How to prevent DNS before AnyConnect SSL VPN Establishment

g_kevlin
Level 1

Hello,

I have what seems to be the opposite problem of everyone else on the internet in that DNS is working too well.  I have an AnyConnect VPN which terminates at an ASA 5545X.  We have the latest version of AnyConnect 4.4, and are in an always-on configuration that fails closed.  The issue is that the clients are part of an internal domain, and since AnyConnect allows DNS before tunnel establishment the client is allowed to make a bunch of queries for internal domain resources to public DNS servers.  I would rather not do this using the host firewall, as the machines often move between locally connected and VPN.

Is there a way to modify what AnyConnect allows pre-session establishment to prevent DNS (but still allow ARP/DHCP)?  I have no problem specifying the headend by IP in the client profile or using a hosts file to manage the resolution for the headend.

Once the tunnel is up, everything works perfectly and all DNS is sent via the tunnel.  I'm just struggling to find a way to prevent hostnames from making it out into the wild beforehand.

Thanks for your attention.

2 Replies

Philip D'Ath
VIP Alumni

But you need DNS for AnyConnect to locate your VPN head end to connect to it ...

Normally, but there are several ways to not have that be true.

Using an orchestration agent like puppet, we could maintain a hosts file on the clients that has the IP for the FQDN of the headend.

Alternatively, we could specify the IP rather than the FQDN in the AnyConnect client profile (which is pre-deployed for us and maintained by puppet).  I would just need to make sure that the cert the ASA presents has the IP as a SAN, or it would fail the strict checking required by always-on.
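Two checks a defender would want around the problem described in this thread, written as an added example that is not code from the original posts or from Cisco: the first scans DNS query log lines for internal-domain names that were sent to a resolver outside the internal address space (the pre-tunnel leakage the question describes), and the second confirms that a puppet-managed hosts file pins the headend FQDN to a fixed IP (the mitigation in the last reply). The log line format, the internal domain suffix `corp.example`, the internal resolver range `10.0.0.0/8`, the headend name `vpn.example.com` and its address are all constructed sample values, not taken from the thread.

```python
import ipaddress
import re
from typing import Iterable, List, Optional, Sequence, Tuple

# Constructed log format: one query per line, key=value fields.
LOG_RE = re.compile(
    r"client=(?P<client>\S+)\s+resolver=(?P<resolver>\S+)\s+qname=(?P<qname>\S+)"
)

# Assumptions for the example (not from the thread): the internal AD domain
# and the address range in which internal resolvers live.
INTERNAL_SUFFIXES: Tuple[str, ...] = ("corp.example.",)
INTERNAL_RESOLVER_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_internal_resolver(ip: str) -> bool:
    """True when the resolver address is inside the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_RESOLVER_NETS)


def is_internal_name(qname: str, suffixes: Sequence[str] = INTERNAL_SUFFIXES) -> bool:
    """True when qname is the internal zone itself or a name under it.

    The leading dot in the endswith check stops 'notcorp.example.' from
    matching the suffix 'corp.example.'.
    """
    name = qname.lower().rstrip(".") + "."
    return any(name == s or name.endswith("." + s) for s in suffixes)


def find_leaked_queries(
    lines: Iterable[str], suffixes: Sequence[str] = INTERNAL_SUFFIXES
) -> List[Tuple[str, str, str]]:
    """Return (client, qname, resolver) for internal names sent to external resolvers."""
    leaks = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a query line we understand; skip rather than guess
        qname, resolver = m["qname"], m["resolver"]
        if is_internal_name(qname, suffixes) and not is_internal_resolver(resolver):
            leaks.append((m["client"], qname.rstrip("."), resolver))
    return leaks


def pinned_headend(hosts_text: str, fqdn: str) -> Optional[str]:
    """Return the IP a hosts file pins fqdn to, or None if it is not pinned."""
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], [n.lower() for n in parts[1:]]
        if fqdn.lower() in names:
            ipaddress.ip_address(ip)  # raises ValueError on a malformed entry
            return ip
    return None


# Constructed sample input: a client that queried both a public and an
# internal resolver before its tunnel came up.
SAMPLE_LOG = [
    "2024-05-01T08:00:01 client=192.168.1.20 resolver=8.8.8.8 qname=fileserver.corp.example. qtype=A",
    "2024-05-01T08:00:01 client=192.168.1.20 resolver=8.8.8.8 qname=vpn.example.com. qtype=A",
    "2024-05-01T08:00:03 client=192.168.1.20 resolver=10.10.0.53 qname=fileserver.corp.example. qtype=A",
    "2024-05-01T08:00:04 client=192.168.1.20 resolver=1.1.1.1 qname=notcorp.example. qtype=A",
]

# Constructed sample hosts file as puppet might render it.
SAMPLE_HOSTS = """# managed by puppet (constructed sample)
127.0.0.1     localhost
203.0.113.10  vpn.example.com   # AnyConnect headend
"""

if __name__ == "__main__":
    for client, qname, resolver in find_leaked_queries(SAMPLE_LOG):
        print(f"LEAK: {client} asked {resolver} for {qname}")
    print("headend pinned to:", pinned_headend(SAMPLE_HOSTS, "vpn.example.com"))
```

Only the first line is reported: the query for the headend's own public name is expected to go out, the third query went to an internal resolver, and `notcorp.example` is not under the internal zone. Run against real resolver or endpoint DNS logs, the first function gives a measure of how much internal naming escapes before the tunnel is up, and the second is a cheap compliance check that the hosts-file mitigation is actually in place on each client.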