AnyConnect Client DNS search suffix

Delmiro Campelo
Level 1

Hello Support Community,

I have a question that I'm hoping I can get some help on: is there a way to add multiple DNS search domains or a DNS suffix search list for AnyConnect VPN clients? I'm only able to specify a single domain name on the connection profile; any information is appreciated. I tried using the comma, but that isn't allowed.

[attachment: DNS.jpg]

4 Replies

gregbeifuss
Level 1

Hi Delmiro,

I have this same issue, and as far as I know there's no way around this behaviour.


Here's the workaround I use: I tell VPN users who need to access resources on the other domain to use the FQDN. This way, when the request hits the DNS server, it knows to forward it to another zone. If users type in the short name (i.e. server01) without the domain, the VPN client adds the default suffix and they never get a DNS response.

HTH,

Greg

Hi Greg,

I ended up using split-dns, which basically accomplished the same exact thing for me. I don't have to use the FQDN.

http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/s8.html#wp1560462

Here is what I got.

No split-dns:

C:\Users\Delmiro>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : PC1
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

With split-dns:

C:\Users\Delmiro>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : PC1
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : mydomain.com
                                       yourdomain.com
                                       myotherdomain.com
                                       mybrodomain.com

Give it a try and let me know how it works for you.

Thanks,

Delmiro

I have the same issue: I have two different domains (one I'm migrating off of and the one I'm migrating to). The one I'm trying to migrate to is a parent/child domain structure. I need my VPN users to be able to get to ALL DNS suffixes. The link above does not work - it 404s, then goes to a page that does not explain how to configure split-dns. My outsourced network management team says that it's not possible. The multiple DNS suffixes are in my Group Policy, and any machines on the wired network pick them up and are resolved correctly, but it does not pass to the VPN clients.

Any help would be appreciated. Many thanks in advance!

I have just done this and it works fine for me.

You need to enable split tunneling using include networks, not exclude. If you do not do split tunneling it won't work I don't think.

You then need to disable "send all DNS queries across the VPN link" by disabling split-tunnel-all-dns under the group policy.

Then specify the domains with: split-dns value mydomain.com myotherdomain.com

Reference: http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect42/b_AnyConnect_Administrator_Guide_4-2/configure-vpn.html#ID-1428-000003c6
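The three steps in this last reply, and the split-dns result Delmiro posted above, map onto a single ASA group-policy. The configuration below is an added example to illustrate that mapping; it is not configuration from anyone in the thread. The group-policy name VPN_GP, the ACL name SPLIT_ACL, the tunnel-group name ANYCONNECT_TG, the inside subnet 10.0.0.0/24 and the resolver address 10.0.0.10 are assumed placeholders; the domain names are the ones used in the replies above.

```text
! Assumed inside subnet that should be reached through the tunnel
access-list SPLIT_ACL standard permit 10.0.0.0 255.255.255.0
!
group-policy VPN_GP internal
group-policy VPN_GP attributes
 ! Internal resolver handed to the client (assumed address)
 dns-server value 10.0.0.10
 ! The single default suffix; this is the only field the connection profile exposes
 default-domain value mydomain.com
 ! Step 1: split tunneling with an include list ("tunnelspecified"), not an exclude list
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_ACL
 ! Step 2: stop forcing every DNS query over the tunnel
 split-tunnel-all-dns disable
 ! Step 3: domains resolved through the tunnel; each one is pushed into the
 ! client's DNS Suffix Search List, so short names like server01 resolve
 split-dns value mydomain.com myotherdomain.com
!
! Assumed tunnel-group binding so AnyConnect users actually receive VPN_GP
tunnel-group ANYCONNECT_TG general-attributes
 default-group-policy VPN_GP
!
! Verify the policy as stored on the ASA
show running-config group-policy VPN_GP
```

To check the client side, run ipconfig /all on a connected Windows machine as Delmiro did: every domain given to split-dns should appear under DNS Suffix Search List. One consequence worth knowing before rollout: with split-dns, only queries for the listed domains go to the tunneled resolver, so an internal domain you forget to list will be sent to whatever resolver the client's local network provides, which is both a resolution failure and a small information leak; keep the list complete and review it whenever a domain is added or migrated.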