Hello,

Are you facing issues with local DNS resolution through the VPN tunnel?

If yes, you can check the group-policy attributes for the specific value.

If you are looking for best practices, you can configure the following three options for DNS with Anyconnect:

1. Split DNS -  The DNS queries which match the domain names, are configured on the Cisco Adaptive Security Appliance (ASA). They move through the tunnel (to the DNS servers that are defined on the ASA, for example) while others do not.
   
   
2. Tunnel-all-DNS - Only DNS traffic to the DNS servers which are defined by the ASA is allowed. This setting is configured in the group policy.
   
   
3. Standard DNS - All of the DNS queries move through the DNS servers which are defined by the ASA. In the case of a negative response, the DNS queries might also go to the DNS servers which are configured on the physical adapter.

You can also check the following link for more clarity on DNS behavior with Anyconnect:

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116016-technote-AnyConnect-00.html#anc1

Regards,

Aditya

Please rate helpful posts

Hi,

Thanks for the reply 

"Split DNS -  The DNS queries which match the domain names, are configured on the Cisco Adaptive Security Appliance (ASA). They move through the tunnel (to the DNS servers that are defined on the ASA, for example) while others do not."

When you say " DNS servers that are defined on the ASA"  means the DNS server's configured on the ASA firewall or in the tunnel or group policy 

The DNS queries which match the domain names, you mean the domain name is configured on the firewall or in the group policy ? 

What if we have  split domain like test.local and test.com ?

 test.com (it's a forward zone in the same test.local dns server (eg:192.168.1.100)
test.com also resolves to  private ip addresses

this is my current configuration
dns domain-lookup Inside
dns server-group DefaultDNS
name-server 192.168.1.100
domain-name test.local

Thanks  

Hello,

All the values would be under the group-policy. You can add multiple values/domains under the group-policy.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s16.html#pgfId-1597902

Hi,

Do we have any options in cisco anyconnect using FTD firewall for blocking non-windows joined machines and allow only domain computers to connect to anyconnect ?

Thanks

Basavaraj

Hi Basavaraj,

You can use machine certificate authentication for AnyConnect users to ensure that only domain machines can join. Config guide - https://www.cisco.com/c/en/us/td/docs/security/firepower/650/configuration/guide/fpmc-config-guide-v65/firepower_threat_defense_remote_access_vpns.html#id_login_via_clientcert

Here you go:

https://community.cisco.com/t5/security-documents/steps-to-configure-group-lock-for-vpn-users-on-microsoft-radius/ta-p/3151643

https://community.cisco.com/t5/security-documents/asa-ssl-vpn-tunnel-group-group-url-and-group-alias-selection/ta-p/3111990

Hi,

If I understand, you are looking to enforce DLP for BYOD users. The best way to do this on the FTD would be to have the BYOD users connect to a separate connection profile/group-policy. I would give this connection a different address pool from the domain users. You can then use application filters on the FTD access policy to block file transfer protocols for the BYOD VPN pool. Keep in mind that FTD is not a true DLP application, but the application filter will help accomplish what you need to do - https://www.cisco.com/c/en/us/td/docs/security/firepower/650/configuration/guide/fpmc-config-guide-v65/rule_management_common_characteristics.html#id_16281

HTH

Hi,

Thanks for the reply . 

I have tried all split-dns ,standard ,tunnel all dns ... Still I cannot resolve (Dns server is reachable from the server ) . I am using anyconnect 4.8 and asa code 9.2 

Please advise