Cannot resolve internal DNS forward lookup zones when on AnyConnect VPN other than the primary internal domain

davidbnbf
Level 1

We have a primary domain on internal DNS for our domain-joined Windows devices. They connect to AnyConnect VPN and can resolve internal hosts on this primary internal domain.

We have secondary forward lookup zones for internal websites, and for some reason VPN clients using AnyConnect cannot resolve these internal forward lookup zones, only the primary forward lookup zone for the domain.

How do we allow VPN users on Windows devices to resolve all of the internal DNS forward lookup zones correctly?


4 Replies

Cristian Matei
VIP Alumni

Hi,

   1. Do you have split-tunnelling or full-tunnelling for AnyConnect clients?
   2. Is the DNS server assigned to AnyConnect clients able to resolve those domains?
   3. Can these users resolve Internet resources?
   4. Post your group-policy config, and specify which domain can be resolved and which domain cannot be resolved.

Regards,

Cristian Matei.

Split tunneling is ON.
Internal DNS servers are assigned to local IP pool on the VPN. We can resolve and ping these servers when on VPN.
Internet DNS resolution is working fine.
Only the default domain specified in the VPN config can be resolved when on VPN.
Additional forward lookup zones configured on our internal DNS servers do not resolve or resolve to external DNS/IPs. We need them to resolve to internal DNS forward lookup zones when on VPN.

David

Hi,

    Configure all your domains which need to be resolved via the DNS servers assigned to the AnyConnect client, in your split DNS policy:

group-policy XXX attributes
 split-tunnel-all-dns disable
 split-dns value domain1.com domain2.com domain3.com

Regards,

Cristian Matei.
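To make the accepted answer concrete, here is an added worked example (written for this page; it is not code from the thread, from Cisco, or from the AnyConnect client). It parses a group-policy snippet like the one above, pulls out the split-dns list, and then shows, for a few constructed query names, whether a split-tunnel client would send each query to the VPN-assigned internal DNS servers or to the physical adapter's resolver. Two configurations are compared: a "before" policy with only a default-domain (David's starting point, where only the primary zone resolved) and the "after" policy with the split-dns line. The matching rule (case-insensitive, label-aware suffix match) and the fallback to default-domain when no split-dns list exists are a simplified model of the client's behaviour, chosen to reproduce the symptom reported in the thread; `XXX` and the domainN.com names are the placeholders from the post, and the hostnames are constructed.

```python
from typing import Dict, List, Tuple

# Constructed configs modelled on the thread. BEFORE has only the default
# domain (the starting point in the question); AFTER adds the split-dns line
# from the accepted answer. "XXX" and domainN.com are placeholders from the post.
BEFORE = """\
group-policy XXX attributes
 split-tunnel-policy tunnelspecified
 default-domain value domain1.com
"""

AFTER = """\
group-policy XXX attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-all-dns disable
 split-dns value domain1.com domain2.com domain3.com
 default-domain value domain1.com
"""


def parse_dns_policy(config: str) -> Tuple[bool, List[str]]:
    """Return (tunnel_all_dns, vpn_domains) from a group-policy block.

    'split-tunnel-all-dns enable' sends every DNS query through the tunnel,
    so the domain list is irrelevant. Otherwise the VPN DNS servers are used
    for the split-dns domains. When no split-dns list exists we fall back to
    the default-domain only, which reproduces the symptom in the thread (just
    the primary zone resolving); that fallback is a simplification of the
    real client behaviour, not a statement of how AnyConnect is implemented.
    """
    tunnel_all = False
    split: List[str] = []
    default: List[str] = []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "split-tunnel-all-dns enable":
            tunnel_all = True
        elif line.startswith("split-dns value "):
            split.extend(d.lower().rstrip(".") for d in line.split()[2:])
        elif line.startswith("default-domain value "):
            default = [line.split()[2].lower().rstrip(".")]
    return tunnel_all, split or default


def matches_domain(qname: str, domains: List[str]) -> bool:
    """Label-aware suffix match: host.domain2.com matches domain2.com, but a
    look-alike such as notdomain2.com does not (a bare endswith() would)."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


def resolver_for(qname: str, config: str) -> str:
    """'vpn' if the client sends this query to the VPN-assigned DNS servers,
    'local' if it goes to the physical adapter's (e.g. home ISP) resolver,
    which is where the "resolve to external DNS/IPs" symptom comes from."""
    tunnel_all, domains = parse_dns_policy(config)
    return "vpn" if tunnel_all or matches_domain(qname, domains) else "local"


def classify(queries: List[str], config: str) -> Dict[str, str]:
    """Map each query name to the resolver it would use under this policy."""
    return {q: resolver_for(q, config) for q in queries}


if __name__ == "__main__":
    # Constructed sample queries: a host in the primary AD zone, two hosts in
    # secondary internal zones, an Internet name, and a look-alike domain.
    SAMPLE = ["dc01.domain1.com", "intranet.domain2.com", "wiki.domain3.com",
              "www.example.org", "notdomain2.com"]
    for label, cfg in (("BEFORE", BEFORE), ("AFTER", AFTER)):
        print(label)
        for name, where in classify(SAMPLE, cfg).items():
            print(f"  {name:<22} -> {where}")
```

Running it shows the secondary-zone hosts switching from `local` to `vpn` once they appear in `split-dns value`, while Internet names stay on the local resolver and the look-alike domain is never captured. To confirm the same thing on a connected Windows client, compare `nslookup intranet.domain2.com` against `nslookup intranet.domain2.com <vpn-assigned-dns-ip>`: if only the second form returns the internal address, the zone is missing from the split-dns list.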

This worked! Thank you.