3G Testing
Test setup:
- AnyConnect 2.4.4009
- default-domain: abc.com
- split-tunnel-list: 10.0.0.0/8, 172.16.0.0/16
- Browser: Safari
Scenario 1: default domain defined, split tunneling defined, no split-dns defined
- Browse to: www.cnn.com - DNS request was not sent to the internal DNS server; resolved by the external 3G DNS server.
- Browse to: fakeserver1 - DNS request for fakeserver1.abc.com was sent to the internal DNS server defined in the group-policy. When that DNS server did not respond, Safari changed the name to www.fakeserver1.com, and resolution requests for www.fakeserver1.abc.com.abc.com were sent to the DNS server.
- Browse to: haha.abc.com - DNS request for haha.abc.com was sent to the internal DNS server defined in the group-policy. When that DNS server did not respond, resolution requests for haha.abc.com.abc.com were sent to the DNS server.
- Browse to: www - DNS request for www.abc.com was sent to the internal DNS server defined in the group-policy. When that DNS server did not respond, Safari changed the name to www.www.com, and it was resolved externally by the 3G DNS servers.
Scenario 2: default domain defined, split tunneling defined, split-dns defined
- Browse to: www.cnn.com - DNS request was not sent to the internal DNS server; resolved by the external 3G DNS server.
- Browse to: fakeserver2 - DNS request for fakeserver2.abc.com was sent to the internal DNS server defined in the group-policy. When that DNS server did not respond, Safari switched the name to www.fakeserver2.com. Then a request for www.fakeserver2.com.abc.com was sent to the internal DNS server.
- Browse to: haha2.abc.com - DNS request for haha2.abc.com was sent to the internal DNS server defined in the group-policy. Then a request for haha2.abc.com.abc.com was sent to the internal DNS server.
- Browse to: www - DNS request for www.abc.com was sent to the internal DNS server defined in the group-policy. When that DNS server did not respond, Safari changed the name to www.www.com, and it was resolved externally by the 3G DNS servers.
Scenario 3: default domain defined, all traffic tunneled, no split-dns defined
- Browse to: www.cnn.com - DNS request was sent to the internal DNS server. When that did not respond, requests for www.cnn.com.abc.com were seen by the internal DNS server defined in the group-policy.
- Browse to: fakeserver3 - DNS request for fakeserver3.abc.com was sent to the internal DNS server defined in the group-policy.
- Browse to: haha3.abc.com - DNS request for haha3.abc.com was sent to the internal DNS server defined in the group-policy. Then a request for haha3.abc.com.abc.com was sent to the internal DNS server.
- Browse to: www - DNS request for www.abc.com was sent to the internal DNS server defined in the group-policy.
Scenario 4: default domain defined, all traffic tunneled, split-dns defined
- Browse to: www.cnn.com - DNS request was sent to the internal DNS server. When that did not respond, requests for www.cnn.com.abc.com were seen by the internal DNS server defined in the group-policy.
- Browse to: fakeserver4 - DNS request for fakeserver4.abc.com was sent to the internal DNS server defined in the group-policy.
- Browse to: haha4.abc.com - DNS request for haha4.abc.com was sent to the internal DNS server defined in the group-policy. Then a request for haha4.abc.com.abc.com was sent to the internal DNS server.
- Browse to: www - DNS request for www.abc.com was sent to the internal DNS server defined in the group-policy.
Conclusions:
1) You can't use split-dns with full tunneling to make DNS requests go to the 3G DNS server: with all traffic tunneled, every DNS request goes to the internal DNS server (scenarios 3 and 4).
2) With split tunneling defined, only DNS requests for the default-domain or a split-dns value are sent to the DNS server defined in the group-policy; everything else is resolved by the 3G DNS server.
3) You will only see 'double DNS suffix' names, i.e. www.abc.com.abc.com, when the resolution of www.abc.com has failed (the server returned NXDOMAIN, did not respond, etc.). AnyConnect then appends the default-domain suffix defined in the group-policy onto the DNS request, so you could see a request such as www.cnn.com.abc.com if you tried to resolve www.cnn.com, that failed, and your default-domain was set to abc.com.
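To make the three conclusions checkable, here is an added example that is not AnyConnect code and not part of the original test notes. It models the observed behaviour in Python: which server the first query goes to under split or full tunneling, the default-domain suffix that gets appended again when the internal server fails, and a filter over DNS query-log lines that picks out those suffix-appended retries on the internal resolver (a burst of them is the symptom to look for when users report names not resolving over the VPN). The server labels, the GroupPolicy class, the split-dns domain corp.example and the log lines are all assumptions constructed for this example; Safari's own rewrite of single-label names to www.<name>.com seen in the notes is deliberately not modelled.

```python
import re
from dataclasses import dataclass

INTERNAL = "internal-dns"   # DNS server defined in the group-policy (label chosen for this example)
EXTERNAL = "3g-dns"         # the carrier's 3G DNS server (label chosen for this example)


@dataclass(frozen=True)
class GroupPolicy:
    """Subset of the group-policy that drives DNS behaviour (constructed for this example)."""
    default_domain: str        # default-domain, e.g. abc.com
    split_tunnel: bool         # True: split tunneling defined; False: all traffic tunneled
    split_dns: tuple = ()      # split-dns domains; empty when split-dns is not defined


def _in_domain(name: str, domain: str) -> bool:
    """True when name equals domain or lies under it (case-insensitive, trailing dot ignored)."""
    name, domain = name.lower().rstrip("."), domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def first_server(gp: GroupPolicy, qname: str) -> str:
    """Which resolver the first query for qname is sent to.

    Full tunnel: everything goes to the internal server, split-dns or not (conclusion 1).
    Split tunnel: only names under the default-domain or a split-dns domain go to the
    internal server; the rest go to the 3G server (conclusion 2).
    """
    if not gp.split_tunnel:
        return INTERNAL
    for domain in (gp.default_domain, *gp.split_dns):
        if _in_domain(qname, domain):
            return INTERNAL
    return EXTERNAL


def resolution_sequence(gp: GroupPolicy, typed: str, internal_answers: bool = False):
    """Ordered (qname, server) pairs for a name typed into the browser.

    A single-label name gets the default-domain appended before the first query.
    If the first query went to the internal server and it did not answer, the client
    appends the default-domain once more, producing the 'double suffix' name
    (conclusion 3). With internal_answers=True the sequence stops after one query.
    """
    qname = typed if "." in typed else f"{typed}.{gp.default_domain}"
    server = first_server(gp, qname)
    steps = [(qname, server)]
    if server == INTERNAL and not internal_answers:
        steps.append((f"{qname}.{gp.default_domain}", INTERNAL))
    return steps


# Constructed BIND-style query-log lines, standing in for the internal server's log.
SAMPLE_LOG = [
    "client 10.10.5.21#51023: query: haha.abc.com IN A +",
    "client 10.10.5.21#51024: query: haha.abc.com.abc.com IN A +",
    "client 10.10.5.40#49331: query: www.cnn.com.abc.com IN A +",
    "client 10.10.5.40#49332: query: intranet.abc.com IN A +",
]

QUERY_RE = re.compile(r"query:\s+(\S+)")


def suffix_appended_queries(log_lines, default_domain: str):
    """Query names where the default-domain was appended to an already multi-label
    name (haha.abc.com.abc.com, www.cnn.com.abc.com). Per conclusion 3 these only
    appear after an earlier lookup failed, so a run of them on the internal server
    points at a name that is not resolving or a server that is not answering.
    Heuristic only: a legitimate multi-label subdomain such as host.eng.abc.com also
    matches, so exclude known internal zones before alerting on the result."""
    suffix = "." + default_domain.lower().rstrip(".")
    hits = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname = m.group(1).lower().rstrip(".")
        if qname.endswith(suffix) and "." in qname[: -len(suffix)]:
            hits.append(qname)
    return hits


if __name__ == "__main__":
    scenario1 = GroupPolicy("abc.com", split_tunnel=True)            # scenario 1 from the notes
    scenario3 = GroupPolicy("abc.com", split_tunnel=False)           # scenario 3 from the notes
    for label, gp in (("scenario 1", scenario1), ("scenario 3", scenario3)):
        for typed in ("www.cnn.com", "fakeserver1", "haha.abc.com", "www"):
            print(label, typed, "->", resolution_sequence(gp, typed))
    print("suffix-appended retries:", suffix_appended_queries(SAMPLE_LOG, "abc.com"))
```

Running the script reproduces the first query of each scenario 1 and scenario 3 row and the suffix-appended retry that follows when the internal server fails; the last line lists the two retry names from the constructed log while leaving the ordinary haha.abc.com and intranet.abc.com lookups alone.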