Cisco Anyconnect VPN client & "DNS leak"

IamSamSaul
Level 1

Hi Team,

I have the Cisco AnyConnect VPN client (with split tunnel) installed on Windows 10. The VPN solution is configured on a Cisco ASA. On some Windows 10 clients the users are unable to resolve internal hostnames. The DNS servers being pushed through the Cisco AnyConnect VPN client are the internal DNS servers. When the users disconnect the VPN client and reconnect, DNS resolution for internal resources works fine. I have taken the following steps:

1) Disabled IPv6 on the NICs;

2) On the VPN global policy, enabled sending all DNS queries through the tunnel.

I have collected a DART file but could not find anything about DNS resolving. Is there a way to investigate whether there has been an issue with "DNS leaking"? Or maybe there is an issue with the Cisco AnyConnect VPN client itself?

Any suggestion will be highly appreciated. 

Thanks & Regards,

Sam


7 Replies

balaji.bandi
Hall of Fame

What is your DSL LAN IP address range? What is your VPN pool allocation IP range?

What is your corporate DNS server? When you connect to the VPN, what DNS server do you see in ipconfig /all?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi B.B,

Thanks for your reply. Below you can find the answers to your questions:

What is your DSL LAN IP address range?
172.16.1.0/24

what is your VPN pool allocation IP range ?
10.55.1.0/24

What is your corporate DNS server? When you connect to the VPN, what DNS server do you see in ipconfig /all?
Corporate DNS: 10.10.10.1 and 10.10.10.2

Ethernet adapter Ethernet 2:

Connection-specific DNS Suffix . : mycompany.local
Description . . . . . . . . . . . : Cisco AnyConnect Virtual Miniport Adapter for Windows x64
Physical Address. . . . . . . . . : 00-05-9A-3C-7A-00
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.55.1.151(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : ::
DHCPv6 IAID . . . . . . . . . . . : 369100186
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-27-E6-32-97-34-73-5A-D0-38-97
DNS Servers . . . . . . . . . . . : 10.10.10.1
10.10.10.2
NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wi-Fi:

Connection-specific DNS Suffix . : home.local
Description . . . . . . . . . . . : Intel(R) Wi-Fi 6 AX201 160MHz
Physical Address. . . . . . . . . :
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::f6a:fa70:d9fa:8e2d%8(Preferred)
IPv4 Address. . . . . . . . . . . : 172.16.1.133(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Sunday, 11 December 2022 19:56:33
Lease Expires . . . . . . . . . . : Wednesday, 14 December 2022 23:06:55
Default Gateway . . . . . . . . . : 172.16.1.254
DHCP Server . . . . . . . . . . . : 172.16.1.254
DHCPv6 IAID . . . . . . . . . . . : 105918363
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-27-E6-32-97-34-73-5A-D0-38-97
DNS Servers . . . . . . . . . . . : 1.1.1.1
9.9.9.9
NetBIOS over Tcpip. . . . . . . . : Enabled

Thanks.

Thank you for the information. Coming to your problem: when you connect the first time it fails; then, as you say, "When the users disconnect VPN client and reconnect, the DNS resolution to internal resources works fine." That works as expected.

In your ipconfig /all, the VPN is not providing a gateway: Default Gateway . . . . . . . . . : ::

When it failed, did you record the information and compare working vs. not working?

BB


Thanks for your reply. 

I have compared the ipconfig /all in both situations and it's the same. When the issue occurs, I usually do an nslookup and I can see one of the corporate DNS servers, but it fails to resolve the hostname. When I disconnect and reconnect and execute the nslookup again, the internal domain resolution works.

The issue occurs randomly. I was planning to run a Wireshark capture the next time the issue occurs and then compare the results. Is there a possibility that it has to do with the Cisco AnyConnect VPN client?

Thanks.

If nslookup can connect to your corporate DNS server but cannot resolve hostnames, this is most likely not a VPN issue. Rather, it looks like a DNS server issue. If you have split-tunneling configured, but neither split-DNS nor tunnel-all-dns is configured, the Windows client can actually use both corporate and Internet DNS servers. It will try the corporate DNS server over the tunnel first. If NXDOMAIN is received, it will fall back to the Internet (physical adapter) DNS server. If a response is received (which is sometimes the case), it will be cached. The address in the response may not actually be reachable when the VPN is up, depending on your topology and configuration. Maybe this is what you see. Try to collect sniffer traces when the issue appears again, but don't use nslookup or dig to send test DNS queries; this is not a valid test.

You can also try to configure a split-DNS list to make the behavior more predictable, or "tunnel-all-dns enable" to always send DNS requests over the tunnel (the corporate DNS server will need to forward them to Internet DNS servers for Internet resources).
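The answer above explains that a split-tunnel Windows client without split-DNS or tunnel-all-dns can end up using the physical adapter's DNS servers and caching their answer, and that nslookup is not a valid test because it bypasses the Windows resolver. The PowerShell script below is an added example for checking exactly that on the client; it is not from this thread or from Cisco. It snapshots the DNS servers and metric of every interface, looks for NRPT rules covering the corporate suffix, shows what is already cached for an internal name, queries each corporate DNS server directly (the nslookup-style test) and then queries through the Windows resolver (what applications actually get). The internal hostname, suffix and server addresses are placeholders based on the values posted in the thread.

```powershell
# Added example, not from the thread or from Cisco: compare where the Windows
# resolver gets its answer for an internal name on a split-tunnel AnyConnect
# client. Names and addresses below are placeholders; adjust for your network.
param(
    [string]$InternalName    = 'fileserver.mycompany.local',   # placeholder
    [string]$CorporateSuffix = 'mycompany.local',              # from the thread
    [string[]]$CorporateDns  = @('10.10.10.1', '10.10.10.2')   # from the thread
)

# 1. DNS servers and interface metric per interface. Windows may query the
#    servers of more than one interface, and the metric decides which adapter
#    it prefers, so a Wi-Fi adapter carrying 1.1.1.1 can answer a corporate name.
Write-Host "== Per-interface DNS servers and metrics =="
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object {
        $metric = (Get-NetIPInterface -InterfaceIndex $_.InterfaceIndex -AddressFamily IPv4).InterfaceMetric
        [pscustomobject]@{
            Interface = $_.InterfaceAlias
            Metric    = $metric
            Servers   = ($_.ServerAddresses -join ', ')
        }
    } | Format-Table -AutoSize

# 2. Name Resolution Policy Table rules for the corporate suffix. With no rule
#    pinning the suffix to the corporate servers, the resolver is free to use
#    the physical adapter's servers as well.
Write-Host "== NRPT rules matching $CorporateSuffix =="
Get-DnsClientNrptPolicy |
    Where-Object { $_.Namespace -like "*$CorporateSuffix" } |
    Format-List Namespace, NameServers

# 3. Is an answer for the internal name already cached (possibly from an
#    Internet resolver while the tunnel was not yet up)?
Write-Host "== Cached entries for $InternalName =="
Get-DnsClientCache -Name $InternalName -ErrorAction SilentlyContinue |
    Format-Table Entry, Data, TimeToLive -AutoSize

# 4. Ask each corporate server directly. Like nslookup, this bypasses the
#    Windows resolver and only proves that the server itself can answer.
Write-Host "== Direct queries to corporate DNS servers =="
foreach ($srv in $CorporateDns) {
    try {
        $ans = Resolve-DnsName -Name $InternalName -Server $srv -DnsOnly -NoHostsFile -ErrorAction Stop
        $ips = ($ans | Where-Object Type -in 'A', 'AAAA').IPAddress -join ', '
        Write-Host ("{0}: {1}" -f $srv, $ips)
    } catch {
        Write-Host ("{0}: {1}" -f $srv, $_.Exception.Message)
    }
}

# 5. Ask through the Windows resolver (cache plus all interfaces). An answer
#    here that differs from step 4 came from another interface's DNS server
#    or from the cache, which is the behaviour the answer describes.
Write-Host "== Answer via the Windows resolver =="
try {
    Resolve-DnsName -Name $InternalName -ErrorAction Stop |
        Where-Object Type -in 'A', 'AAAA' |
        Format-Table Name, Type, IPAddress -AutoSize
} catch {
    Write-Host $_.Exception.Message
}
```

Run it once while the problem is present and once after a reconnect, and diff the two outputs; a cached or public answer in step 3 or 5 with a good answer in step 4 points at the client-side fallback rather than at the VPN. On the ASA side, the two remedies the answer names are configured under the group-policy attributes as split-dns value (the split-DNS list) and split-tunnel-all-dns enable.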

 

Hi B.B.,

Thanks for your suggestion of tunnel-all-dns through the tunnel. Now I'm getting the correct result.

Glad all is good, and thank you for the feedback.

BB
