AnyConnect MAC OSX exclude/include DNS not working

the-lebowski
Level 4

I am trying to get this working to no avail. Whether I exclude the domain I want to resolve locally or include the domain I want to resolve through the tunnel, the client sends all requests through the tunnel. I am specifying a DNS server on the group policy, 100.64.64.64, and it appears that regardless of whatever domain I try to dig, 100.64.64.64 is always the responder. When I split exclude, the user's local DNS should be giving the answer, but it isn't. "Send All DNS lookups through the tunnel" is set to no, and I can see the domains on the include/exclude via the AnyConnect client when either attribute is applied to that GP. But neither works to send a specific domain locally or a specific domain through the tunnel. All DNS is still being sent through the tunnel no matter what.

Any idea why this is?


group-policy test-GP attributes
 dns-server value 100.64.64.64
 vpn-idle-timeout 240
 vpn-session-timeout 840
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value tunnel-networks
 client-bypass-protocol enable
 msie-proxy lockdown disable
 anyconnect-custom dynamic-split-include-domains value inside-domain

anyconnect-custom-attr dynamic-split-exclude-domains description dynamic dns split tunneling
anyconnect-custom-attr dynamic-split-include-domains description dynamic include tunneling

anyconnect-custom-data dynamic-split-exclude-domains outside-domain outside.test.com
anyconnect-custom-data dynamic-split-include-domains inside-domain inside.test.com

3 Replies

I saw that link but I'm not clear on how that helps. It's Mac OSX v4 only... and I think this section applies? Only using v4 and no v6 configured anywhere. If so it should work, but it doesn't. I am really just trying to send a single domain across the tunnel and allow everything else to resolve locally. Can I do that with AC and OSX?

Split-DNS (tunnel-all DNS disabled, split-include configured)

If split-DNS is enabled for both IP protocols (IPv4 and IPv6) or it is only enabled for one protocol and there is no address pool configured for the other protocol:
True split-DNS, similar to Windows, is enforced. True split-DNS means that requests which match the split-DNS domains are only resolved via the tunnel; they are not leaked to DNS servers outside the tunnel.

Hi friend 

The config you shared in your post is for dynamic split tunneling, not split DNS.

For split DNS you need something like the below:

group-policy MY-GP internal
group-policy MY-GP attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value MY_ACL
split-dns value company.local internal.company
dns-server value 10.1.1.1 10.2.2.2

The ACL of the split tunnel must include the internal DNS server IP.

Here your Mac OS will resolve internal.company via the internal DNS server.

MHM
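The consistency check implied by the answer above, as an added example that is not code from this thread or from Cisco: it parses a constructed ASA snippet in the same shape as MHM's group policy and verifies that split-dns domains are present and that every dns-server address falls inside a network of the split-tunnel ACL (the access-list lines and their networks are assumptions made for the example).

```python
import ipaddress
import re

# Constructed sample config (not taken from the thread); the ACL entries are assumed.
SAMPLE_CONFIG = """
access-list MY_ACL standard permit 10.1.1.0 255.255.255.0
access-list MY_ACL standard permit 10.2.2.0 255.255.255.0
group-policy MY-GP internal
group-policy MY-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value MY_ACL
 split-dns value company.local internal.company
 dns-server value 10.1.1.1 10.2.2.2
"""

def parse_group_policy(config):
    """Collect the split-tunnel ACL name, split-dns domains and dns-server addresses."""
    gp = {"acl": None, "split_dns": [], "dns_servers": []}
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("split-tunnel-network-list value "):
            gp["acl"] = line.split()[-1]
        elif line.startswith("split-dns value "):
            gp["split_dns"] = line.split()[2:]
        elif line.startswith("dns-server value "):
            gp["dns_servers"] = line.split()[2:]
    return gp

def parse_acl_networks(config, acl_name):
    """Return the permit entries of a standard ACL as ip_network objects."""
    pat = re.compile(rf"^access-list {re.escape(acl_name)} standard permit (\S+) (\S+)$")
    nets = []
    for line in config.splitlines():
        m = pat.match(line.strip())
        if m:
            # ipaddress accepts a dotted netmask after the slash
            nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return nets

def check_split_dns(config):
    """Return a list of problems; an empty list means split DNS is consistently configured."""
    gp = parse_group_policy(config)
    problems = []
    if not gp["split_dns"]:
        problems.append("no split-dns domains: the client will use the tunnel DNS for everything")
    if gp["acl"] is None:
        problems.append("no split-tunnel-network-list: split-dns cannot be enforced")
        return problems
    nets = parse_acl_networks(config, gp["acl"])
    for server in gp["dns_servers"]:
        if not any(ipaddress.ip_address(server) in n for n in nets):
            problems.append(f"dns-server {server} is not covered by ACL {gp['acl']}")
    return problems
```

Run `check_split_dns` over your own `show run` output: the original poster's policy would report the missing `split-dns` line, and a DNS server outside the ACL is reported by address.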
