10-27-2015 06:30 AM - edited 02-21-2020 08:31 PM
I am seeing some AnyConnect clients resolving to their local DNS instead of the ASA-assigned DNS servers. We have no split tunneling enabled and are forcing AnyConnect clients to use our internal DNS servers (the TAC verified this in our config). All client traffic is forced into our network and then out our Internet connections. On our Internet firewall, we see VPN client addresses going out our Internet connection to resolve against public DNS servers (Comcast, etc.), which we do not want to permit. Has anyone seen this and is there a way to prevent it?
Thanks.