07-10-2025 01:13 PM - edited 07-10-2025 01:16 PM
I am trying to get this working to no avail. Whether I exclude the domain I want to resolve locally or include the domain I want to resolve through the tunnel, the client sends all requests through the tunnel. I am specifying a DNS server on the group policy, 100.64.64.64, and it appears that regardless of whatever domain I try to dig, 100.64.64.64 is always the responder. When I split-exclude, the user's local DNS should be giving the answer, but it isn't. "Send All DNS lookups through the tunnel" is set to no, and I can see the domains on the include/exclude via the AnyConnect client when either attribute is applied to that GP. But neither works to send a specific domain locally or a specific domain through the tunnel. All DNS is still being sent through the tunnel no matter what.
Any idea why this is?
group-policy test-GP attributes
 dns-server value 100.64.64.64
 vpn-idle-timeout 240
 vpn-session-timeout 840
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value tunnel-networks
 client-bypass-protocol enable
 msie-proxy lockdown disable
 anyconnect-custom dynamic-split-include-domains value inside-domain

anyconnect-custom-attr dynamic-split-exclude-domains description dynamic dns split tunneling
anyconnect-custom-attr dynamic-split-include-domains description dynamic include tunneling
anyconnect-custom-data dynamic-split-exclude-domains outside-domain outside.test.com
anyconnect-custom-data dynamic-split-include-domains inside-domain inside.test.com
07-10-2025 01:18 PM
Not all OSes behave the same for DNS.
Check this link
MHM
07-10-2025 01:22 PM - edited 07-10-2025 01:23 PM
I saw that link but I'm not clear on how that helps. It's Mac OS X, v4 only... and I think this section applies? Only using v4 and no v6 configured anywhere. If so it should work, but it doesn't. I am really just trying to send a single domain across the tunnel and allow everything else to resolve locally. Can I do that with AC and OSX?
Split-DNS (tunnel-all DNS disabled, split-include configured)
If split-DNS is enabled for both IP protocols (IPv4 and IPv6) or it is only enabled for one protocol and there is no address pool configured for the other protocol:
True split-DNS, similar to Windows, is enforced. True split-DNS means that requests which match the split-DNS domains are only resolved via the tunnel; they are not leaked to DNS servers outside the tunnel.
07-10-2025 02:20 PM
Hi friend
The config you shared in your original post is for dynamic split tunneling, not split DNS.
For split DNS you need something such as the below:
group-policy MY-GP internal
group-policy MY-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value MY_ACL
 split-dns value company.local internal.company
 dns-server value 10.1.1.1 10.2.2.2
The split-tunnel ACL must include the internal DNS server IP.
Here your Mac OS will send requests to resolve internal.company via the internal DNS server.
MHM
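A way to verify on the Mac that the split-DNS configuration in this reply actually took effect, as an added example that is not part of the thread or of Cisco's documentation. It assumes the split-dns domains and DNS servers from the group policy above and a hypothetical outside name www.example.com; the sample scutil --dns text is constructed, and the assumption that AnyConnect installs a per-domain resolver (a "domain :" entry in scutil --dns) for each split-dns domain is labelled as such in the code. One caveat worth knowing when testing with dig, as the original poster did: dig and nslookup on macOS read /etc/resolv.conf and do not consult the per-domain resolvers, so they report the default server whether or not split-DNS is working; dscacheutil -q host -a name goes through the system resolver and does reflect it.

```shell
#!/bin/sh
# Added example (not from the thread or from Cisco): check split-DNS on macOS.
# Assumed values, taken from the reply above or invented for illustration:
#   split-dns domains : company.local internal.company
#   tunnel DNS servers: 10.1.1.1 10.2.2.2
#   outside test name : www.example.com (hypothetical)

SPLIT_DNS_DOMAINS="company.local internal.company"

# split_domain_for NAME
# Prints the split-dns domain that NAME falls under (exact match or a subdomain,
# matched on a label boundary, case-insensitive, trailing dot ignored); prints
# nothing if NAME is outside all split-dns domains.
split_domain_for() {
  _name=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
  for _d in $SPLIT_DNS_DOMAINS; do
    _d=$(printf '%s' "$_d" | tr 'A-Z' 'a-z')
    case "$_name" in
      "$_d"|*."$_d") printf '%s\n' "$_d"; return 0 ;;
    esac
  done
  return 0
}

# expected_path NAME -> "tunnel" or "local": the rule the quoted Cisco text calls
# true split-DNS, where only names under a split-dns domain go to the tunnel DNS.
expected_path() {
  if [ -n "$(split_domain_for "$1")" ]; then echo tunnel; else echo local; fi
}

# scoped_nameservers SCUTIL_OUTPUT DOMAIN
# From `scutil --dns` text, print the nameserver(s) of the resolver block whose
# "domain :" equals DOMAIN. AnyConnect is expected to install such a per-domain
# resolver for each split-dns domain (an assumption about the client's behaviour);
# no output means macOS will use its default resolver for that domain.
scoped_nameservers() {
  printf '%s\n' "$1" | awk -v want="$2" '
    function emit(  i) {
      if (dom == want) for (i = 0; i < n; i++) print ns[i]
      dom = ""; n = 0
    }
    /^resolver #/      { emit() }
    /^ *domain *:/     { dom = $3 }
    /^ *nameserver\[/  { ns[n++] = $3 }
    /^ *$/             { emit() }
    END                { emit() }
  '
}

# Constructed sample of `scutil --dns` output: the default LAN resolver plus a
# per-domain resolver for internal.company pointing at the tunnel DNS servers.
SAMPLE_SCUTIL=$(cat <<'EOF'
DNS configuration

resolver #1
  search domain[0] : home.lan
  nameserver[0] : 192.168.1.1
  if_index : 6 (en0)
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  domain   : internal.company
  nameserver[0] : 10.1.1.1
  nameserver[1] : 10.2.2.2
  flags    : Request A records, Request AAAA records
  reach    : 0x00000002 (Reachable)
  order    : 100000
EOF
)

# live_check NAME (macOS only): compare the expectation with the live resolver
# table, then resolve NAME through the system resolver. dig/nslookup read
# /etc/resolv.conf and ignore the per-domain resolvers, so they would show the
# default server either way; dscacheutil -q host goes through mDNSResponder.
live_check() {
  _n=$1
  _dom=$(split_domain_for "$_n")
  echo "$_n: expected path = $(expected_path "$_n")"
  if [ -n "$_dom" ]; then
    _ns=$(scoped_nameservers "$(scutil --dns)" "$_dom")
    if [ -n "$_ns" ]; then
      echo "per-domain resolver for $_dom: $(printf '%s' "$_ns" | tr '\n' ' ')"
    else
      echo "no per-domain resolver for $_dom in scutil --dns: split-DNS not applied"
    fi
  fi
  dscacheutil -q host -a name "$_n"
}

# Usage on the Mac: sh split-dns-check.sh --live host.internal.company
if [ "${1-}" = "--live" ]; then
  live_check "${2:-host.internal.company}"
fi
```

Run it once with a name under the split-dns domain and once with an outside name: the first should show the tunnel servers in the per-domain resolver and resolve through them, the second should show "local" and resolve through the LAN resolver. If scutil --dns shows no "domain :" entry for the split-dns domain after connecting, the client never applied split-DNS and the group policy (or the client's IPv6 handling noted in the quoted Cisco text) is the place to look.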