Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
196
Views
0
Helpful
6
Replies

AnyConnect MAC OSX exclude/include DNS not working

the-lebowski
Level 4
Level 4

‎07-10-2025 01:13 PM - edited ‎07-10-2025 01:16 PM

I am trying to get this working to no avail.  Whether I exclude the domain I want to resolve locally or include the domain I want to resolve through the tunnel the client sends all requests through the tunnel.  I am specifying a DNS server on the group policy, 100.64.64.64 and it appears that regardless of whatever domain I try to dig 100.64.64.64 is always the responder.   When I split exclude the users local DNS should be giving the answer but it isn't.   "Send All DNS lookups through the tunnel" is set to no and I can see the domains on the include/exclude via AnyConnect client when either attribute is applied to that GP.   But neither work to send a specific domain locally or a specific domain through the tunnel.  All DNS is still being sent through the tunnel no matter what. 

Any idea why this is?

thelebowski_0-1752178339822.png

group-policy test-GP attributes
 dns-server value 100.64.64.64
 vpn-idle-timeout 240
 vpn-session-timeout 840
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value tunnel-networks
 client-bypass-protocol enable
 msie-proxy lockdown disable
 anyconnect-custom dynamic-split-include-domains value inside-domain

 

anyconnect-custom-attr dynamic-split-exclude-domains description dynamic dns split tunneling
anyconnect-custom-attr dynamic-split-include-domains description dynamic include tunneling\n

anyconnect-custom-data dynamic-split-exclude-domains outside-domain outside.test.com
anyconnect-custom-data dynamic-split-include-domains inside-domain inside.test.com

 

 

0 Helpful
6 Replies 6

the-lebowski
Level 4
Level 4
In response to MHM Cisco World

‎07-10-2025 01:22 PM - edited ‎07-10-2025 01:23 PM

I saw that link but not clear on how that helps, Its MAC OSX v4 only...and I think this section applies? Only using v4 and no v6 configured anywhere.  If so it should work but it doesn't.   I am really just trying to send a single domain across the tunnel and allow everything else to resolve locally.   Can I do that with AC and OSX?

 

Split-DNS (tunnel-all DNS disabled, split-include configured)

If split-DNS is enabled for both IP protocols (IPv4 and IPv6) or it is only enabled for one protocol and there is no address pool configured for the other protocol:
True split-DNS, similar to Windows, is enforced. True split-DNS means that request which matches with the split-DNS domains are only resolved via the tunnel, they are not leaked to DNS servers outside the tunnel.

 

 

0 Helpful

MHM Cisco World
VIP
VIP
In response to the-lebowski

‎07-10-2025 02:20 PM

Hi friend 

The config you share in your real post is for dynamic split traffic not split dns 

For split dns you need such as below 

group-policy MY-GP internal
group-policy MY-GP attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value MY_ACL
split-dns value company.local internal.company
dns-server value 10.1.1.1 10.2.2.2

The ACL of split must inlcude the internal dns server IP

Here your Mac OS will send to resolve this internal.company via internal DNS server 

MHM

0 Helpful

the-lebowski
Level 4
Level 4
In response to MHM Cisco World

‎07-11-2025 03:31 PM

Ok

group-policy DNS-GP attributes
 dns-server value 100.64.64.64 100.64.64.65
 vpn-idle-timeout 240
 vpn-session-timeout 840
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Tunnel-VPN
 split-dns value inside.test.com
 split-tunnel-all-dns disable
 client-bypass-protocol enable
 msie-proxy lockdown disable

That should do it or nah? 

0 Helpful

MHM Cisco World
VIP
VIP
In response to the-lebowski

‎07-12-2025 05:17 AM

correct

the domain inside.test.com must resolve by internal DNS server 

MHM

0 Helpful

wajidhassan
Level 3
Level 3

‎07-12-2025 09:42 AM

Hi @the-lebowski ,

It sounds like the DNS split tunneling isn’t working as expected on your Mac. A few things to double-check:

  • Make sure “Send All DNS Lookups Through the Tunnel” is set to No everywhere (group policy and profile).

  • Confirm your split DNS domains are correctly set and pushed in the AnyConnect profile.

  • macOS can be tricky with DNS caching—try flushing the DNS cache or rebooting the device.

  • Also, check if the DNS server (100.64.64.64) is reachable and responding properly.

Split DNS on Mac can be a bit finicky, so testing on a Windows client might help narrow down the issue.

Hope this helps!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card