How to exclude DNS via anyconnect

jewfcb001
Level 4

Hi All,

Now, I configure the ASA for client VPN via AnyConnect and configure split-dns on the group-policy.

If for some IP or domain I need to use the local DNS (network adapter), what is the configuration edit?

14 Replies

When you configure split DNS on the ASA, you define the domain names whose FQDNs will be resolved over the VPN tunnel. Anything outside those domains will use the local DNS configured on the interface.

@Aref Alsouqi

Thank you for the answer. But the customer needs to use the local DNS, and when the customer tries to connect to a web application not via the tunnel, it still uses the DNS from split DNS. Do we need to configure a DNS exclude?

You're welcome. Are those applications reachable via the company domain name?

@Aref Alsouqi

Are those applications reachable via the company domain name?

- Yes, but after the client connects to the VPN, they get split DNS and the domain from the firewall. I saw some information on the Cisco site that you can configure an exclude for xxx.yy, following the link below. I'm not sure whether this solution can solve my issue?

https://community.cisco.com/t5/security-knowledge-base/dynamic-split-tunneling-in-anyconnect-vpn/tac-p/4698135#M7684


I think in that case you can exclude the IP addresses of those applications from the split tunnel access list.

@Aref Alsouqi

I think your recommendation looks good, but I think the customer cannot change the split tunnel access-list.


Maybe they can push a GPO adding the applications' DNS entries into the endpoints' hosts file.

@Aref Alsouqi

You mean, if the GPO adds DNS entries, will the client go to the local DNS or not?

Say that without a GPO the client tries to resolve "application.company.com" via the tunnel; that will go to the company DNS server. Now, if you add a DNS entry in the client's hosts file, you can create the entry with whatever public IP should be used to reach "application.company.com", for example:

1.1.1.1   application.company.com

In that case, when the client tries to resolve "application.company.com", it will use the public IP 1.1.1.1 because the hosts file takes precedence over the DNS server on the client, regardless of whether the DNS server is local or via the tunnel.

@Aref Alsouqi

I'm clear on your information. I think the customer needs to clarify the IP of the server that the client reaches.

If the IP of the server stays in the split-tunnel, it will exclude this IP from the split-tunnel. Then, if the client gets the DNS server from local via GPO, it will go to the web server via local DNS. Is my understanding correct?

Yes, if you add the company domain to the split DNS, any traffic destined to anything belonging to the ".company.com" domain will be resolved over the VPN tunnel. However, when you add the DNS entries inside the clients' hosts file, those entries will take precedence. You can test that yourself: try to resolve anything through your local DNS, then add that FQDN to your hosts file pointing to a different IP than the one that was resolved through your local DNS server(s), and test again. You will see that this time the resolution matches what you added to the hosts file.

Hi friend,
first, what is the AnyConnect client OS?
second, do you configure tunnel-all or split-tunnel?

@MHM Cisco World

We configure split-tunnel.

According to the Cisco doc, any non-split-DNS domain will use any DNS server to resolve, so check the DNS server in your client.

DNS requests that match the split-dns domains are allowed to any DNS servers, as long as they originate from the VPN adapter. If the query originates from the public interface, the AnyConnect driver responds with a "no such name" to force the resolver to always use the tunnel for name resolution. Therefore, the split-dns domains can only be resolved via the tunnel.

DNS requests that do not match the split-dns domains are allowed to any DNS servers, as long as they originate from the physical adapter. If the query originates from the VPN adapter, AnyConnect responds with "no such name" to force the resolver to always attempt the name resolution via the public interface. Therefore, the non-split-dns domains can only be resolved via the public interface.
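As an added example (not code from this thread, from Cisco, or from AnyConnect itself), the following Python model simulates the two behaviours discussed above: the hosts-file override that Aref describes, where a hosts entry wins over any DNS server, and the AnyConnect driver rule quoted from the Cisco doc, where a split-DNS name queried from the physical adapter, or a non-split name queried from the VPN adapter, gets "no such name". The hosts-file content, the DNS zone answers, the IP addresses and the function names (`parse_hosts`, `in_split_dns`, `resolve`, `client_lookup`) are all constructed for the illustration; one detail it adds beyond the posts is that split-domain matching is done on label boundaries, so "notcompany.com" is not treated as part of "company.com".

```python
"""Model of AnyConnect split-DNS decisions and hosts-file precedence.

Added example, not code from the thread or from Cisco. It simulates the
resolver behaviour discussed above: the hosts file wins over any DNS
server, and AnyConnect answers "no such name" when a query reaches the
wrong adapter. All names, zones and addresses below are constructed.
"""
import ipaddress

# Constructed hosts file, as a GPO might push it to the endpoint.
SAMPLE_HOSTS = """
# hosts (constructed sample)
127.0.0.1   localhost
1.1.1.1     application.company.com   # public IP for the web app
"""

# Constructed DNS answers: what the tunnel DNS and the local DNS would reply.
TUNNEL_DNS = {"application.company.com": "10.10.20.5",
              "intranet.company.com": "10.10.20.10"}
LOCAL_DNS = {"application.company.com": "203.0.113.10",
             "public.example.net": "203.0.113.80"}
SPLIT_DNS_DOMAINS = ["company.com"]      # the split-dns value on the group-policy

NO_SUCH_NAME = "no such name"


def parse_hosts(text):
    """Parse hosts-file text into {fqdn: ip}; the first entry for a name wins."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                          # skip malformed lines
        for name in fields[1:]:
            entries.setdefault(name.lower().rstrip("."), ip)
    return entries


def in_split_dns(fqdn, split_domains):
    """True when fqdn is a split-DNS domain or a subdomain of one.

    Matching respects label boundaries, so 'notcompany.com' is not treated
    as part of 'company.com'.
    """
    name = fqdn.lower().rstrip(".")
    for domain in split_domains:
        domain = domain.lower().strip(".")
        if name == domain or name.endswith("." + domain):
            return True
    return False


def resolve(fqdn, adapter, hosts, split_domains=SPLIT_DNS_DOMAINS,
            tunnel_dns=TUNNEL_DNS, local_dns=LOCAL_DNS):
    """Resolve fqdn for a query originating on the 'vpn' or 'physical' adapter.

    Returns (answer, path) where path is one of 'hosts', 'tunnel-dns',
    'local-dns' or 'blocked-by-anyconnect'.
    """
    name = fqdn.lower().rstrip(".")
    if name in hosts:                         # hosts file takes precedence
        return hosts[name], "hosts"
    split = in_split_dns(name, split_domains)
    # AnyConnect rule: split-DNS names only via the VPN adapter, everything
    # else only via the physical adapter; the wrong adapter gets "no such name".
    if split and adapter != "vpn":
        return NO_SUCH_NAME, "blocked-by-anyconnect"
    if not split and adapter == "vpn":
        return NO_SUCH_NAME, "blocked-by-anyconnect"
    zone, path = (tunnel_dns, "tunnel-dns") if split else (local_dns, "local-dns")
    return zone.get(name, NO_SUCH_NAME), path


def client_lookup(fqdn, hosts, **kw):
    """What the endpoint ends up with: try both adapters and keep the first
    answer AnyConnect did not block."""
    for adapter in ("physical", "vpn"):
        answer, path = resolve(fqdn, adapter, hosts, **kw)
        if path != "blocked-by-anyconnect":
            return answer, path
    return NO_SUCH_NAME, "blocked-by-anyconnect"


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("application.company.com", "intranet.company.com",
                 "public.example.net", "notcompany.com"):
        print(name, "->", client_lookup(name, hosts))
```

Running it shows the outcome the thread arrives at: with the hosts entry present, application.company.com resolves to 1.1.1.1 via the hosts file; with an empty hosts file the same name is blocked on the physical adapter and resolved through the tunnel DNS instead, while public.example.net only ever resolves through the local DNS.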