Showing results for 
Search instead for 
Did you mean: 

Split-DNS value not passing to Mac OS X IPSec client


I have a MacOS X IPSec client that isn't receiving the split-dns setup from my ASA 5505.

Here's the relevant data from my ASA device:

group-policy vpnpolicy attributes

wins-server none

dns-server value

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

split-tunnel-policy tunnelspecified

split-tunnel-network-list value split_tunnel_list

default-domain value

split-dns value

tunnel-group myvpn type remote-access

tunnel-group myvpn general-attributes

address-pool vpnpool

authentication-server-group vpn

authentication-server-group (inside) vpn

default-group-policy vpnpolicy

The second domain isn't being passed to the client. Here's the resolv.conf before/after IPSec connection:

mark-petersons-macbook-pro:~ peterson$ more /etc/resolv.conf




/etc/resolv.conf (END)

mark-petersons-macbook-pro:~ peterson$ more /etc/resolv.conf





/etc/resolv.conf (END)

Any ideas what the problem could be?

12 Replies 12

Frequent Contributor
Frequent Contributor

When an ISP's DNS server is included in the Split Tunneling Network List and Split DNS Names are configured, all DNS queries to domains other than those in the Split DNS Names list are not resolved.

By definition, split DNS is used so that only certain domains get resolved by corporate DNS servers, while rest go to public (ISP-assigned) DNS servers. To enforce this feature, the VPN Client directs DNS queries that are about hosts on the Split DNS Names list to corporate DNS servers, and discards all DNS queries that are not part of the Split DNS Names list.

The problem occurs when the ISP-assigned DNS servers are in the range of the Split Tunneling Network List. In that case, all DNS queries for non-split-DNS domains are discarded by the VPN Client.

To avoid this problem, remove the ISP-assigned DNS server from the range of the Split Tunneling Network List, or do not configure split DNS (CSCee66180).

I'm not quite sure I understand. My home ISP is assigning me two DNS servers - and My corporate DNS server - as configured by my VPN settings on the ASA - is

There is no overlap between my split-tunnel list and the 2 ISP-assigned DNS servers. The split-tunnel list includes 192.168.1.x, 192.168.2.x, 192.168.10.x, and 192.168.99.x. That's it. The problem is that the second domain that I've specified in my search list isn't being passed on to the client. I've even tried switching the order of the domains - no luck.

Any other suggestions?

Did you get any solutions for this problem? I am experiencing similar issue trying to configure split-dns for my sslVPN users using anyconnect vpn client version 2.3.2016.

It is now on AnyConnect 2.4. From the release notes:

New Feature Overviews

The following sections describe the new features in Release 2.4:

•Split DNS Fallback

Split DNS Fallback

If the group policy on the security appliance specifies the names of the domains to be tunneled, AnyConnect tunnels only DNS queries that match those domains. It refuses all other DNS queries. The DNS resolver receives the refusal from the client and retries, this time using the public interface instead of AnyConnect.

This feature requires that you:

•Configure at least one DNS server

•Enable split-tunneling

Drew T

Seeing a similar issue with AnyConnect 2.4.1012.

Config I have on a IOS device works perfectly on a Windows client, but on a Mac OS X 10.5 client it's not playing ball.

In terminal, I can do a 'host' on a server that resides at the other end of the SSL VPN, but if I try and ping it, it's replying that the host is unknown:

(host names changed)

acid:~ drew$ ping

ping: cannot resolve Unknown host

acid:~ drew$

acid:~ drew$ host is an alias for has address mail is handled by 0 mail is handled by 10
resolv.conf looks fine:
nameserver (external DNS)
nameserver (external DNS)
All the configs on the IOS router are just using split dns svc's for the domains in the search so it should be happy.
As mentioned, works perfectly in windows but not in mac. Anyone have any ideas?
I've updated to the 2.5 beta for intel and it's working now. Apparently there's some problem with 2.4 release not working with the IP stack for the lookup zones and dns servers. I'll stick with the beta until the official one is released.


Any progress on this issue?  I have a MAC user that is experiencing the Split-DNS problem using the IPSEC client as well - only queries for names in the first domain in the Split-DNS list is actually being tunneled to the corporated DNS server.

Has anyone opened a TAC case to work this issue?

I'm not having an issue with 2.5.0217 client now. They recently released this from Beta. Have you tried that?

I opened a TAC case as the 2.5 client is still not working here. The Windows version works fine. Will keep you guys posted.

Just got a reply from Cisco, this is a confirmed bug [CSCtf20226] in Mac OS X 10.6. Their workaround is to explicitly define external DNS servers. I used the Google public DNS servers and this indeed works as expected.

(config-webvpn-group)#svc dns-server primary

(config-webvpn-group)#svc dns-server secondary

Hope this helps anyone.


     I want to thank you.  You are a life-saver.  However, I want to go a step further in the solution you propose.  If you go to this link below, you will find a document titled "PIX/ASA: perform DNS Doctoring with the Static Command and Two NAT Interfaces"

     While the majority of the content doesn't pertain to this issue, there is a portion that most certainly does - under the heading "Split-DNS Configuration".  There, it tells you that you can create a domain list that specifies specififc domains - that if matched - will force ALL TRAFFIC FOR THAT DOMAIN through the tunnel.  Therefore, if you have services in your company that need to be accessed via VPN over the browser and you are experiencing issues due to the split-tunnel, create a domain list under the the tunnel's group-policy like this:

yourfirewall(config)# group-policy VPN-POLICY attributes

yourfirewall(config-group-policy)# split-dns

yourfirewall(config-group-policy)# end


Now, all traffic with a domain suffix of "" will always be directed through the tunnel.  Remember that you need to define internal DNS servers under the policy as well if you intend to resolve those internal domain hostnames.

Hi Fisher,

Appreciate the thanks, please rate my answer if it helped you so others can also find it quickly.

For this customer this wasn't an option as he doesn't run his own DNS. The network is too small to warrant that. That being said, your hint might prove useful in a different case. Thanks for the update!


Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers