Thanks, but I cannot find any explanation on the different DNS spilt tunneling options there.  

• Split DNS—You can configure the system to send some DNS requests through the secure connection while allowing the client to send other DNS requests to the DNS servers configured on the client. You can configure the following DNS behavior:
  • Send DNS Request as per split tunnel policy: With this option, DNS requests are handled the same way as the split tunnel options are defined. If you enable split tunneling, DNS requests are sent based on the destination addresses. If you do not enable split tunneling, all DNS requests go over the protected connection.
  • Always send DNS requests over tunnel: Select this option if you enable split tunneling, but you want all DNS requests sent through the protected connection to the DNS servers defined for the group.
  • Send only specified domains over tunnel: Select this option if you want your protected DNS servers to resolve addresses for certain domains only. Then, specify those domains, separating domain names with commas. For example, example.com, example1.com. Use this option if you want your internal DNS servers to resolve names for internal domains, while external DNS servers handle all other Internet traffic.

I've seen that explanation in the official Cisco documentation, but is the first option - Send DNS Request as per split tunnel policy - that confuses me. When testing this in my lab with a split tunneling Group Policy, all DNS request was sent to the internal DNS server configured in the group policy.

The only time it choose the DNS servers I got from my ISP, was when I shut down the internal DNS server.

nslookup didn't work at all, but I could still reach other domains, using my ISP assigned DNS servers. 

So my conclusion is that this option works as a fallback in case the internal DNS servers are not reachable.

/Chess