topic Re: AnyConnect MAC OSX exclude/include DNS not working in Network Security

AnyConnect MAC OSX exclude/include DNS not working

the-lebowski — Thu, 10 Jul 2025 20:16:55 GMT

I am trying to get this working to no avail. Whether I exclude the domain I want to resolve locally or include the domain I want to resolve through the tunnel the client sends all requests through the tunnel. I am specifying a DNS server on the group policy, 100.64.64.64 and it appears that regardless of whatever domain I try to dig 100.64.64.64 is always the responder. When I split exclude the users local DNS should be giving the answer but it isn't. "Send All DNS lookups through the tunnel" is set to no and I can see the domains on the include/exclude via AnyConnect client when either attribute is applied to that GP. But neither work to send a specific domain locally or a specific domain through the tunnel. All DNS is still being sent through the tunnel no matter what.

Any idea why this is?

group-policy test-GP attributes
 dns-server value 100.64.64.64
 vpn-idle-timeout 240
 vpn-session-timeout 840
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value tunnel-networks
 client-bypass-protocol enable
 msie-proxy lockdown disable
 anyconnect-custom dynamic-split-include-domains value inside-domain

anyconnect-custom-attr dynamic-split-exclude-domains description dynamic dns split tunneling
anyconnect-custom-attr dynamic-split-include-domains description dynamic include tunneling\n

anyconnect-custom-data dynamic-split-exclude-domains outside-domain outside.test.com
anyconnect-custom-data dynamic-split-include-domains inside-domain inside.test.com

Re: AnyConnect MAC OSX exclude/include DNS not working

MHM Cisco World — Thu, 10 Jul 2025 20:18:34 GMT

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116016-technote-AnyConnect-00.html

Not all OS behaive same for DNS

Check this link

MHM

Re: AnyConnect MAC OSX exclude/include DNS not working

the-lebowski — Thu, 10 Jul 2025 20:23:36 GMT

I saw that link but not clear on how that helps, Its MAC OSX v4 only...and I think this section applies? Only using v4 and no v6 configured anywhere. If so it should work but it doesn't. I am really just trying to send a single domain across the tunnel and allow everything else to resolve locally. Can I do that with AC and OSX?

Split-DNS (tunnel-all DNS disabled, split-include configured) If split-DNS is enabled for both IP protocols (IPv4 and IPv6) or it is only enabled for one protocol and there is no address pool configured for the other protocol: True split-DNS, similar to Windows, is enforced. True split-DNS means that request which matches with the split-DNS domains are only resolved via the tunnel, they are not leaked to DNS servers outside the tunnel.

Re: AnyConnect MAC OSX exclude/include DNS not working

MHM Cisco World — Thu, 10 Jul 2025 21:20:37 GMT

Hi friend

The config you share in your real post is for dynamic split traffic not split dns

For split dns you need such as below

group-policy MY-GP internal
group-policy MY-GP attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value MY_ACL
split-dns value company.local internal.company
dns-server value 10.1.1.1 10.2.2.2

The ACL of split must inlcude the internal dns server IP

Here your Mac OS will send to resolve this internal.company via internal DNS server

MHM

Re: AnyConnect MAC OSX exclude/include DNS not working

the-lebowski — Fri, 11 Jul 2025 22:31:09 GMT

group-policy DNS-GP attributes dns-server value 100.64.64.64 100.64.64.65 vpn-idle-timeout 240 vpn-session-timeout 840 vpn-tunnel-protocol ssl-client split-tunnel-policy tunnelspecified split-tunnel-network-list value Tunnel-VPN split-dns value inside.test.com split-tunnel-all-dns disable client-bypass-protocol enable msie-proxy lockdown disable

That should do it or nah?

Re: AnyConnect MAC OSX exclude/include DNS not working

MHM Cisco World — Sat, 12 Jul 2025 12:17:01 GMT

correct

the domain inside.test.com must resolve by internal DNS server

MHM

Re: AnyConnect MAC OSX exclude/include DNS not working

wajidhassan — Sat, 12 Jul 2025 16:42:25 GMT

Hi @the-lebowski ,

It sounds like the DNS split tunneling isn’t working as expected on your Mac. A few things to double-check:

Make sure “Send All DNS Lookups Through the Tunnel” is set to No everywhere (group policy and profile).
Confirm your split DNS domains are correctly set and pushed in the AnyConnect profile.
macOS can be tricky with DNS caching—try flushing the DNS cache or rebooting the device.
Also, check if the DNS server (100.64.64.64) is reachable and responding properly.

Split DNS on Mac can be a bit finicky, so testing on a Windows client might help narrow down the issue.

Hope this helps!

Re: AnyConnect MAC OSX exclude/include DNS not working

the-lebowski — Mon, 14 Jul 2025 14:58:03 GMT

Ok, I think this fixed it.

Thanks for your help.