AnyConnect and Dynamic Split Tunneling Include feature

Myky · ‎09-13-2022

Hi guys,

When the Dynamic Split Tunneling Include feature is configured to inject /32 IPs based on the DNS lookups of the FQDN, how ASA knows what was the DNS response if the lookups never traverse the tunnel?
Is there some sort of DNS sniffing on your local physical adapter DNS lookups done by my virtual AnyConnect interface to let ASA know to inject /32?

Thanks,
myky

Myky · ‎09-30-2022

bump!

MHM Cisco World · ‎09-30-2022

sorry can you more elaborate ?

Myky · ‎09-30-2022

When following this link:
https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215383-asa-anyconnect-dynamic-split-tunneling.html#anc14

Let's say we use split-tunnels and want to include any domain example.com inside the tunnel.
When DNS lookup happens on the client machine, how anyconnect/asa knows which IP was resolved for 1.example.com FQDN?

DNS lookups don't traverse over the tunnel, the client uses its local internet breakout.

Thanks,
myky

AnyConnect and Dynamic Split Tunneling Include feature

ASA/AnyConnect: Dynamic Split Tunneling の設定例と動作確認

AnyConnect Split Tunneling (Local Lan Access, Split Tunneling, Static & Dynamic (domain)

FTD 7.0以降: AnyConnect: Dynamic Split Tunneling の有効化方法と確認例

Dynamic Split Tunneling in AnyConnect VPN

Configure ASA/AnyConnect Dynamic Split Tunneling