling is used, DNS queries can fall back to the physical adaptor's DNS servers if the query failed on the VPN tunnel adaptor. If split tunneling without split DNS is defined, then both internal and external DNS resolution works because it falls back to the external DNS servers.
In MAC, the DNS settings are global. Thus, if split tunneling is used, but split DNS is not used, it is not possible for DNS queries to go to DNS servers outside of the tunnel. You can only resolve internally, not externally. This is documented in the bugs CSCtf20226 and CSCtz86314. In both cases, this work around should resolve the issue:
- Specify an external DNS server IP address under the group-policy and use FQDN for
internal DNS queries
- If external names are resolvable via the tunnel, disable split DNS by removing the
DNS names configured in the group policy, under Advanced > Split Tunneling.
This requires using FQDN for internal DNS queries.
- The split-DNS case has been resolved in AnyConnect 3.1, with these caveats:
* split-DNS must be enabled for both IP protocols (requires ASA v9.0 or later);
* split-DNS must be enabled for one IP protocol
(if ASA has v9.0 or later: client bypass protocol for the other IP protocol,
for example, no address pool and Client Bypass Protocol enabled in the group policy
if ASA is earlier than v9.0: no address pool configured for the other IP protocol;
this implies that this other IP protocol is IPv6.)
iPhone is the complete opposite of MACs, and it is not the same as Windows. If split tunneling is defined but split DNS is not defined, then DNS queries go out through the global DNS server defined. For example, split DNS domain entries are mandatory for internal resolution. This behavior is documented in bug CSCtq09624 and is fixed in the latest 2.5.4038 version for the iOS AnyConnect client.
- CSCsv34395 - Add support in AnyConnect for proxying the FQDN to DHCP server
- CSCtn14578 - AnyConnect to support true split DNS; not fallback
- CSCtq02141 - AnyConnect DNS issue when ISP DNS is on same subnet as Public IP
- CSCtn14578 - AnyConnect to support true split DNS; not fallback
- CSCtf20226 - Make AnyConnect DNS w/ split tunnel behavior for Mac same as windows
- CSCtz86314 - Mac: DNS queries incorrectly not sent via the tunnel with split-DNS
- CSCtq09624 - Make AnyConnect iPhone DNS w/ split tunneling behavior same as Windows
- CSCts89292 - AC for iPhone DNS queries ignore .local domains
- Cisco IOS Firewall
- Technical Support & Documentation - Cisco Systems
The Cisco Support Community is a forum for you to ask and answer questions, share suggestions, and collaborate with your peers.
Refer to Cisco Technical Tips Conventions for information on conventions used in this document.