topic Re: Split-DNS value not passing to Mac OS X IPSec client in Network Security

Split-DNS value not passing to Mac OS X IPSec client

petersonmd — Fri, 21 Feb 2020 11:31:41 GMT

I have a MacOS X IPSec client that isn't receiving the split-dns setup from my ASA 5505.

Here's the relevant data from my ASA device:

group-policy vpnpolicy attributes

wins-server none

dns-server value 192.168.1.3

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

split-tunnel-policy tunnelspecified

split-tunnel-network-list value split_tunnel_list

default-domain value workdomain1.com

split-dns value workdomain1.com workdomain2.com.local

tunnel-group myvpn type remote-access

tunnel-group myvpn general-attributes

address-pool vpnpool

authentication-server-group vpn

authentication-server-group (inside) vpn

default-group-policy vpnpolicy

The second domain isn't being passed to the client. Here's the resolv.conf before/after IPSec connection:

mark-petersons-macbook-pro:~ peterson$ more /etc/resolv.conf

domain myhomedomain.net

nameserver 68.94.156.1

nameserver 151.164.8.201

/etc/resolv.conf (END)

mark-petersons-macbook-pro:~ peterson$ more /etc/resolv.conf

domain workdomain1.com

search workdomain1.com

nameserver 68.94.156.1

nameserver 151.164.8.201

/etc/resolv.conf (END)

Any ideas what the problem could be?

Re: Split-DNS value not passing to Mac OS X IPSec client

smalkeric — Mon, 29 Jun 2009 20:29:15 GMT

When an ISP's DNS server is included in the Split Tunneling Network List and Split DNS Names are configured, all DNS queries to domains other than those in the Split DNS Names list are not resolved.

By definition, split DNS is used so that only certain domains get resolved by corporate DNS servers, while rest go to public (ISP-assigned) DNS servers. To enforce this feature, the VPN Client directs DNS queries that are about hosts on the Split DNS Names list to corporate DNS servers, and discards all DNS queries that are not part of the Split DNS Names list.

The problem occurs when the ISP-assigned DNS servers are in the range of the Split Tunneling Network List. In that case, all DNS queries for non-split-DNS domains are discarded by the VPN Client.

To avoid this problem, remove the ISP-assigned DNS server from the range of the Split Tunneling Network List, or do not configure split DNS (CSCee66180).

Re: Split-DNS value not passing to Mac OS X IPSec client

petersonmd — Mon, 29 Jun 2009 20:42:01 GMT

I'm not quite sure I understand. My home ISP is assigning me two DNS servers - 69.94.156.1 and 151.164.8.201. My corporate DNS server - as configured by my VPN settings on the ASA - is 192.168.1.3.

There is no overlap between my split-tunnel list and the 2 ISP-assigned DNS servers. The split-tunnel list includes 192.168.1.x, 192.168.2.x, 192.168.10.x, and 192.168.99.x. That's it. The problem is that the second domain that I've specified in my search list isn't being passed on to the client. I've even tried switching the order of the domains - no luck.

Any other suggestions?

Re: Split-DNS value not passing to Mac OS X IPSec client

ajamua — Wed, 28 Oct 2009 19:27:39 GMT

Did you get any solutions for this problem? I am experiencing similar issue trying to configure split-dns for my sslVPN users using anyconnect vpn client version 2.3.2016.

Re: Split-DNS value not passing to Mac OS X IPSec client

fashour — Wed, 04 Nov 2009 21:38:29 GMT

Split dns is not supported on Anyconnect...

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/vpngrp.html#wp1135689

Re: Split-DNS value not passing to Mac OS X IPSec client

tunderhay — Thu, 05 Nov 2009 21:02:05 GMT

It is now on AnyConnect 2.4. From the release notes:

New Feature Overviews

The following sections describe the new features in Release 2.4:

â€¢Split DNS Fallback

Split DNS Fallback

If the group policy on the security appliance specifies the names of the domains to be tunneled, AnyConnect tunnels only DNS queries that match those domains. It refuses all other DNS queries. The DNS resolver receives the refusal from the client and retries, this time using the public interface instead of AnyConnect.

This feature requires that you:

â€¢Configure at least one DNS server

â€¢Enable split-tunneling

Re: Split-DNS value not passing to Mac OS X IPSec client

Drew T — Wed, 24 Mar 2010 03:30:09 GMT

Seeing a similar issue with AnyConnect 2.4.1012.

Config I have on a IOS device works perfectly on a Windows client, but on a Mac OS X 10.5 client it's not playing ball.

In terminal, I can do a 'host' on a server that resides at the other end of the SSL VPN, but if I try and ping it, it's replying that the host is unknown:

(host names changed)

acid:~ drew$ ping www.internal.server.com

ping: cannot resolve www.internal.server.com: Unknown host

acid:~ drew$

acid:~ drew$ host www.internal.server.com

www.server.com is an alias for host.server.com.

host.server.com has address 192.168.1.1

host.server.com mail is handled by 0 mx1.server.com.

host.server.com mail is handled by 10 mx2.server.com.

resolv.conf looks fine:

domain server.com

search loc.server.com loc2.server.com server.com loc3.server.com loc4.server.com

nameserver 192.168.1.1

nameserver 192.168.1.2

nameserver 139.130.4.4 (external DNS)

nameserver 139.130.4.5 (external DNS)

All the configs on the IOS router are just using split dns svc's for the domains in the search so it should be happy.

As mentioned, works perfectly in windows but not in mac. Anyone have any ideas?

*edit*

I've updated to the 2.5 beta for intel and it's working now. Apparently there's some problem with 2.4 release not working with the IP stack for the lookup zones and dns servers. I'll stick with the beta until the official one is released.

Re: Split-DNS value not passing to Mac OS X IPSec client

charrellc011699 — Wed, 02 Jun 2010 15:23:32 GMT

Any progress on this issue? I have a MAC user that is experiencing the Split-DNS problem using the IPSEC client as well - only queries for names in the first domain in the Split-DNS list is actually being tunneled to the corporated DNS server.

Has anyone opened a TAC case to work this issue?

Re: Split-DNS value not passing to Mac OS X IPSec client

Drew T — Thu, 03 Jun 2010 01:38:45 GMT

I'm not having an issue with 2.5.0217 client now. They recently released this from Beta. Have you tried that?