Split Tunneling and DNS - understanding

hash2k2
Level 1

Hi,

I have some trouble understanding how DNS and split tunneling work.

In our group policy we have configured "Send All DNS Lookups Through Tunnel" -> no; split-tunnel-all-dns disabled

At home I am using a Pi-Hole, which is the DNS server for all clients.
If I am connected to the VPN and enter nslookup in the Windows cmd, I can see our company DNS server IP being used.

Now I open a browser and go to www.bmw.com, for example. I can see this DNS request on my Pi-Hole.

If I go to an internal website, I can't see it on the Pi-Hole.

Where is the decision made? How does the system know where to send the DNS request before it knows whether the target is tunneled or not?

Accepted Solution

Hi,

The option you use will force all DNS queries to go through the tunnel to resolve from the configured DNS servers in your ASA group-policy. However, if the DNS servers can't resolve the specified domain, it will try to resolve through your Pi-Hole as a last resort. Refer to this.

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116016-technote-AnyConnect-00.html

**** please remember to rate useful posts
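To check this yourself, here is an added Python example (my own addition, not code from the original post or from Cisco) that sends a DNS query directly to a chosen server and then applies the order the reply describes: tunnel DNS first, Pi-Hole only if that fails. The two server addresses and the internal hostname are assumed placeholders; replace them with the tunnel DNS IP that nslookup shows while on VPN and your Pi-Hole address.

```python
import random
import socket
import struct

# Constructed placeholders: tunnel DNS (as shown by nslookup on VPN) and Pi-Hole.
TUNNEL_DNS = "10.0.0.53"
LOCAL_DNS = "192.168.1.2"
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, txid):
    """Build a minimal DNS A/IN query (recursion desired) with transaction id txid."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def parse_response(data, txid):
    """Return (rcode name, answer count) from a raw response; reject foreign replies."""
    if len(data) < 12:
        raise ValueError("truncated DNS response")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x000F
    return RCODES.get(rcode, "RCODE%d" % rcode), an

def query(server, name, timeout=2.0):
    """Send one query straight to server, bypassing the OS resolver order."""
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "TIMEOUT", 0
    return parse_response(data, txid)

def resolution_path(name, tunnel=TUNNEL_DNS, local=LOCAL_DNS):
    """Apply the order from the reply: tunnel DNS first, Pi-Hole only if that fails."""
    rcode, answers = query(tunnel, name)
    if rcode == "NOERROR":
        return "tunnel", rcode, answers
    rcode, answers = query(local, name)
    return "local", rcode, answers

if __name__ == "__main__":
    for host in ("intranet.example.internal", "www.bmw.com"):  # constructed names
        print(host, resolution_path(host))
```

Run it while connected and compare which server answers each name; an external name for which the tunnel DNS returns SERVFAIL or NXDOMAIN is exactly the query you then see on the Pi-Hole.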
