Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
383
Views
5
Helpful
3
Replies

AnyConnect and Dynamic Split Tunneling Include feature

Myky
Level 1
Level 1

‎09-13-2022 03:58 AM - edited ‎09-13-2022 04:02 AM

Hi guys,

When the Dynamic Split Tunneling Include feature is configured to inject /32 IPs based on the DNS lookups of the FQDN, how ASA knows what was the DNS response if the lookups never traverse the tunnel? 
Is there some sort of DNS sniffing on your local physical adapter DNS lookups done by my virtual AnyConnect interface to let ASA know to inject /32?

Thanks,
myky

Labels:
0 Helpful
3 Replies 3

Myky
Level 1
Level 1

‎09-30-2022 03:51 AM

bump!

0 Helpful

MHM Cisco World
VIP
VIP
In response to Myky

‎09-30-2022 03:55 AM

sorry can you more elaborate ?

Myky
Level 1
Level 1

‎09-30-2022 04:27 AM

When following this link:
https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215383-asa-anyconnect-dynamic-split-tunneling.html#anc14

Let's say we use split-tunnels and want to include any domain example.com inside the tunnel.
When DNS lookup happens on the client machine, how anyconnect/asa knows which IP was resolved for 1.example.com FQDN?

DNS lookups don't traverse over the tunnel, the client uses its local internet breakout.

Thanks,
myky

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents