PIX 6.2(2) and Split-DNS

m.brabec
Level 1

We are running a PIX 515 v6.2(2) with Cisco VPN Client 3.5.2C. I was very glad to find a new feature called split-dns.

I tried to implement it similarly to Check Point's split DNS, but without any success.

Since that feature is very helpful but nearly not documented, does anybody know details about the PIX/Client behaviour or how to successfully implement this feature?


gfullage
Cisco Employee

Split DNS is not going to be implemented in the VPN client until v3.6, and even then it will probably only be a client-to-concentrator feature, not a client-to-PIX for a while.

Where are you seeing the split-DNS function? If you're referring to being able to push down a DNS server to the VPN client from the PIX, that's not really split-DNS. Once this DNS server is pushed down, ALL DNS requests from the PC will go to that DNS server from then on.

The domain name that is also pushed down to the client from the PIX is merely the default domain name, so that if a user tries to connect to a hostname, that domain name will be appended to it. Again though, all DNS queries to any domain will still be done to the DNS server that is pushed down.

Glenn,

Take a look at the documentation ("vpngroup group_name split-dns") - I am not talking about the simple/basic configuration....!

Manfred.

Hmmm, correct. It is in the PIX, but still not in the VPN client until v3.6. Split DNS needs to be passed down from the PIX, but it's still a client feature to say that if you're pinging such and such a domain then use this DNS, but if you're pinging this other domain, use that DNS. Similar to the way split tunnelling works, it needs both sides to include the feature, and currently, split-DNS is not in the client.

What's the release schedule for 3.6? Is there any beta client available?
